Destination NAT
Destination NAT is performed on incoming packets when
the firewall translates a destination address to a different destination
address; for example, it translates a public destination address
to a private destination address. Destination NAT also offers the
option to perform port forwarding or port translation.
Destination NAT allows static and dynamic translation:
- Static IP—You can configure a one-to-one, static translation in several formats. You can specify that the original packet have a single destination IP address, a range of IP addresses, or an IP netmask, as long as the translated packet is in the same format and specifies the same number of IP addresses. The firewall statically translates an original destination address to the same translated destination address each time. That is, if there is more than one destination address, the firewall translates the first original destination address to the first translated destination address, the second original destination address to the second translated destination address, and so on, always using the same translation.

  If you use destination NAT to translate a static IPv4 address, you might also use DNS services on one side of the firewall to resolve FQDNs for a client on the other side. When the DNS response containing the IPv4 address traverses the firewall, the DNS server's answer hands an internal IP address to an external device, or vice versa, so the client would receive an address that is not reachable from its side of the firewall. Beginning with PAN-OS 9.0.2 and in later 9.0 releases, you can configure the firewall to rewrite the IP address in the DNS response (when the response matches the NAT rule) so that the client receives the appropriate address to reach the destination service. The applicable DNS rewrite use case determines how you configure such a rewrite.
- Dynamic IP (with session distribution)—Destination NAT allows you to translate the original destination address to a destination host or server that has a dynamic IP address, meaning an address object that uses an FQDN, which can return multiple addresses from DNS. Dynamic IP (with session distribution) supports IPv4 addresses only. Destination NAT using a dynamic IP address is especially helpful in cloud deployments that use dynamic IP addressing.

  If the translated destination address resolves to more than one address, the firewall distributes incoming NAT sessions among the multiple addresses to provide improved session distribution. Distribution is based on one of several methods: round-robin (the default method), source IP hash, IP modulo, IP hash, or least sessions. If a DNS server returns more than 32 IPv4 addresses for an FQDN, the firewall uses only the first 32 addresses in the response. If the translated address is an address object of type FQDN that resolves only to IPv6 addresses, the destination NAT policy rule treats the FQDN as unresolved.
For destination NAT, the best practice
is to:
- Use Static IP address translation for static IP addresses, which allows the firewall to check and ensure that the number of original destination IP addresses equals the number of translated destination IP addresses.
- Use Dynamic IP (with session distribution) address translation only for FQDN-based dynamic addresses (the firewall does not perform an IP address number check for this type).
The following are common examples of destination NAT translations
that the firewall allows:
Translation Type | Original Packet’s Destination Address | Maps to Translated Packet’s Destination Address | Notes |
---|---|---|---|
Static IP | 192.168.1.1 | 2.2.2.2 | Original packet and translated packet each have one possible destination address. |
Static IP | 192.168.1.1-192.168.1.4 | 2.2.2.1-2.2.2.4 | Original packet and translated packet each have four possible destination addresses: 192.168.1.1 always maps to 2.2.2.1; 192.168.1.2 always maps to 2.2.2.2; 192.168.1.3 always maps to 2.2.2.3; 192.168.1.4 always maps to 2.2.2.4. |
Static IP | 192.168.1.1/30 | 2.2.2.1/30 | Original packet and translated packet each have four possible destination addresses: 192.168.1.1 always maps to 2.2.2.1; 192.168.1.2 always maps to 2.2.2.2; 192.168.1.3 always maps to 2.2.2.3; 192.168.1.4 always maps to 2.2.2.4. |
Dynamic IP (with session distribution) | 192.168.1.1/30 | domainname.com | Original packet has four possible destination addresses; if, for example, the FQDN in the translated destination address resolves to five IP addresses, there are 20 possible destination NAT translations in a single NAT rule. |
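The behaviour described for the two translation types and the table above, worked through in code. This is an added illustration written for this page, not PAN-OS code: the address expansion follows the table (192.168.1.1/30 means the four addresses starting at 192.168.1.1), the equal-count check is the one Static IP translation performs and Dynamic IP does not, and the dynamic rule applies the 32-address cap and the IPv6-only-is-unresolved rule. DNS answers come from a constructed in-memory table, and the hash used for the source-IP-hash method is an assumption (the page does not specify the firewall's hash).

```python
# Added illustration (not PAN-OS code): a model of destination NAT address
# translation following the rules on this page. DNS answers are a constructed
# in-memory table so the script runs offline.
import hashlib
import ipaddress
import itertools

MAX_FQDN_ADDRS = 32  # the firewall uses only the first 32 IPv4 answers for an FQDN


def expand(spec):
    """Expand a single IP, a range 'a-b', or an IP/netmask into an ordered list.

    Per the page's table, 192.168.1.1/30 means the four addresses starting at
    192.168.1.1, not the CIDR block 192.168.1.0/30.
    """
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if hi < lo:
            raise ValueError(f"range end precedes start: {spec}")
        return [str(ipaddress.ip_address(i)) for i in range(int(lo), int(hi) + 1)]
    if "/" in spec:
        addr, prefix = spec.split("/", 1)
        start = ipaddress.ip_address(addr)
        count = 1 << (start.max_prefixlen - int(prefix))
        return [str(ipaddress.ip_address(int(start) + i)) for i in range(count)]
    return [str(ipaddress.ip_address(spec))]


def static_counts_match(original, translated):
    """The check Static IP translation performs: equal numbers of addresses."""
    return len(expand(original)) == len(expand(translated))


class StaticDstNat:
    """Static IP translation: one-to-one, positional, always the same mapping."""

    def __init__(self, original, translated):
        if not static_counts_match(original, translated):
            raise ValueError("static destination NAT needs equal address counts")
        self.mapping = dict(zip(expand(original), expand(translated)))

    def translate(self, dst, src=None):
        return self.mapping.get(str(ipaddress.ip_address(dst)))


# Constructed DNS answers for the example; not real resolutions.
FAKE_DNS = {
    "domainname.com": ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4", "10.0.0.5"],
    "v6only.example": ["2001:db8::1", "2001:db8::2"],
    "big.example": [f"10.1.{i // 256}.{i % 256}" for i in range(40)],
}


def resolve_ipv4(fqdn, dns=FAKE_DNS):
    """At most 32 IPv4 answers; an FQDN with only IPv6 answers is unresolved (None)."""
    v4 = [a for a in dns.get(fqdn, []) if ipaddress.ip_address(a).version == 4]
    return v4[:MAX_FQDN_ADDRS] or None


class DynamicDstNat:
    """Dynamic IP (with session distribution): the translated address is an FQDN.

    No count check is performed, which is why the page restricts this type to
    FQDN-based addresses. The SHA-256 source-IP hash is an assumption for
    illustration; the page does not specify the firewall's hash function.
    """

    def __init__(self, original, fqdn, method="round-robin", dns=FAKE_DNS):
        self.original = set(expand(original))
        self.pool = resolve_ipv4(fqdn, dns)  # None: the rule cannot translate
        self.method = method
        self._rr = itertools.cycle(self.pool) if self.pool else None
        self.sessions = {a: 0 for a in self.pool or []}

    def translation_count(self):
        """Possible (original, translated) pairs: 4 x 5 = 20 for the table's example."""
        return len(self.original) * len(self.pool or [])

    def translate(self, dst, src):
        if not self.pool or str(ipaddress.ip_address(dst)) not in self.original:
            return None
        if self.method == "round-robin":
            chosen = next(self._rr)
        elif self.method == "source-ip-hash":
            digest = hashlib.sha256(str(ipaddress.ip_address(src)).encode()).digest()
            chosen = self.pool[int.from_bytes(digest[:4], "big") % len(self.pool)]
        elif self.method == "least-sessions":
            chosen = min(self.pool, key=lambda a: self.sessions[a])
        else:
            raise ValueError(f"unsupported distribution method: {self.method}")
        self.sessions[chosen] += 1
        return chosen


if __name__ == "__main__":
    print(StaticDstNat("192.168.1.1/30", "2.2.2.1/30").translate("192.168.1.3"))
    dyn = DynamicDstNat("192.168.1.1/30", "domainname.com")
    print(dyn.translation_count(), [dyn.translate("192.168.1.2", "203.0.113.9") for _ in range(6)])
```

Running the script shows the static rule returning 2.2.2.3 for 192.168.1.3 every time, the dynamic rule reporting 20 possible translations, and round-robin cycling through the five resolved addresses. Swapping the original and translated ranges for unequal sizes raises the same kind of error the firewall's count check guards against.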
One common use for destination NAT is to configure several NAT
rules that map a single public destination address to several private
destination host addresses assigned to servers or services. In this
case, the destination port numbers are used to identify the destination
hosts. For example:
- Port Forwarding—Can translate a public destination address and port number to a private destination address but keeps the same port number.
- Port Translation—Can translate a public destination address and port number to a private destination address and a different port number, thus keeping the actual port number private. The port translation is configured by entering a Translated Port on the Translated Packet tab in the NAT policy rule. See the Destination NAT with Port Translation Example.
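The port-based dispatch just described, as an added example written for this page rather than PAN-OS code: one public address is shared by several private hosts, and the destination port picks the host. A rule with no translated port is port forwarding (the port is kept); a rule with one is port translation. Rules are evaluated top-down, first match wins, so the example also flags a rule that can never match because an earlier rule has the same public address, port and protocol. All names, addresses and ports are constructed for the example.

```python
# Added illustration (not PAN-OS code): port forwarding and port translation
# behind one public address, with a first-match rulebase and a shadowing check.
# Rule names, addresses and ports are constructed for the example.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PortRule:
    name: str
    public_ip: str
    public_port: int
    private_ip: str
    translated_port: Optional[int] = None  # None: keep the port (forwarding)
    protocol: str = "tcp"

    def matches(self, dst_ip, dst_port, protocol):
        return (self.public_ip == dst_ip and self.public_port == dst_port
                and self.protocol == protocol)

    def apply(self):
        """Translated (address, port); forwarding keeps the public port."""
        port = self.public_port if self.translated_port is None else self.translated_port
        return self.private_ip, port


RULES = [
    PortRule("web", "203.0.113.10", 80, "10.1.1.10"),                  # forwarding: 80 -> 80
    PortRule("ssh-admin", "203.0.113.10", 2222, "10.1.1.20", 22),      # translation: 2222 -> 22
    PortRule("dns", "203.0.113.10", 53, "10.1.1.30", protocol="udp"),  # forwarding, UDP only
    PortRule("web-old", "203.0.113.10", 80, "10.1.1.11"),              # never reached: shadowed by "web"
]


def translate(rules, dst_ip, dst_port, protocol="tcp"):
    """First matching rule wins, as in a top-down rulebase; None when nothing matches."""
    for rule in rules:
        if rule.matches(dst_ip, dst_port, protocol):
            return rule.apply()
    return None


def shadowed_rules(rules):
    """Names of rules that can never match because an earlier rule has the same match key."""
    seen, shadowed = set(), []
    for rule in rules:
        key = (rule.public_ip, rule.public_port, rule.protocol)
        if key in seen:
            shadowed.append(rule.name)
        seen.add(key)
    return shadowed


if __name__ == "__main__":
    print(translate(RULES, "203.0.113.10", 80))    # web server, port kept
    print(translate(RULES, "203.0.113.10", 2222))  # SSH host, port changed to 22
    print(translate(RULES, "203.0.113.10", 443))   # None: no rule for 443
    print(shadowed_rules(RULES))                   # the unreachable rule
```

The SSH rule is the port-translation case: clients connect to 2222 on the public address and the private host only ever sees port 22, so the real service port is not exposed in the public rule set. The shadowing check is worth running on any rulebase that maps one public address by port, because a later rule with the same address, port and protocol silently never fires.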