Focus

Enable Bi-Directional Address Translation for Your Public-Facing Servers (Static Source NAT)

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Version
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
Networking
Version
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
Incidents & Alerts
Release Notes
Version
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)

Enable Clients on the Internal Network to Access your Public Servers (Destination U-Turn NAT)

Configure Destination NAT with DNS Rewrite

Enable Bi-Directional Address Translation for Your Public-Facing Servers (Static Source NAT)

When your public-facing servers have private IP addresses assigned on the network segment where they are physically located, you need a source NAT rule to translate the source address of the server to the external address upon egress. You create a static NAT rule to translate the internal source address, 10.1.1.11, to the external web server address, 203.0.113.11 in our example.

However, a public-facing server must be able to both send and receive packets. You need a reciprocal policy that translates the public address (the destination IP address in incoming packets from Internet users) into the private address so that the firewall can route the packet to your DMZ network. You create a bi-directional static NAT rule, as described in the following procedure. Bi-directional translation is an option for static NAT only.

Create an address object for the web server’s internal IP address.
1. Select ObjectsAddresses and Add a Name and optional Description for the object.
2. Select IP Netmask from the Type list and enter the IP address of the web server on the DMZ network, 10.1.1.11 in this example.
3. Click OK.
  
  If you did not already create an address object for the public address of your web server, you should create that object now.
Create the NAT policy.
1. Select PoliciesNAT and click Add.
2. On the General tab, enter a descriptive Name for the NAT rule.
3. On the Original Packet tab, select the zone you created for your DMZ in the Source Zone section (click Add and then select the zone) and the zone you created for the external network from the Destination Zone list.
4. In the Source Address section, Add the address object you created for your internal web server address.
5. On the Translated Packet tab, select Static IP from the Translation Type list in the Source Address Translation section and then select the address object you created for your external web server address from the Translated Address list.
6. In the Bi-directional field, select Yes.
7. Click OK.
Commit.
Click Commit.

Enable Clients on the Internal Network to Access your Public Servers (Destination U-Turn NAT)

Configure Destination NAT with DNS Rewrite

Next-Generation Firewall Docs

Enable Bi-Directional Address Translation for Your Public-Facing Servers (Static Source NAT)

Next-Generation Firewall Docs

Enable Bi-Directional Address Translation for Your Public-Facing Servers (Static Source NAT)

Activation & Onboarding

Next-Generation Firewalls

Cloud-Delivered Security Services

Network Security

Visibility & Monitoring

Best Practices

Experts Corner