Destination Static NAT vs Source Static NAT with Bidirectional


Static Destination NAT: This NAT rule allows users on the Internet to initiate traffic to an internal or DMZ server using the server's public IP, let's say 13.1.1.10. The inbound request has a Layer 3 destination IP of 13.1.1.10; the firewall then applies a Destination NAT to translate this destination IP 13.1.1.10 to the private IP of the server, 172.16.1.10.


An example is a web server hosting your company's webpage and allowing external users from the Internet to access it.


[Image: DNAT.png]


Static Source NAT Bidirectional: This NAT rule enables traffic to be initiated in both directions: an inbound connection initiated by external users on the Internet to the server using its public IP 13.1.1.10 as the Layer 3 destination IP, which the firewall translates to the server's private IP 172.16.1.10, and an outbound (new) connection initiated by the server to the Internet, for which the firewall translates the source private IP 172.16.1.10 to the public IP 13.1.1.10.


Static Source NAT Bidirectional is in fact doing both Source NAT (SNAT) and Destination NAT (DNAT), depending on the direction of the traffic; this is why we call it Bidirectional NAT.


For inbound traffic initiated from the Internet to the server, the firewall applies the Destination NAT rule to translate the public IP to the private IP so that external users can access the server.


For outbound traffic initiated from the server to the Internet, the firewall applies Source NAT to translate the private IP to the public IP so that the server can access the Internet.


[Screenshot: Capture d'écran 2023-12-14 073550.png]


The common scenario is when you deploy a Mail Transfer Agent (MTA) or email gateway, such as Cisco Email Secure Gateway (formerly Cisco Email Security Appliance) or FortiMail, to relay email to the Internet: the server must accept inbound mail and also initiate outbound connections.


If you are using a Destination NAT rule to allow external users to access the internal server and at the same time you receive a requirement to allow traffic to be initiated by the server, you need to create a second Source NAT rule to translate the source private IP to the public IP. In this case you keep separate NAT rules for inbound and outbound traffic:


  • DNAT for inbound connection
  • SNAT for outbound connection


The Bidirectional NAT combines both SNAT and DNAT. How? When you create a bi-directional rule, it creates the outbound SNAT rule as you would expect, translating the source private IP to the source public IP for traffic initiated by the server to the Internet, but it also automatically creates an implicit inbound DNAT rule in the reverse direction for traffic initiated by Internet users to access the server.


Many vendors don't recommend Bidirectional NAT because you don't have full control over the return traffic (I mean the inbound traffic initiated by Internet users). A Palo Alto firewall creates the implicit inbound rule with any source zone, so you don't have granular control over that traffic. Another limitation of Bidirectional NAT appears if you add a service or port translation: the rule will then match only that port for both inbound and outbound traffic. For example, if you create an explicit Static Source NAT rule with a specific destination service port, the same service port is used in the implicit inbound DNAT rule, so you lose control over the service port for inbound connections.


So, to better control and manage your NAT configuration, it is recommended to have specific inbound Destination NAT rules for your servers and separate outbound Source NAT rules without the bidirectional option if your servers need to connect to the Internet.
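To make the two limitations above concrete, here is an added example (not from the original post, and not PAN-OS code): a toy model of first-match NAT rule evaluation that expands a bidirectional static SNAT rule into the implicit reverse DNAT rule described above (any source zone, same service port) and compares it with the explicit DNAT + SNAT pair. Zone names, the 203.0.113.x/198.51.100.x/10.x addresses and the simplified matching semantics are assumptions for illustration.

```python
# Added example (not from the original post): a toy model of NAT rule matching
# that shows why a bidirectional static SNAT rule gives less control than
# separate DNAT and SNAT rules. Zones, addresses and matching are simplified
# assumptions based on the post's description, not PAN-OS's real evaluation.
from dataclasses import dataclass

@dataclass
class Packet:
    src_zone: str
    src: str
    dst: str
    dport: int

@dataclass
class NatRule:
    name: str
    from_zone: str          # "any" matches every zone
    src: str                # original source address, or "any"
    dst: str                # original destination address, or "any"
    dport: int = 0          # 0 = any service
    snat_to: str = ""       # static source translation ("" = none)
    dnat_to: str = ""       # static destination translation ("" = none)
    bidirectional: bool = False  # only meaningful together with snat_to

def matches(rule, pkt):
    return (rule.from_zone in ("any", pkt.src_zone) and rule.src in ("any", pkt.src)
            and rule.dst in ("any", pkt.dst) and rule.dport in (0, pkt.dport))

def expand(rules):
    """Add the implicit reverse DNAT rule a bidirectional SNAT creates:
    any source zone, swapped addresses, and the same service port."""
    out = []
    for r in rules:
        out.append(r)
        if r.bidirectional and r.snat_to:
            out.append(NatRule(r.name + " (implicit DNAT)", "any", "any",
                               r.snat_to, r.dport, dnat_to=r.src))
    return out

def apply_nat(rules, pkt):
    """First match wins; returns (rule name, translated src, translated dst)."""
    for r in expand(rules):
        if matches(r, pkt):
            return r.name, r.snat_to or pkt.src, r.dnat_to or pkt.dst
    return None, pkt.src, pkt.dst

# Option 1: explicit rules; inbound is limited to zone untrust and SMTP only.
EXPLICIT = [
    NatRule("Inbound-DNAT", "untrust", "any", "13.1.1.10", 25, dnat_to="172.16.1.10"),
    NatRule("Outbound-SNAT", "dmz", "172.16.1.10", "any", snat_to="13.1.1.10"),
]
# Option 2: one bidirectional static SNAT rule carrying a service port.
BIDIR = [NatRule("Server-Bidir", "dmz", "172.16.1.10", "any", 25,
                 snat_to="13.1.1.10", bidirectional=True)]
```

With the bidirectional rule, an inbound packet from a zone other than untrust still hits the implicit DNAT rule, and an outbound HTTPS connection from the server is not translated at all because the port 25 service applies to both directions.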
