Network Address Translation (NAT) is a crucial network function that modifies network address information in the IP header of packets while they are in transit. This process facilitates efficient IP address management and often builds or simplifies connectivity in the data plane. Common applications of NAT include:
- Internet access: NAT allows internal devices with private (RFC 1918) addresses to communicate with external networks using a single or limited number of public IP addresses
- External connectivity: NAT makes it possible for external users to access internal servers and their services by translating internal private IP addresses (and ports) to a public IP address
- Overlapping subnets: NAT helps in managing IP conflicts when different networks have overlapping address spaces by translating these addresses
NAT on PAN-OS
Palo Alto Networks firewalls, running the PAN-OS operating system, provide robust NAT functionalities to meet diverse network requirements. The two main types of NAT available on PAN-OS include Source NAT and Destination NAT.
Source NAT (SNAT) – source IP address/port translations:
- Dynamic IP (DIP): performs translation on the source IP address using a random address from the configured IP pool (dynamic IP address assignment)
- Dynamic IP and Port (DIPP): same as above, but the translation occurs on both the source IP address and TCP/UDP port number. This method is typically used to provide internet access from multiple internal hosts
- Static IP: translates a specific IP address to another one, maintaining a one-to-one relationship
Destination NAT (DNAT) – destination IP address/port translations:
- Static Destination NAT: translates a (typically) public IP address to a private IP address, commonly used for allowing external access to internal services (e.g. web servers)
- Port Forwarding: a form of static destination NAT where specific ports on a (typically) public IP are translated to specific ports on a private IP
NAT Configuration
Configuring NAT on a Palo Alto Networks firewall involves defining NAT policies that specify the translation rules. These rules are evaluated sequentially from the top of the policy to the bottom, and the first matching rule is enforced, ending further processing (remaining rules are not checked). The type of translation configured in a rule does not give it priority over other rules; only the rule order matters to PAN-OS. Therefore, more specific rules (e.g., static translations) should be placed above broader rules.
NAT policy rule structure:
- Name – name of the rule
- Original Packet – this section defines the classification criteria for the traffic to be translated. It specifies the source/destination zones and IP addresses and the service (port numbers) that tell the firewall which traffic is subject to translation. This describes the original packet and is sometimes referred to as “pre-NAT”
- Translated Packet – this section defines the modifications that should be applied to the packet (new source/destination IP addresses, port numbers) during the translation process. This describes the translated packet and is sometimes referred to as “post-NAT”
The example below shows a NAT rule named “NAT-INSIDE-USERS.” This rule translates traffic coming from the “INSIDE” zone and going to the “OUTSIDE” zone, as long as the source IP addresses belong to the “LAN1” or “LAN2” subnets. This rule applies regardless of the service or destination address:
As a result, traffic that matches the above NAT rule will be source-translated using an IP address dynamically allocated from an IP pool “NAT-POOL-INSIDE”. The destination address is left intact:
Impact of NAT on Security Policy
It’s essential to understand the distinction between NAT policy rules and security policy rules on PAN-OS. Remember that for the traffic to be translated (NAT policy) it must be first allowed by a security policy rule.
Even though both policies refer to the IP addresses of the original packet (before translation), the main difference is that a NAT policy rule expects the destination zone to be the zone the firewall uses to route to the packet’s original destination IP address (pre-NAT destination zone), whereas a security policy rule should always refer to the post-NAT destination zone (based on the new/translated destination address). In other words, if the destination IP address in a packet changes due to NAT, you should verify which interface the firewall will use to reach the new destination and derive the correct zone from that. One method to obtain this information is to perform a FIB (Forwarding Information Base) lookup on the translated address using a dedicated CLI command:
test routing fib-lookup
An example of how these requirements could affect your policy rule structure is clearly visible below:
As you can see, the second NAT policy rule refers to the same zone (“OUTSIDE”) for both source and destination. This is because the destination IP address in the original packet is a public IP address that the firewall reaches via the outside interface, and therefore through the “OUTSIDE” zone.
In contrast to NAT policy rules, security policy rules use different zones because the FIB lookup is performed for the new (translated) address. Since this address is private, it is reachable via the “INSIDE” zone:
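To make the two lookups concrete, the following Python model, added here as an illustration and not part of the article or of PAN-OS, walks a packet through a NAT rulebase (top-down, first match wins) and then through a security rulebase whose destination zone comes from a FIB lookup of the translated address. The topology (INSIDE owns 10.0.0.0/8, OUTSIDE owns 203.0.113.0/24 plus the default route), the LAN1/LAN2 subnets, the pool member 203.0.113.5 and the inbound web server 203.0.113.10 → 10.1.1.10 are all constructed assumptions; the ingress zone is approximated by a FIB lookup on the source address, which is a simplification of how the firewall assigns it from the ingress interface.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed topology (assumption for this example, not from the article):
# INSIDE owns 10.0.0.0/8; OUTSIDE owns 203.0.113.0/24 and the default route.
FIB = [
    (ipaddress.ip_network("10.0.0.0/8"), "INSIDE"),
    (ipaddress.ip_network("203.0.113.0/24"), "OUTSIDE"),
    (ipaddress.ip_network("0.0.0.0/0"), "OUTSIDE"),
]


def fib_lookup(ip: str) -> str:
    """Zone of the interface the firewall would route `ip` through, by
    longest-prefix match (what `test routing fib-lookup` reports on the box)."""
    addr = ipaddress.ip_address(ip)
    hits = [(net, zone) for net, zone in FIB if addr in net]
    if not hits:
        raise ValueError(f"no route for {ip}")
    return max(hits, key=lambda h: h[0].prefixlen)[1]


def in_any(cidrs: List[str], ip: str) -> bool:
    """True if ip falls in any listed CIDR; the literal 'any' matches everything."""
    addr = ipaddress.ip_address(ip)
    return any(c == "any" or addr in ipaddress.ip_network(c) for c in cidrs)


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass
class NatRule:
    name: str
    from_zone: str                    # pre-NAT source zone
    to_zone: str                      # pre-NAT destination zone: FIB lookup of the ORIGINAL dst
    src: List[str]                    # original source, CIDRs or "any"
    dst: List[str]                    # original destination
    service: Optional[int] = None     # original destination port, None = any
    src_xlate: Optional[str] = None   # translated source IP (pool member or static)
    dst_xlate: Optional[str] = None   # translated destination IP
    dst_port_xlate: Optional[int] = None


@dataclass
class SecRule:
    name: str
    from_zone: str
    to_zone: str                      # POST-NAT destination zone
    src: List[str]                    # still pre-NAT addresses
    dst: List[str]
    action: str = "allow"


def nat_lookup(pkt: Packet, rules: List[NatRule]) -> Tuple[Packet, Optional[str]]:
    """Top-down, first match wins; translation type gives no priority, only position."""
    src_zone, dst_zone = fib_lookup(pkt.src_ip), fib_lookup(pkt.dst_ip)
    for r in rules:
        if (r.from_zone == src_zone and r.to_zone == dst_zone
                and in_any(r.src, pkt.src_ip) and in_any(r.dst, pkt.dst_ip)
                and (r.service is None or r.service == pkt.dst_port)):
            translated = Packet(r.src_xlate or pkt.src_ip,
                                r.dst_xlate or pkt.dst_ip,
                                r.dst_port_xlate or pkt.dst_port)
            return translated, r.name
    return pkt, None


def evaluate(pkt: Packet, nat_rules: List[NatRule], sec_rules: List[SecRule]):
    """Returns (nat_rule, sec_rule, forwarded_packet_or_None). The security lookup
    keys on pre-NAT addresses but on the zone of the POST-NAT destination, which is
    why an inbound DNAT pairs OUTSIDE->OUTSIDE (NAT) with OUTSIDE->INSIDE (security)."""
    translated, nat_hit = nat_lookup(pkt, nat_rules)
    src_zone = fib_lookup(pkt.src_ip)
    post_nat_dst_zone = fib_lookup(translated.dst_ip)
    for s in sec_rules:
        if (s.from_zone == src_zone and s.to_zone == post_nat_dst_zone
                and in_any(s.src, pkt.src_ip) and in_any(s.dst, pkt.dst_ip)):
            return nat_hit, s.name, (translated if s.action == "allow" else None)
    return nat_hit, None, None   # implicit deny: nothing forwarded, so nothing translated


# Constructed rulebase (assumption) mirroring the article's two scenarios.
LAN1, LAN2 = "10.1.0.0/16", "10.2.0.0/16"
NAT_RULES = [
    NatRule("NAT-INSIDE-USERS", "INSIDE", "OUTSIDE", [LAN1, LAN2], ["any"],
            src_xlate="203.0.113.5"),             # one member of NAT-POOL-INSIDE (dynamic IP)
    NatRule("NAT-WEB-INBOUND", "OUTSIDE", "OUTSIDE", ["any"], ["203.0.113.10/32"],
            service=443, dst_xlate="10.1.1.10"),  # static destination NAT
]
SEC_RULES = [
    SecRule("ALLOW-INSIDE-OUT", "INSIDE", "OUTSIDE", [LAN1, LAN2], ["any"]),
    SecRule("ALLOW-WEB-INBOUND", "OUTSIDE", "INSIDE", ["any"], ["203.0.113.10/32"]),
]

if __name__ == "__main__":
    print(evaluate(Packet("10.1.20.7", "198.51.100.50", 80), NAT_RULES, SEC_RULES))
    print(evaluate(Packet("198.51.100.7", "203.0.113.10", 443), NAT_RULES, SEC_RULES))
```

Two things worth trying against this model: rewrite ALLOW-WEB-INBOUND with OUTSIDE as its destination zone and the inbound flow falls to the implicit deny even though the NAT rule matched, which is exactly the zone mismatch the article warns about; and insert a broad OUTSIDE-to-OUTSIDE rule above NAT-WEB-INBOUND and the static rule is never reached, since only rule order decides.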
Understanding and configuring NAT on Palo Alto Networks firewalls is critical for efficient network management and security. By leveraging the NAT capabilities of PAN-OS, organizations can optimize IP address usage, secure their network infrastructure, and ensure seamless connectivity across diverse network environments.