Table of Contents

Destination NAT

Destination NAT is performed on incoming packets when the firewall translates a destination address to a different destination address; for example, it translates a public destination address to a private destination address. Destination NAT also offers the option to perform port forwarding or port translation.
Destination NAT allows static and dynamic translation:
  • Static IP
    —You can configure a one-to-one, static translation in several formats. You can specify that the original packet have a single destination IP address, a range of IP addresses, or an IP netmask, as long as the translated packet is in the same format and specifies the same number of IP addresses. The firewall statically translates an original destination address to the same translated destination address each time. That is, if there is more than one destination address, the firewall translates the first destination address configured for the original packet to the first destination address configured for the translated packet, and translates the second original destination address configured to the second translated destination address configured, and so on, always using the same translation.
    If you use destination NAT to translate a static IPv4 address, you might also use DNS services on one side of the firewall to resolve FQDNs for a client on the other side. When the DNS response containing the IPv4 address traverses the firewall, the DNS server provides an internal IP address to an external device, or vice versa. Beginning with PAN-OS 9.0.2 and in later 9.0 releases, you can configure the firewall to rewrite the IP address in the DNS response (that matches the rule) so that the client receives the appropriate address to reach the destination service. The applicable DNS rewrite use case determines how you configure such a rewrite.
  • Dynamic IP (with session distribution)
    —Destination NAT allows you to translate the original destination address to a destination host or server that has a dynamic IP address, meaning an address object that uses an FQDN, which can return multiple addresses from DNS. Dynamic IP (with session distribution) supports IPv4 addresses only. Destination NAT using a dynamic IP address is especially helpful in cloud deployments that use dynamic IP addressing.
    If the translated destination address resolves to more than one address, the firewall distributes incoming NAT sessions among the multiple addresses to provide improved session distribution. Distribution is based on one of several methods: round-robin (the default method), source IP hash, IP modulo, IP hash, or least sessions. If a DNS server returns more than 32 IPv4 addresses for an FQDN, the firewall uses the first 32 addresses in the packet.
    If the translated address is an address object of type FQDN that resolves to only IPv6 addresses, the destination NAT policy rule considers the FQDN as unresolved.
    Dynamic IP (with session distribution)
    allows you to translate multiple pre-NAT destination IP addresses M to multiple post-NAT destination IP addresses N. A many-to-many translation means there can be M x N destination NAT translations using a single NAT rule.
For destination NAT, the best practice is to:
  • Use
    Static IP
    address translation for static IP addresses, which allows the firewall to check and ensure that the number of original destination IP addresses equals the number of translated destination IP addresses.
  • Use
    Dynamic IP (with session distribution)
    address translation only for FQDN-based dynamic addresses (the firewall does not perform an IP address number check).
The following are common examples of destination NAT translations that the firewall allows:
Translation Type
Original Packet’s Destination Address
Maps to Translated Packet’s Destination Address
Static IP
Original packet and translated packet each have one possible destination address.
Original packet and translated packet each have four possible destination addresses: always maps to always maps to always maps to always maps to
Original packet and translated packet each have four possible destination addresses: always maps to always maps to always maps to always maps to
Dynamic IP (with session distribution)
Original packet has four destination addresses and if, for example, the FQDN in the translated destination address resolves to five IP addresses, then there are 20 possible destination NAT translations in a single NAT rule.
One common use for destination NAT is to configure several NAT rules that map a single public destination address to several private destination host addresses assigned to servers or services. In this case, the destination port numbers are used to identify the destination hosts. For example:
  • Port Forwarding
    —Can translate a public destination address and port number to a private destination address but keeps the same port number.
  • Port Translation
    —Can translate a public destination address and port number to a private destination address and a different port number, thus keeping the actual port number private. The port translation is configured by entering a
    Translated Port
    on the
    Translated Packet
    tab in the NAT policy rule. See the Destination NAT with Port Translation Example.

Recommended For You