When a client on your internal network sends a request, the source
address in the packet is the IP address of that client. If you use
private IP address ranges internally, packets from the client cannot
be routed on the Internet unless you translate the source IP address
in packets leaving the network into a publicly routable address.
On the firewall you can do this by configuring a source NAT policy
that translates the source address (and optionally the port) into
a public address. One way to do this is to translate the source
address of all packets to the address of the egress interface on
your firewall, as shown in the following procedure.
Beginning with PAN-OS 10.2.4, you can enable persistent NAT for
Dynamic IP and Port (DIPP) translation to mitigate the compatibility
issues that symmetric NAT may have with applications that use STUN.
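
The following added example (a simplified model, not PAN-OS code and not part of the original documentation) shows why symmetric DIPP can break STUN and how a persistent binding avoids it. The class and function names, the port pool start, and all addresses (RFC 1918 and RFC 5737 ranges) are assumptions constructed for illustration.

```python
from itertools import count


class DippNat:
    """Toy DIPP source NAT: maps (private IP, port) to (egress IP, port)."""

    def __init__(self, egress_ip, persistent):
        self.egress_ip = egress_ip      # address of the egress interface
        self.persistent = persistent    # True models persistent NAT for DIPP
        self.bindings = {}
        self._ports = count(1024)       # hypothetical start of the port pool

    def translate(self, src, dst):
        # Symmetric NAT keys the binding on source AND destination, so the
        # same client socket gets a different public port per destination.
        # Persistent NAT keys on the source only, so the binding is reused.
        key = src if self.persistent else (src, dst)
        if key not in self.bindings:
            self.bindings[key] = (self.egress_ip, next(self._ports))
        return self.bindings[key]


def stun_mapping_is_reusable(nat):
    """Return True if the address STUN reports is the one a peer will see."""
    client = ("192.168.1.10", 50000)        # constructed internal client
    stun_server = ("198.51.100.5", 3478)    # constructed STUN server
    peer = ("203.0.113.77", 40000)          # constructed remote peer
    reflexive = nat.translate(client, stun_server)  # learned via STUN
    toward_peer = nat.translate(client, peer)       # actual mapping to peer
    return reflexive == toward_peer


if __name__ == "__main__":
    for mode in (False, True):
        nat = DippNat("192.0.2.1", persistent=mode)
        label = "persistent" if mode else "symmetric"
        print(label, "-> STUN mapping reusable:", stun_mapping_is_reusable(nat))
```

In the symmetric case the peer sees a different public port than the one the client advertised after its STUN query, so inbound media sent to the advertised port matches no binding.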