This section provides inbound access examples, along with the IP addresses that Prisma Access assigns in various deployments.

The following example shows a sample configuration to enable inbound access for an application (www.example.com) at a remote network site. You assign an IP address of 10.10.10.2, a port of 443, and a protocol of TCP to the application. You then enter these values in Prisma Access when you configure inbound access. After you save and commit your changes, Prisma Access assigns a public IP address to the application you defined, in this case 52.1.1.1.

Prisma Access performs source network address translation (source NAT) on the packets by default. If the IPSec-capable device at your remote network site is capable of performing symmetric return (such as a Palo Alto Networks next-generation firewall), you can disable source NAT.

The following figure shows the traffic flow from users to applications. Since source NAT is enabled, the source IP address in the routing table changes from the IP of the user’s device (34.1.1.1) to the remote network’s EBGP Router address (PanoramaCloud ServicesStatusNetwork DetailsRemote NetworksEBGP Router). (172.1.1.1).

The following figure shows the return path of traffic with source NAT enabled.

If you disable source NAT, Prisma Access still performs destination NAT, but the source IP address of the request is unchanged.

For return traffic, SNAT is disabled, and the destination address for all routing tables is user’s IP address (34.1.1.1).

If you have a resource that is in a remote network site that has inbound access enabled and you want users at non-inbound access sites to have access to that resource, you can Allow inbound flows to other Remote Networks over the Prisma Access backbone when you configure the non-inbound access remote network.