Translate Internal Client IP Addresses to Your Public IP Address (Source DIPP NAT)
Focus
Focus

Translate Internal Client IP Addresses to Your Public IP Address (Source DIPP NAT)

Table of Contents

Translate Internal Client IP Addresses to Your Public IP Address (Source DIPP NAT)

When a client on your internal network sends a request, the source address in the packet contains the IP address for the client on your internal network. If you use private IP address ranges internally, the packets from the client will not be able to be routed on the Internet unless you translate the source IP address in the packets leaving the network into a publicly routable address.
On the firewall you can do this by configuring a source NAT policy that translates the source address (and optionally the port) into a public address. One way to do this is to translate the source address for all packets to the egress interface on your firewall, as shown in the following procedure.
Beginning with PAN-OS 10.2.4, you can enable persistent NAT for DIPP to mitigate the compatibility issues that symmetric NAT may have with applications that use STUN.
  1. Create an address object for the external IP address you plan to use.
    1. Select ObjectsAddresses and Add a Name and optional Description for the object.
    2. Select IP Netmask from the Type and then enter the IP address of the external interface on the firewall, 203.0.113.100 in this example.
    3. Click OK.
      Although you do not have to use address objects in your policies, it is a best practice because it simplifies administration by allowing you to make updates in one place rather than having to update every policy where the address is referenced.
  2. Create the NAT policy.
    1. Select PoliciesNAT and click Add.
    2. On the General tab, enter a descriptive Name for the policy.
    3. (Optional) Enter a tag, which is a keyword or phrase that allows you to sort or filter policies.
    4. For NAT Type, select ipv4 (default).
    5. On the Original Packet tab, select the zone you created for your internal network in the Source Zone section (click Add and then select the zone) and the zone you created for the external network from the Destination Zone list.
    6. On the Translated Packet tab, select Dynamic IP And Port from the Translation Type list in the Source Address Translation section of the screen.
    7. For Address Type, there are two choices. You could select Translated Address and then click Add. Select the address object you just created.
      An alternative Address Type is Interface Address, in which case the translated address will be the IP address of the interface. For this choice, you would select an Interface and optionally an IP Address if the interface has more than one IP address.
    8. Click OK.
  3. Commit your changes.
    Click Commit.
  4. (PAN-OS 10.2.4 and later 10.2 releases) Enable persistent NAT for DIPP.
    1. Access the CLI.
    2. > set system setting persistent-dipp enable yes
    3. > request restart system
    4. If you have HA configured, repeat this step on the other HA peer.
  5. (Optional) Access the CLI to verify the translation.
    1. Use the show session all command to view the session table, where you can verify the source IP address and port and the corresponding translated IP address and port.
    2. Use the show session id <id_number> to view more details about a session.
    3. If you configured Dynamic IP NAT, use the show counter global filter aspect session severity drop | match nat command to see if any sessions failed due to NAT IP allocation. If all of the addresses in the Dynamic IP NAT pool are allocated when a new connection is supposed to be translated, the packet will be dropped.