Enable Bi-Directional Address Translation for Your Public-Facing Servers (Static Source NAT)
When your public-facing servers have private IP addresses assigned on the network segment where they are physically located, you need a source NAT rule to translate the source address of the server to the external address upon egress. You create a static NAT rule to translate the internal source address, 10.1.1.11, to the external web server address, 203.0.113.11 in our example.

However, a public-facing server must be able to both send and receive packets. You need a reciprocal policy that translates the public address (the destination IP address in incoming packets from Internet users) into the private address so that the firewall can route the packet to your DMZ network. You create a bi-directional static NAT rule, as described in the following procedure. Bi-directional translation is an option for static NAT only.
- Create an address object for the web server’s internal IP address.
  - Select Objects > Addresses and Add a Name and optional Description for the object.
  - Select IP Netmask from the Type list and enter the IP address of the web server on the DMZ network, 10.1.1.11 in this example.
  - Click OK.

  If you did not already create an address object for the public address of your web server, you should create that object now.
- Create the NAT policy.
  - Select Policies > NAT and click Add.
  - On the General tab, enter a descriptive Name for the NAT rule.
  - On the Original Packet tab, select the zone you created for your DMZ in the Source Zone section (click Add and then select the zone) and the zone you created for the external network from the Destination Zone list.
  - In the Source Address section, Add the address object you created for your internal web server address.
  - On the Translated Packet tab, select Static IP from the Translation Type list in the Source Address Translation section and then select the address object you created for your external web server address from the Translated Address list.
  - In the Bi-directional field, select Yes.
  - Click OK.
- Commit.
  - Click Commit.
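
The effect of the Bi-directional field can be seen in a small model of the rule. The following Python sketch is an added example, not PAN-OS code or anything from the firewall itself: the `StaticNatRule` class and the client address 198.51.100.7 are constructed for illustration, and zones and security policy are left out. It goes beyond the single-host case in the procedure by mapping same-size ranges one-to-one, which is an assumption of the model.

```python
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

Packet = namedtuple("Packet", "src dst")


@dataclass(frozen=True)
class StaticNatRule:
    original: str        # private address or range (the source on egress)
    translated: str      # public address or range of the same size
    bidirectional: bool  # the "Bi-directional" field from the procedure

    def __post_init__(self):
        if ip_network(self.original).num_addresses != ip_network(self.translated).num_addresses:
            raise ValueError("model assumes same-size original and translated ranges")

    @staticmethod
    def _remap(addr, from_net, to_net):
        """Map addr one-to-one from from_net into to_net; None if addr is outside."""
        a, src_net, dst_net = ip_address(addr), ip_network(from_net), ip_network(to_net)
        if a not in src_net:
            return None
        offset = int(a) - int(src_net.network_address)
        return str(dst_net.network_address + offset)

    def translate(self, pkt):
        # Egress: rewrite the private source address to the public one.
        new_src = self._remap(pkt.src, self.original, self.translated)
        if new_src is not None:
            return pkt._replace(src=new_src)
        # Ingress: the reciprocal translation exists only when bi-directional is on.
        if self.bidirectional:
            new_dst = self._remap(pkt.dst, self.translated, self.original)
            if new_dst is not None:
                return pkt._replace(dst=new_dst)
        return pkt  # no match: the packet is left untranslated


# Constructed sample traffic; 198.51.100.7 stands in for an Internet client.
CLIENT = "198.51.100.7"
rule = StaticNatRule("10.1.1.11/32", "203.0.113.11/32", bidirectional=True)
source_only = StaticNatRule("10.1.1.11/32", "203.0.113.11/32", bidirectional=False)

if __name__ == "__main__":
    print(rule.translate(Packet("10.1.1.11", CLIENT)))            # server -> Internet
    print(rule.translate(Packet(CLIENT, "203.0.113.11")))         # Internet -> server
    print(source_only.translate(Packet(CLIENT, "203.0.113.11")))  # no reverse translation
```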