Secure Inbound Access Examples

Where Can I Use This?
What Do I Need?
  • Panorama
  • Prisma Access license
This section provides inbound access examples, along with the IP addresses that Prisma Access assigns in various deployments.
The following example shows a sample configuration to enable inbound access for an application (www.example.com) at a remote network site. You assign an IP address of 10.10.10.2, a port of 443, and a protocol of TCP to the application. You then enter these values in Prisma Access when you configure inbound access. After you save and commit your changes, Prisma Access assigns a public IP address to the application you defined, in this case 52.1.1.1.
Prisma Access performs source network address translation (source NAT) on the packets by default. If the IPSec-capable device at your remote network site is capable of performing symmetric return (such as a Palo Alto Networks next-generation firewall), you can disable source NAT.
The following figure shows the traffic flow from users to applications. Since source NAT is enabled, the source IP address in the routing table changes from the IP of the user’s device (34.1.1.1) to the remote network’s EBGP Router address (172.1.1.1), which you can find under Panorama > Cloud Services > Status > Network Details > Remote Networks > EBGP Router.
The following figure shows the return path of traffic with source NAT enabled.
If you disable source NAT, Prisma Access still performs destination NAT, but the source IP address of the request is unchanged.
For return traffic, SNAT is disabled, and the destination address in all routing tables is the user’s IP address (34.1.1.1).
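As an added illustration (not code from the Prisma Access documentation), the Python model below walks the page's addresses through both translation steps: destination NAT from 52.1.1.1 to 10.10.10.2:443 always, source NAT to the EBGP router address 172.1.1.1 only when enabled, and the reverse translation on the return path, which only succeeds when the reply comes back through Prisma Access. The public port 443 and the session-tracking behaviour are assumptions.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "TCP"

# Addresses from the page's example; the public port 443 is an assumption
# (the page states only the application port).
USER_IP = "34.1.1.1"                  # user's device
PUBLIC_IP = "52.1.1.1"                # public IP Prisma Access assigns to the app
APP_IP, APP_PORT = "10.10.10.2", 443  # inbound access rule: TCP 10.10.10.2:443
EBGP_ROUTER_IP = "172.1.1.1"          # remote network's EBGP router address

class InboundAccessNat:
    """Toy model of the inbound-access translation (no port allocation)."""

    def __init__(self, source_nat: bool = True):
        self.source_nat = source_nat
        self.sessions = {}  # translated 4-tuple -> original user packet

    def inbound(self, pkt: Packet):
        """User -> app. Destination NAT always; source NAT only if enabled."""
        if (pkt.proto, pkt.dst_ip, pkt.dst_port) != ("TCP", PUBLIC_IP, 443):
            return None  # no inbound access rule matches: dropped
        out = replace(pkt, dst_ip=APP_IP, dst_port=APP_PORT)
        if self.source_nat:
            out = replace(out, src_ip=EBGP_ROUTER_IP)  # app sees the router
        self.sessions[(out.src_ip, out.src_port, out.dst_ip, out.dst_port)] = pkt
        return out

    def return_path(self, reply: Packet):
        """App -> user, only if the reply is routed back through Prisma Access."""
        key = (reply.dst_ip, reply.dst_port, reply.src_ip, reply.src_port)
        orig = self.sessions.get(key)
        if orig is None:
            return None  # no session: asymmetric return, reply cannot be un-NATed
        return Packet(orig.dst_ip, orig.dst_port, orig.src_ip, orig.src_port, orig.proto)

def reply_destination(source_nat: bool) -> str:
    """IP the app addresses its reply to: the router with SNAT, the user without."""
    nat = InboundAccessNat(source_nat)
    return nat.inbound(Packet(USER_IP, 50000, PUBLIC_IP, 443)).src_ip
```

With SNAT disabled the application replies directly to 34.1.1.1, so the remote-site device must route that reply back through the tunnel (symmetric return) for the destination NAT to be undone.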
If you have a resource that is in a remote network site that has inbound access enabled and you want users at non-inbound access sites to have access to that resource, you can Allow inbound flows to other Remote Networks over the Prisma Access backbone when you configure the non-inbound access remote network.
If you allow inbound flows from other remote networks, you must enable source NAT.