Palo Alto NAT & Destination NAT
What is NAT & Destination NAT?
NAT (network address translation) rewrites the IP addresses, and optionally the ports, of packets as they pass through the firewall. In its most common form, source NAT, it lets the hosts on a private network share a single public IP address when they reach out to the internet. Destination NAT (DNAT) does the reverse: it rewrites the destination IP address (and optionally the destination port) of inbound packets, so that traffic sent to a public address is redirected to a particular host or service inside the local network.
Configuring NAT
Configuring Security Policy
On Policies » Security, create new
Give it a name
Set the source zone to Inside and the destination zone to Outside
Set the service to be any
Configuring NAT Policy
On Policies » NAT, create new
Give it a name
Set the source to be the Inside Zone and destination to be the Outside Zone
Set the source translation type to Dynamic IP and Port, with the address type set to Interface Address and the outside interface selected, so outbound sessions are translated to that interface's IP
Testing the NAT Configuration
Now, from a host on the inside network, we should be able to reach the internet
On Monitor » Traffic, we should see the sessions going from inside to the internet
On Monitor » Session Browser, we can see the NAT and security policies each session matched, together with the original and translated addresses of the client-to-server and server-to-client flows
Configuring Destination NAT
D-NAT Topology
Configuring NAT Policy
On Policies » NAT, create new
Give it a name
Set both the source and destination zones to Outside (the destination zone is the zone the untranslated public IP routes to, i.e. the outside interface), and the destination address to the public NAT IP
Set the translated address to the host's IP on the inside network (add a translated port only if the internal service listens on a different port than the published one)
Configuring Security Policy
On Policies » Security, create new
Give it a name
Set the source zone to Outside
Set the destination zone to Inside, but the destination address to the public NAT IP: security policy is evaluated after the NAT lookup, so it sees the post-NAT destination zone while still matching on the pre-NAT destination address. A rule written against the inside host's private IP will never match and the inbound session will hit the interzone deny
Set the service to any for the lab; in production restrict it to the port(s) actually being published
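Both procedures above (the outbound source NAT rules and the inbound DNAT rules) depend on one evaluation order that the GUI does not make obvious: NAT policy is matched on the pre-NAT zones and addresses, then security policy is matched on the post-NAT destination zone but the pre-NAT addresses. The following Python model is an added illustration of that order and is not Palo Alto code; the zone table, the addresses (203.0.113.10 as the public NAT IP, 10.0.0.50 as the inside host, 198.51.100.0/24 as a remote client network) and the rule names are assumptions chosen for a two-zone lab, and the ingress zone is approximated by a route lookup on the source address rather than by the ingress interface.

```python
"""Model of NAT and security policy evaluation order on a zone-based firewall.

Constructed illustration, not vendor code. Zones, addresses and rule names
are assumptions for a two-zone lab (Inside / Outside).
"""
from dataclasses import dataclass
import ipaddress
from typing import Optional

# Assumed lab topology: Inside is 10.0.0.0/24, everything else routes outside.
ZONES = {
    "Inside": ipaddress.ip_network("10.0.0.0/24"),
    "Outside": ipaddress.ip_network("0.0.0.0/0"),
}
PUBLIC_NAT_IP = "203.0.113.10"  # assumed address on the outside interface
INSIDE_HOST = "10.0.0.50"       # assumed server being published


def zone_for(ip: str) -> str:
    """Route lookup: longest-prefix match of an address against the zone table."""
    addr = ipaddress.ip_address(ip)
    return max((z for z, net in ZONES.items() if addr in net),
               key=lambda z: ZONES[z].prefixlen)


def addr_matches(spec: str, ip: str) -> bool:
    """A rule address field is 'any' or a host/network in CIDR form."""
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)


@dataclass
class NatRule:
    name: str
    from_zone: str
    to_zone: str                   # zone of the ORIGINAL destination (route lookup)
    src: str
    dst: str
    snat_ip: Optional[str] = None  # dynamic-ip-and-port to this address
    dnat_ip: Optional[str] = None  # destination translation target


@dataclass
class SecRule:
    name: str
    from_zone: str
    to_zone: str    # zone of the TRANSLATED destination
    src: str
    dst: str        # matched against the ORIGINAL (pre-NAT) destination address
    service: str    # 'any' or a TCP port number as a string
    action: str


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass
class Verdict:
    allowed: bool
    nat_rule: Optional[str]
    sec_rule: Optional[str]
    post_src: str
    post_dst: str


def evaluate(pkt: Packet, nat_rules, sec_rules) -> Verdict:
    # 1. Zones of the untranslated packet (ingress zone approximated from src).
    in_zone = zone_for(pkt.src_ip)
    pre_nat_dst_zone = zone_for(pkt.dst_ip)

    # 2. NAT lookup uses pre-NAT zones and pre-NAT addresses; first match wins.
    nat_hit = None
    post_src, post_dst = pkt.src_ip, pkt.dst_ip
    for r in nat_rules:
        if (r.from_zone == in_zone and r.to_zone == pre_nat_dst_zone
                and addr_matches(r.src, pkt.src_ip)
                and addr_matches(r.dst, pkt.dst_ip)):
            nat_hit = r
            post_src = r.snat_ip or post_src
            post_dst = r.dnat_ip or post_dst
            break

    # 3. Security lookup uses the post-NAT destination zone, pre-NAT addresses.
    post_nat_dst_zone = zone_for(post_dst)
    for s in sec_rules:
        if (s.from_zone == in_zone and s.to_zone == post_nat_dst_zone
                and addr_matches(s.src, pkt.src_ip)
                and addr_matches(s.dst, pkt.dst_ip)
                and s.service in ("any", str(pkt.dst_port))):
            return Verdict(s.action == "allow", nat_hit and nat_hit.name,
                           s.name, post_src, post_dst)
    # Nothing matched: implicit interzone deny.
    return Verdict(False, nat_hit and nat_hit.name, None, post_src, post_dst)


NAT_RULES = [
    NatRule("Outbound-SNAT", "Inside", "Outside", "any", "any", snat_ip=PUBLIC_NAT_IP),
    NatRule("Inbound-DNAT", "Outside", "Outside", "any", PUBLIC_NAT_IP + "/32", dnat_ip=INSIDE_HOST),
]
SEC_RULES = [
    SecRule("Inside-to-Outside", "Inside", "Outside", "any", "any", "any", "allow"),
    SecRule("Publish-Web", "Outside", "Inside", "any", PUBLIC_NAT_IP + "/32", "443", "allow"),
]


def outbound_example() -> Verdict:
    return evaluate(Packet(INSIDE_HOST, "198.51.100.20", 443), NAT_RULES, SEC_RULES)


def inbound_example() -> Verdict:
    return evaluate(Packet("198.51.100.7", PUBLIC_NAT_IP, 443), NAT_RULES, SEC_RULES)


def inbound_wrong_address_example() -> Verdict:
    """Common mistake: security rule written against the translated inside IP."""
    wrong = [SecRule("Publish-Web-Wrong", "Outside", "Inside", "any",
                     INSIDE_HOST + "/32", "443", "allow")]
    return evaluate(Packet("198.51.100.7", PUBLIC_NAT_IP, 443), NAT_RULES, wrong)


if __name__ == "__main__":
    for v in (outbound_example(), inbound_example(), inbound_wrong_address_example()):
        print(v)
```

Running it shows the outbound session translated to the public IP and allowed by Inside-to-Outside, the inbound session translated to the inside host and allowed by Publish-Web (Outside to Inside, destination 203.0.113.10), and the same inbound session denied when the security rule names 10.0.0.50 instead, which is exactly the failure seen when the destination address in the DNAT security rule is set to the inside host rather than the public NAT IP.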
Testing the D-NAT Configuration
Now the public NAT IP should be reachable from the internet
And in Monitor » Traffic we can see the sessions arriving from outside to the NAT IP, with the inside host shown as the translated destination