>
    NAT Translated Packet Tab
    Focus
    Download PDF
    Focus
    1. Home
    2. Next-Generation Firewall
    3. Policies
    4. Policies > NAT
    5. NAT Translated Packet Tab
    Download PDF
    Next-Generation Firewall

    NAT Translated Packet Tab

    Table of Contents

    NAT Translated Packet Tab

    • Policies > NAT > Translated Packet
    For Source Address Translation, select the Translated Packet tab to determine the type of translation
    to perform on the source, the address, and possibly the port to which the source is translated.
    You can also enable Destination Address Translation for an internal host to make it accessible by a public IP address. In this case, you define a public source address and destination address in the Original Packet tab for an internal host and, on the Translated Packet tab, you configure Static IP or Dynamic IP (with session distribution) and enter the Translated Address. Then, when the public address is accessed, it is translated to the internal (destination) address of the internal host.
    NAT Rule - Translated Packet Settings
    Description
    Source Address Translation
    Select the Translation Type (dynamic or static address pool) and enter an IP address or address range (address1—address2) to which the source address is translated (Translated Address). The size of the address range is limited by the type of address pool:
    • (PAN-OS 11.1.1 and later releases) Persistent Dynamic IP and Port—VoIP, video, cloud-based video conferencing, audio conferencing, and other applications often use DIPP and may require the Session Traversal Utilities for NAT (STUN) protocol. DIPP NAT uses symmetric NAT, which may have compatibility issues with applications that use STUN. To alleviate these issues, Persistent Dynamic IP and Port provides additional support for connectivity with such applications. When persistent NAT for DIPP is enabled, the binding of a private source IP address/port pair to a specific public (translated) source IP address/port pair persists for subsequent sessions that arrive having that same original source IP address/port pair. You can configure persistent DIPP in individual NAT policy rules.
    • Dynamic IP and Port—Address selection is based on a hash of the source IP address. For a given source IP address, the firewall uses the same translated source address for all sessions. Dynamic IP and Port (DIPP) source NAT supports approximately 64,000 concurrent sessions on each IP address in the NAT pool. Some models support oversubscription, which allows a single IP to host more than 64,000 concurrent sessions.
      Palo Alto Networks® DIPP NAT supports more NAT sessions than are supported by the number of available IP addresses and ports. With oversubscription, the firewall can use IP address and port combinations two times simultaneously on PA-220, PA-400 Series, PA-800 Series, PA-1400 Series, PA-3410, PA-3420, VM-50, VM-300, and VM-1000-HV firewalls, four times simultaneously on PA-3200 Series, PA-3430, and PA-3440 firewalls, and eight times simultaneously on PA-5200 Series, PA-5400 Series, PA-7050, PA-7080, VM-500, and VM-700 firewalls when destination IP addresses are unique.
    • Dynamic IP—Translates to the next available address in the specified range but the port number remains unchanged. Up to 32,000 consecutive IP addresses are supported. A dynamic IP pool can contain multiple subnets, so you can translate your internal network addresses to two or more separate public subnets.
    • Advanced (Dynamic IP/Port Fallback)—Use this option to create a fallback pool that performs IP and port translation and is used if the primary pool runs out of addresses. You can define addresses for the pool by using the Translated Address option or the Interface Address option; the latter option is for interfaces that receive an IP address dynamically. When creating a fallback pool, make sure addresses do not overlap with addresses in the primary pool.
    Source Address Translation (cont)
    • Static IP—The same address is always used for the translation and the port is unchanged. For example, if the source range is 192.168.0.1—192.168.0.10 and the translation range is 10.0.0.1—10.0.0.10, address 192.168.0.2 is always translated to 10.0.0.2. The address range is virtually unlimited.
      You must use Static IP translation for NPTv6 Source Address Translation. For NPTv6, the prefixes configured for Translated Address must be in the format xxxx:xxxx::/yy and the address cannot have an interface identifier (host) portion defined. The range of supported prefix lengths is /32 to /112.
    • None—Translation is not performed.
    Bi-directional
    (Optional) Enable bidirectional translation for a Static IP source address translation if you want the firewall to create a corresponding translation (NAT or NPTv6) in the opposite direction of the translation you configure.
    If you enable bidirectional translation, you must ensure that you have security policies in place to control the traffic in both directions. Without such policies, the bidirectional feature allows packets to be translated automatically in both directions.
    Destination Address Translation
    Configure the following options to have the firewall perform destination NAT. You typically use Destination NAT to allow an internal server, such as an email server, to be accessible from the public network.
    Translation Type and Translated Address
    Select the type of translation the firewall performs on the destination address:
    • None (default)
    • Static IP—Enter a Translated Address as an IP address or range of IP addresses and a Translated Port number (1 to 65535) to which the original destination address and port number are translated. If the Translated Port field is blank, the destination port is not changed.
