If you define Layer 3 interfaces on the firewall, you can configure a Network Address Translation (NAT) policy to specify whether source or destination IP addresses and ports are converted between public and private addresses and ports. For example, private source addresses can be translated to public addresses on traffic sent from an internal (trusted) zone to a public (untrusted) zone. NAT is also supported on virtual wire interfaces.
NAT rules are based on source and destination zones, source and destination addresses, and application service (such as HTTP). Like security policies, NAT policy rules are compared against incoming traffic in sequence, and the first rule that matches the traffic is applied.
As needed, add static routes to the local router so that traffic to all public addresses is routed to the firewall. You may also need to add static routes to the receiving interface on the firewall to route traffic back to the private address.
The following tables describe the NAT and NPTv6 (IPv6-to-IPv6 Network Prefix Translation) settings:
NAT General Tab
Select the General tab to configure a name and description for the NAT or NPTv6 policy. You can configure a tag to allow you to sort or filter policies when many policies exist. Select the type of NAT policy you are creating, which affects which fields are available on the Original Packet and Translated Packet tabs.
NAT Rules - General (Setting: Description)

Name: Enter a name to identify the rule. The name is case-sensitive and can have up to 31 characters, which can be letters, numbers, spaces, hyphens, and underscores. The name must be unique on a firewall and, on Panorama, unique within its device group and any ancestor or descendant device groups.

Description: Enter a description for the rule (up to 255 characters).

Tag: If you want to tag the policy, click Add to specify the tag. A policy tag is a keyword or phrase that allows you to sort or filter policies. This is useful when you have defined many policies and want to view those that are tagged with a particular keyword.

NAT Type: Specify the type of translation:
  ipv4 — translation between IPv4 addresses.
  nat64 — translation between IPv6 and IPv4 addresses.
  nptv6 — translation between IPv6 prefixes.
You cannot combine IPv4 and IPv6 address ranges in a single NAT rule.
NAT Original Packet Tab
Select the Original Packet tab to define the source and destination zones of packets that the firewall will translate and, optionally, specify the destination interface and type of service. You can configure multiple source and destination zones of the same type and you can apply the rule to specific networks or specific IP addresses.
NAT Rules - Original Packet (Setting: Description)

Source Zone / Destination Zone: Select one or more source and destination zones for the original (non-NAT) packet (default is Any). Zones must be of the same type (Layer 2, Layer 3, or virtual wire). To define new zones, refer to Network > Zones. You can specify multiple zones to simplify management. For example, you can configure settings so that multiple internal NAT addresses are directed to the same external IP address.

Destination Interface: Specify the destination interface of packets the firewall translates. You can use the destination interface to translate IP addresses differently in the case where the network is connected to two ISPs with different IP address pools.

Service: Specify the service for which the firewall translates the source or destination address. To define a new service group, select Objects > Service Groups.

Source Address / Destination Address: Specify a combination of source and destination addresses for the firewall to translate. For NPTv6, the prefixes configured for Source Address and Destination Address must be in the format xxxx:xxxx::/yy. The address cannot have an interface identifier (host) portion defined. The range of supported prefix lengths is /32 to /64.
NAT Translated Packet Tab
Select the Translated Packet tab to determine, for Source Address Translation, the type of translation to perform on the source, and the address and/or port to which the source will be translated.
You can also enable Destination Address Translation for an internal host that needs to be accessed by a public IP address. In this case, you define a source address (public) and destination address (private) in the Original Packet tab for an internal host, and in the Translated Packet tab you enable Destination Address Translation and enter the Translated Address. When the public address is accessed, it will be translated to the internal (destination) address of the internal host.
NAT Rules - Translated Packet (Setting: Description)

Source Address Translation: Select the Translation Type (dynamic or static address pool), and enter an IP address or address range (address1-address2) that the source address is translated to (Translated Address). The size of the address range is limited by the type of address pool:
  Dynamic IP And Port — Address selection is based on a hash of the source IP address. For a given source IP address, the firewall will use the same translated source address for all sessions. Dynamic IP and Port source NAT supports approximately 64k concurrent sessions on each IP address in the NAT pool. On some platforms, over-subscription is supported, which allows a single IP to host more than 64k concurrent sessions. Palo Alto Networks Dynamic IP/port NAT supports more NAT sessions than are supported by the number of available IP addresses and ports. The firewall can use IP address and port combinations up to two times (simultaneously) on the PA-200, PA-500, PA-2000 Series and PA-3000 Series firewalls, four times on the PA-4020 and PA-5020 firewalls, and eight times on the PA-4050, PA-4060, PA-5050, and PA-5060 firewalls when destination IP addresses are unique.
  Dynamic IP — The next available address in the specified range is used, but the port number is unchanged. Up to 32k consecutive IP addresses are supported. A dynamic IP pool can contain multiple subnets, so you can translate your internal network addresses to two or more separate public subnets.
  Advanced (Dynamic IP/Port Fallback) — Use this option to create a fallback pool that performs IP and port translation and is used if the primary pool runs out of addresses. You can define addresses for the pool by using the Translated Address option or the Interface Address option, which is for interfaces that receive an IP address dynamically. When creating a fallback pool, make sure its addresses do not overlap with addresses in the primary pool.
  Static IP — The same address is always used for the translation and the port is unchanged. For example, if the source range is 192.168.0.1-192.168.0.10 and the translation range is 10.0.0.1-10.0.0.10, address 192.168.0.2 is always translated to 10.0.0.2. The address range is virtually unlimited. NPTv6 must use Static IP translation for Source Address Translation. For NPTv6, the prefixes configured for Translated Address must be in the format xxxx:xxxx::/yy. The address cannot have an interface identifier (host) portion defined. The range of supported prefix lengths is /32 to /64.
  None — Translation is not performed.

Bi-directional (Optional): Enable bidirectional translation if you want the firewall to create a corresponding translation (NAT or NPTv6) in the opposite direction of the translation you configure. If you enable bidirectional translation, you must ensure that you have security policies in place to control the traffic in both directions. Without such policies, the bidirectional feature allows packets to be translated automatically in both directions.

Destination Address Translation: Enter an IP address or range of IP addresses and a translated port number (1-65535) to which the destination address and port number are translated. If the Translated Port field is blank, the destination port is not changed. Destination translation is typically used to allow an internal server, such as an email server, to be accessed from the public network. For NPTv6, the prefix configured as the destination Translated Address must be in the format xxxx:xxxx::/yy. The address cannot have an interface identifier (host) portion defined. The range of supported prefix lengths is /32 to /64. Note that Translated Port is not supported for NPTv6 because NPTv6 is strictly prefix translation: the port and the host (interface identifier) portion of the address are forwarded unchanged.
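The Static IP offset mapping and the NPTv6 prefix rules above are easy to get wrong in a change request (a translated range of the wrong size, a prefix with host bits set, a prefix length outside /32 to /64). The following Python is an added example, not code from the PAN-OS documentation or the firewall; the function names are assumptions for illustration. It validates an NPTv6 prefix the way the table describes, performs the prefix swap while forwarding the host portion unchanged, and applies the one-to-one Static IP mapping from the table's 192.168.0.x example.

```python
import ipaddress

# Prefix-length bounds the table gives for NPTv6 prefixes (/32 to /64).
NPTV6_MIN_PREFIXLEN = 32
NPTV6_MAX_PREFIXLEN = 64


def validate_nptv6_prefix(prefix: str) -> ipaddress.IPv6Network:
    """Accept only what the table allows for an NPTv6 prefix: an IPv6 prefix with
    no interface-identifier (host) bits set and a length between /32 and /64."""
    try:
        # strict=True rejects a prefix whose host portion is non-zero, e.g. 2001:db8::1/48
        net = ipaddress.IPv6Network(prefix, strict=True)
    except ValueError as exc:
        raise ValueError(f"{prefix}: not a valid IPv6 prefix with a zero host portion") from exc
    if not NPTV6_MIN_PREFIXLEN <= net.prefixlen <= NPTV6_MAX_PREFIXLEN:
        raise ValueError(f"{prefix}: NPTv6 prefix length must be between /32 and /64")
    return net


def is_valid_nptv6_prefix(prefix: str) -> bool:
    """Boolean form of validate_nptv6_prefix, convenient for a pre-commit check."""
    try:
        validate_nptv6_prefix(prefix)
        return True
    except ValueError:
        return False


def nptv6_translate(address: str, original_prefix: str, translated_prefix: str) -> str:
    """Swap the prefix of `address` and forward the host portion unchanged, which is how
    the table describes NPTv6 (ports are never touched). Both prefixes must have the
    same length so that the host portion lines up."""
    orig = validate_nptv6_prefix(original_prefix)
    new = validate_nptv6_prefix(translated_prefix)
    if orig.prefixlen != new.prefixlen:
        raise ValueError("original and translated NPTv6 prefixes must have the same length")
    addr = ipaddress.IPv6Address(address)
    if addr not in orig:
        raise ValueError(f"{address} is not inside {original_prefix}")
    host_mask = (1 << (128 - orig.prefixlen)) - 1        # bits of the interface identifier
    host_bits = int(addr) & host_mask
    return str(ipaddress.IPv6Address(int(new.network_address) | host_bits))


def static_ip_translate(address: str, original_range: str, translated_range: str) -> str:
    """Static IP translation: a one-to-one mapping that keeps each address at the same
    offset inside the range, so 192.168.0.2 in 192.168.0.1-192.168.0.10 becomes 10.0.0.2
    in 10.0.0.1-10.0.0.10 (the table's example). The port is left unchanged."""
    o_start, o_end = (ipaddress.ip_address(a) for a in original_range.split("-"))
    t_start, t_end = (ipaddress.ip_address(a) for a in translated_range.split("-"))
    if o_start.version != t_start.version:
        raise ValueError("IPv4 and IPv6 address ranges cannot be combined in one NAT rule")
    if int(o_end) - int(o_start) != int(t_end) - int(t_start):
        raise ValueError("static IP ranges must be the same size")
    addr = ipaddress.ip_address(address)
    if not o_start <= addr <= o_end:
        raise ValueError(f"{address} is outside {original_range}")
    return str(t_start + (int(addr) - int(o_start)))


if __name__ == "__main__":
    print(static_ip_translate("192.168.0.2", "192.168.0.1-192.168.0.10", "10.0.0.1-10.0.0.10"))
    print(nptv6_translate("2001:db8:1::ffff:1", "2001:db8:1::/48", "2001:db8:2::/48"))
    print(is_valid_nptv6_prefix("2001:db8::1/48"))   # host portion set: rejected
```

Running `validate_nptv6_prefix` over every NPTv6 prefix in a proposed rule before committing catches the two conditions the table calls out (a host portion defined, or a length outside /32 to /64) without waiting for the firewall to reject the commit.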
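The table's dynamic pool types differ in what runs out first: a Dynamic IP pool runs out of addresses (one per internal source, port untouched), while a Dynamic IP And Port pool runs out of ports per translated address (roughly 64k, stretched by over-subscription only when destination IPs differ), and the Advanced fallback pool takes over once the primary pool is exhausted. The following Python is an added example, not code from the PAN-OS documentation or the firewall: it is a simplified model of that allocation behaviour, with class and function names, the SHA-256 source hash and the 1024 starting port all chosen here for illustration.

```python
import hashlib

EPHEMERAL_START = 1024                   # constructed: first translated port the model hands out
PORTS_PER_IP = 65536 - EPHEMERAL_START   # about the 64k concurrent sessions per pool address the table cites


class DippPool:
    """Dynamic IP And Port pool as the table describes it: the translated IP is chosen by
    hashing the source IP (so one source always gets the same translated address) and a
    translated port is allocated per session. With over-subscription N an IP:port pair may
    be reused up to N times, but only towards different destination IPs."""

    def __init__(self, addresses, oversubscription=1):
        self.addresses = list(addresses)
        self.oversubscription = oversubscription
        self._users = {}    # (translated ip, port) -> set of destination IPs using that pair
        self._cursor = {}   # translated ip -> offset of the next port to try

    def select_ip(self, src_ip):
        digest = hashlib.sha256(src_ip.encode()).digest()   # any stable hash works for the model
        return self.addresses[int.from_bytes(digest[:4], "big") % len(self.addresses)]

    def allocate(self, src_ip, dst_ip, src_port=None):
        """Return (translated ip, translated port), or None when the address is exhausted."""
        tip = self.select_ip(src_ip)
        start = self._cursor.get(tip, 0)
        for i in range(PORTS_PER_IP):
            offset = (start + i) % PORTS_PER_IP
            port = EPHEMERAL_START + offset
            users = self._users.setdefault((tip, port), set())
            if dst_ip not in users and len(users) < self.oversubscription:
                users.add(dst_ip)
                self._cursor[tip] = (offset + 1) % PORTS_PER_IP
                return tip, port
        return None


class DynamicIpPool:
    """Dynamic IP pool: each new source IP takes the next available address in the range
    and keeps its original port (no port translation)."""

    def __init__(self, addresses):
        self.addresses = list(addresses)
        self._free = list(addresses)
        self._assigned = {}   # source ip -> translated ip

    def allocate(self, src_ip, dst_ip, src_port):
        tip = self._assigned.get(src_ip)
        if tip is None:
            if not self._free:
                return None
            tip = self._free.pop(0)
            self._assigned[src_ip] = tip
        return tip, src_port


def check_no_overlap(primary, fallback):
    """The table warns that fallback addresses must not overlap the primary pool."""
    return not (set(primary.addresses) & set(fallback.addresses))


def translate_source(src_ip, dst_ip, src_port, primary, fallback=None):
    """Source NAT with the Advanced (Dynamic IP/Port Fallback) option: use the primary
    pool, and only when it has run out fall back to the IP-and-port pool."""
    result = primary.allocate(src_ip, dst_ip, src_port)
    if result is None and fallback is not None:
        result = fallback.allocate(src_ip, dst_ip, src_port)
    return result


def fill(pool, src_ip, dst_ip, sessions):
    """Open `sessions` sessions from src_ip to dst_ip; return how many got a translation."""
    return sum(1 for _ in range(sessions) if pool.allocate(src_ip, dst_ip, 40000) is not None)


if __name__ == "__main__":
    primary = DynamicIpPool(["203.0.113.1", "203.0.113.2"])        # constructed pools
    fallback = DippPool(["203.0.113.100"])
    assert check_no_overlap(primary, fallback)
    for host in ("10.0.0.1", "10.0.0.2", "10.0.0.3"):
        # the third host finds the Dynamic IP pool empty and is served by the fallback pool
        print(host, "->", translate_source(host, "198.51.100.7", 40000, primary, fallback))
```

The `fill` helper makes the capacity behaviour visible: a single translated address accepts about 64k sessions towards one destination regardless of the over-subscription factor, and only a second destination IP benefits from the reuse, which matches the table's "when destination IP addresses are unique" condition.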
NAT Active/Active HA Binding Tab
The Active/Active HA Binding tab is available only if the firewall is in a high availability (HA) active/active configuration. In this configuration, you must bind each source NAT rule (whether static or dynamic NAT) to Device ID 0 or Device ID 1. You typically configure device-specific NAT rules when the two HA peers have unique NAT IP address pools.
When the firewall creates a new session, the HA binding determines which NAT rules the session can match: a rule can match only if its binding includes the session owner. The session setup firewall performs the NAT rule matching, but it compares the session only against the NAT rules that are bound to the session owner and translates the session according to the first of those rules that matches. For device-specific rules, the firewall skips all NAT rules that are not bound to the session owner. For example, suppose the firewall with Device ID 1 is both the session owner and the session setup firewall. When Device ID 1 attempts to match a session to a NAT rule, it ignores all rules bound to Device ID 0.
If one peer fails, the second peer continues to process traffic for the synchronized sessions from the failed peer, including NAT translations. Palo Alto Networks recommends you create a duplicate NAT rule that is bound to the second Device ID. There are then two NAT rules with the same source translation addresses and the same destination translation addresses, one rule bound to each Device ID. Such a configuration allows the current HA peer to perform new session setup and NAT rule matching for NAT rules that are bound to its Device ID. Without a duplicate NAT rule, the functioning peer will try to perform the NAT policy match, but the session won't match the firewall's own device-specific rules and the firewall skips all other NAT rules that are not bound to its Device ID.
You must bind each destination NAT rule to either Device ID 0, Device ID 1, both (Device ID 0 and Device ID 1), or the active-primary firewall.
Select an Active/Active HA Binding setting to bind the NAT rule to an HA firewall as follows:
  0 — Binds the NAT rule to the firewall that has HA Device ID 0.
  1 — Binds the NAT rule to the firewall that has HA Device ID 1.
  both — Binds the NAT rule to both the firewall that has HA Device ID 0 and the firewall that has HA Device ID 1. This setting does not support Dynamic IP or Dynamic IP and Port NAT.
  primary — Binds the NAT rule to the firewall that is in HA active-primary state. This setting does not support Dynamic IP or Dynamic IP and Port NAT.
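Two properties of NAT policy evaluation stated on this page are worth checking before a commit rather than discovering in a traffic log: rules are matched top-down with the first match applied (so a broad rule placed above a narrower one silently shadows it), and in an active/active pair a rule that is not bound to the session owner's Device ID is skipped (so a device-specific rule without its duplicate bound to the other Device ID stops matching after a failover). The following Python is an added example, not code from the PAN-OS documentation or the firewall; the rule and packet fields, class names and the two lint functions are assumptions for illustration, and the rules and addresses in it are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class NatRule:
    name: str
    src_zones: frozenset     # frozenset({"any"}) matches every zone
    dst_zones: frozenset
    src_addr: str            # CIDR or "any"
    dst_addr: str
    service: str             # e.g. "service-http", or "any"
    translated: str          # translated address; used only to recognise HA duplicates
    binding: frozenset       # HA Device IDs the rule is bound to: {0}, {1} or {0, 1}


@dataclass
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    service: str


def _addr_matches(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule, pkt):
    return (("any" in rule.src_zones or pkt.src_zone in rule.src_zones)
            and ("any" in rule.dst_zones or pkt.dst_zone in rule.dst_zones)
            and _addr_matches(rule.src_addr, pkt.src_ip)
            and _addr_matches(rule.dst_addr, pkt.dst_ip)
            and rule.service in ("any", pkt.service))


def first_match(rules, pkt, session_owner=None):
    """Rules are evaluated in order and the first match is applied. In an active/active
    HA pair, rules not bound to the session owner's Device ID are skipped entirely."""
    for rule in rules:
        if session_owner is not None and session_owner not in rule.binding:
            continue
        if rule_matches(rule, pkt):
            return rule.name
    return None


def _addr_covers(wide, narrow):
    if wide == "any":
        return True
    if narrow == "any":
        return False
    w = ipaddress.ip_network(wide, strict=False)
    n = ipaddress.ip_network(narrow, strict=False)
    return w.version == n.version and n.subnet_of(w)


def covers(wide, narrow):
    """True when every packet that matches `narrow` also matches `wide`."""
    return (("any" in wide.src_zones or narrow.src_zones <= wide.src_zones)
            and ("any" in wide.dst_zones or narrow.dst_zones <= wide.dst_zones)
            and _addr_covers(wide.src_addr, narrow.src_addr)
            and _addr_covers(wide.dst_addr, narrow.dst_addr)
            and wide.service in ("any", narrow.service))


def shadowed_rules(rules):
    """Rules that can never fire: for every Device ID they are bound to, an earlier rule
    bound to that same Device ID already covers all of their traffic."""
    return [rule.name for i, rule in enumerate(rules)
            if all(any(dev in r.binding and covers(r, rule) for r in rules[:i])
                   for dev in rule.binding)]


def missing_ha_duplicates(rules):
    """Device-specific rules (bound to one Device ID) that lack the duplicate this page
    recommends: same match criteria and translation, bound to the other Device ID."""
    def key(r):
        return (r.src_zones, r.dst_zones, r.src_addr, r.dst_addr, r.service, r.translated)
    out = []
    for rule in rules:
        if len(rule.binding) != 1:
            continue
        other = frozenset({0, 1} - rule.binding)
        if not any(key(r) == key(rule) and r.binding == other for r in rules):
            out.append(rule.name)
    return out


if __name__ == "__main__":
    trust, untrust, both = frozenset({"trust"}), frozenset({"untrust"}), frozenset({0, 1})
    rules = [NatRule("outbound", trust, untrust, "10.0.0.0/8", "any", "any", "203.0.113.1", both),
             NatRule("branch", trust, untrust, "10.1.0.0/16", "any", "any", "203.0.113.2", both)]
    print(shadowed_rules(rules))   # the broad /8 rule above it means "branch" never fires
```

`shadowed_rules` is conservative in one direction only: it reports a rule as dead when an earlier rule is a strict superset on every field, so a rule that is only partially eclipsed is not flagged and still needs a manual look at its position in the list.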