- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
10-21-2018 06:08 AM
Greetings,
I am trying to create the NAT IP only rule as outlined here.
https://www.ericooi.com/palo-alto-firewall-home-network/
I have a single External WAN interface Etherenet 1/1.
I am wondering how the referenced NAT SOURCE Translation interface (Object/Physical/Other???) is created to configure the Source Translation?
I am only able to add 'internal objects/interfaces when configuring on my PA-220.
---------------------------------------------------------------------------------------------------------------------------------------------------------
Online Console Gaming
Problem: NAT Dynamic IP & Port Policy
Anyone who knows me knows I’m a giant Nintendo fanboy. Shortly after setting up the Palo Alto firewall, I decided to play some online Mario Kart, only to find that my new Nintendo Switch would no longer connect. Sadface.
It turns out that Palo Alto firewalls do not support “Universal Plug and Play” (UPnP) which had allowed me to connect easily on my consumer-grade wireless router. This makes sense from an enterprise-grade firewall perspective as you would want to explicitly control what’s allowed inside and outside of your network.
Back to searching and I found a helpful comment on a post discussing how Palo Alto handles game console traffic. It turns out you need to create a specific NAT policy ahead of your default internet outbound NAT rule. This NAT policy should specify the IP of your video game console as the source address and use only “dynamic-ip” source translation instead of “dynamic-ip-and-port” source translation.
So that I don’t have to periodically update the Nintendo Switch’s source address in the NAT rule due to DHCP, I configured the firewall’s DHCP relay to always assign my Switch the same IP and created an Address Object on the firewall using this same IP. See the screenshot below for how the NAT policies ultimately looked in the end.