      For NPTv6, the prefixes configured for the Destination prefix Translated Address must be in the format xxxx:xxxx::/yy. The address cannot have an interface identifier (host) portion defined. The range of supported prefix lengths is /32 to /112.
      Translated Port is not supported for NPTv6 because NPTv6 is strictly prefix translation. The Port and Host address section is simply forwarded unchanged.
      Static IP translation for IPv4 also allows you to Enable DNS Rewrite (described below).
    • Dynamic IP (with session distribution)—Select or enter a Translated Address that is an FQDN, an address object, or an address group from which the firewall selects the translated address. If the DNS server returns more than one address for an FQDN or if the address object or address group translates into more than one IP address, the firewall distributes sessions among those addresses using the specified Session Distribution Method.
    Session Distribution Method
    If you select the destination NAT translation to be to Dynamic IP (with session distribution), it’s possible that the destination translated address (to an FQDN, address object, or address group) can resolve to more than one address. You can choose how the firewall distributes (assigns) sessions among those addresses to provide more balanced session distribution:
    • Round Robin—(default) Assigns new sessions to IP addresses in rotating order. Unless your environment dictates that you choose one of the other distribution methods, use this method.
    • Source IP Hash—Assigns new sessions based on a hash of source IP addresses. If you have incoming traffic from a single source IP address, then select a method other than Source IP Hash.
    • IP Modulo—The firewall takes into consideration the source and destination IP address from the incoming packet; the firewall performs an XOR operation and a modulo operation; the result determines to which IP address the firewall assigns new sessions.
    • IP Hash—Assigns new sessions using a hash of the source and destination IP addresses.
    • Least Sessions—Assigns new sessions to the IP address that has the fewest concurrent sessions. If you have many short-lived sessions, Least Sessions provides you with a more balanced distribution of sessions.
    Enable DNS Rewrite
    If the destination NAT policy rule type is ipv4 and the destination address translation type is Static IP, the Enable DNS Rewrite option is available. You can enable DNS rewrite if you use destination NAT and also use DNS services on one side of the firewall to resolve FQDNs for a client on the other side of the firewall. When the DNS response traverses the firewall, the firewall rewrites the IP address in the DNS response, relative to the original destination address or translated destination address that the DNS response matches in the NAT policy rule. A single NAT policy rule has the firewall perform NAT on packets that match the rule and perform NAT on IP addresses in DNS responses that match the rule. You must specify how the firewall performs NAT on an IP address in a DNS response relative to the NAT rule—reverse or forward:
    • reverse—(default) If the packet is a DNS response that matches the translated destination address in the rule, translate the DNS response using the reverse translation that the rule uses. For example, if the rule translates 1.1.1.10 to 192.168.1.10, the firewall rewrites a DNS response of 192.168.1.10 to 1.1.1.10.
    • forward—If the packet is a DNS response that matches the original destination address in the rule, translate the DNS response using the same translation the rule uses. For example, if the rule translates 1.1.1.10 to 192.168.1.10, the firewall rewrites a DNS response of 1.1.1.10 to 192.168.1.10.
    Match NAT Rule Source
    (PAN-OS Release 12.1.2 and later 12.1 releases)
    When you Enable DNS Rewrite, you can enable Match NAT Rule Source to make the DNS rewrite action for this rule conditional. The firewall translates the destination IPv4 address in a DNS response only if the DNS client's IP address and security zone (identified in the DNS session) match the source IP address and source zone that you specified for the Original Packet in this rule. Thus, you limit the DNS rewrite in this rule to occur only for specific DNS clients.
    Exclude From Zone
    (PAN-OS Release 12.1.2 and later 12.1 releases)
    When you Enable DNS Rewrite, you can make the DNS rewrite action for this rule conditional; Add one or more source zones to exclude from the DNS rewrite action in this rule.
    Exclude Source Address
    (PAN-OS Release 12.1.2 and later 12.1 releases)
    When you Enable DNS Rewrite, you can make the DNS rewrite action for this rule conditional. Add one or more source address objects or address groups or add a New Address to enter a source IP address to exclude from the DNS rewrite action in this rule, as follows:
    • Name of the IPv4 address.
    • Description of the IP address.
    • Type of address:
      • IP Netmask—Enter an IPv4 address or a network using the slash notation; for example 192.168.80.150 or 192.168.80.0/24. You can also enter an IPv6 address or an IPv6 address with its prefix; for example, 2001.db8:123::1 or 2001:db8:123::/64. You can exclude an IPv6 address even though DNS rewrite supports only IPv4 (because the client's underlying network may be IPv6 but the DNS client is requesting an A record [IPv4 address]).
      • IP Range—Enter an IPv4 address range (for example, 10.0.0.1-10.0.0.4) or an IPv6 address range (for example, 2001:db8:123:1::1-2001:db8:123:1::11).
      Exclude Source Address doesn't support the address types FQDN or IP Wildcard Mask.
    • Tags—Select one or more tags to add to the address.

    © 2025 Palo Alto Networks, Inc. All rights reserved.