Next-Generation Firewall
NAT Translated Packet Tab
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
-
-
-
-
-
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1
- PAN-OS 10.0 (EoL)
- PAN-OS 9.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 8.1 (EoL)
-
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 10.2
- PAN-OS 10.1
NAT Translated Packet Tab
- Policy > NAT > Translated Packet
For Source Address Translation, select the Translated
Packet tab to determine the type of translation
to perform on the source, the
address, and possibly the port to which the source is translated.

You can also enable Destination Address Translation for an internal
host to make it accessible by a public IP address. In this case,
you define a public source address and destination address in the Original
Packet tab for an internal host and, on the Translated
Packet tab, you configure Static IP or Dynamic
IP (with session distribution) and enter the Translated
Address. Then, when the public address is accessed,
it is translated to the internal (destination) address of the internal
host.
NAT Rule - Translated Packet Settings | Description |
---|---|
Source Address Translation | Select the Translation Type (dynamic
or static address pool) and enter an IP address or address range
(address1—address2) to which the source address is translated (Translated
Address). The size of the address range is limited by the
type of address pool:
|
Source Address Translation (cont) |
|
Bi-directional | (Optional) Enable bidirectional
translation for a Static IP source address translation
if you want the firewall to create a corresponding translation (NAT or
NPTv6) in the opposite direction of the translation you configure. If
you enable bidirectional translation, you must ensure that you have security
policies in place to control the traffic in both directions. Without
such policies, the bidirectional feature allows packets to be translated
automatically in both directions. |
Destination Address Translation | Configure the following options
to have the firewall perform destination NAT. You typically use
Destination NAT to allow an internal server, such as an email server,
to be accessible from the public network. |
Translation Type and Translated Address | Select the type of translation
the firewall performs on the destination address:
|
Session Distribution Method | If you select the destination NAT translation
to be to Dynamic IP (with session distribution),
it’s possible that the destination translated address (to an FQDN,
address object, or address group) can resolve to more than one address.
You can choose how the firewall distributes (assigns) sessions among those
addresses to provide more balanced session distribution:
|
Enable DNS Rewrite | In PAN-OS 9.0.2 and later 9.0 releases,
if the destination NAT policy rule type is ipv4 and
the destination address translation type is Static IP,
the Enable DNS Rewrite option is available.
You can enable DNS rewrite if you use destination NAT and also use
DNS services on one side of the firewall to resolve FQDNs for a
client on the other side of the firewall. When the DNS response
traverses the firewall, the firewall rewrites the IP address in
the DNS response, relative to the original destination address or
translated destination address that the DNS response matches in
the NAT policy rule. A single NAT policy rule has the firewall perform
NAT on packets that match the rule and perform NAT on IP addresses in DNS responses
that match the rule. You must specify how the firewall performs
NAT on an IP address in a DNS response relative to the NAT rule—reverse
or forward:
|