The most common mistakes when configuring NAT and security rules are the references to the zones and address objects. The addresses used in destination NAT rules always refer to the original IP address in the packet (that is, the pre-translated address). The destination zone in the NAT rule is determined after the route lookup of the destination IP address in the original packet (that is, the pre-NAT destination IP address).
The addresses in the security policy also refer to the IP address in the original packet (that is, the pre-NAT address). However, the destination zone is the zone where the end host is physically connected. In other words, the destination zone in the security rule is determined after the route lookup of the post-NAT destination IP address.
In this example, the web server is configured to listen for HTTP traffic on port 8080. The clients access the web server using the IP address 22.214.171.124 and TCP Port 80. The destination NAT rule is configured to translate both IP address and port to 10.1.1.100 and TCP port 8080. Address objects are configured for webserver-private (10.1.1.100) and Servers-public (126.96.36.199).
Virtual wire deployment of a Palo Alto Networks firewall includes the benefit of providing security transparently to the end devices. It is possible to configure NAT for interfaces configured in a virtual wire. All of the NAT types are allowed: source NAT (Dynamic IP, Dynamic IP and Port, static) and destination NAT.
When performing NAT on virtual wire interfaces, it is recommended that you translate the source address to a different subnet than the one on which the neighboring devices are communicating. The firewall will not proxy ARP for NAT addresses. Proper routing must be configured on the upstream and downstream routers in order for the packets to be translated in virtual wire mode. Neighboring devices will only be able to resolve ARP requests for IP addresses that reside on the interface of the device on the other end of the virtual wire. See
Proxy ARP for NAT Address Pools
for more explanation about proxy ARP.
In the following topology, two routers are configured to provide connectivity between subnets 188.8.131.52/24 and 184.108.40.206/24. The link between the routers is configured in subnet 220.127.116.11/30. Static routing is configured on both routers to establish connectivity between the networks. Before the firewall is deployed in the environment, the topology and the routing table for each router look like this:
Now the firewall is deployed in virtual wire mode between the two Layer 3 devices. All communications from clients in network 18.104.22.168/24 accessing servers in network 22.214.171.124/24 are translated to an IP address in the range 126.96.36.199-188.8.131.52. A NAT IP address pool with range 184.108.40.206-220.127.116.11 is configured on the firewall.
All connections from the clients in subnet 18.104.22.168/24 will arrive at router R2 with a translated source address in the range 22.214.171.124-126.96.36.199. The response from servers will be directed to these addresses. In order for source NAT to work, you must configure proper routing on router R2, so that packets destined for other addresses are not dropped. The routing table below shows the modified routing table on router R2. The route ensures the traffic to the destinations 188.8.131.52-184.108.40.206 (that is, hosts on subnet 220.127.116.11/29) will be sent back through the firewall to router R1.
In this example, security policies are configured from the virtual wire zone named Trust to the virtual wire zone named Untrust. Host 18.104.22.168 is statically translated to address 22.214.171.124. With the
option enabled, the firewall generates a NAT policy from the Untrust zone to the Trust zone. Clients on the Untrust zone access the server using the IP address 126.96.36.199, which the firewall translates to 188.8.131.52. Any connections initiated by the server at 184.108.40.206 are translated to source IP address 220.127.116.11.