End-of-Life (EoL)

NAT Translated Packet Tab

  • Policy > NAT > Translated Packet
Select the
Translated Packet
tab to determine, for Source Address Translation, the type of translation to perform on the source, and the address and/or port to which the source will be translated.
You can also enable Destination Address Translation for an internal host that needs to be accessed by a public IP address. In this case, you define a public source address and destination address in the
Original Packet
tab for an internal host, and in the
Translated Packet
tab you enable
Destination Address Translation
and enter the
Translated Address
. When the public address is accessed, it will be translated to the internal (destination) address of the internal host.
NAT Rule - Translated Packet Settings
Source Address Translation
Select the Translation Type (dynamic or static address pool), and enter an IP address or address range (address1-address2) that the source address is translated to (
Translated Address
). The size of the address range is limited by the type of address pool:
  • Dynamic IP And Port
    —Address selection is based on a hash of the source IP address. For a given source IP address, the firewall uses the same translated source address for all sessions. Dynamic IP and Port source NAT supports approximately 64,000 concurrent sessions on each IP address in the NAT pool. On some models, over-subscription is supported, which allows a single IP to host more than 64,000 concurrent sessions.
    Palo Alto Networks Dynamic IP/port NAT supports more NAT sessions than are supported by the number of available IP addresses and ports. The firewall can use IP address and port combinations up to two times (simultaneously) on the PA-200, PA-500, and PA-3000 Series firewalls, four times on the PA-5020 firewalls, and eight times on the PA-5050 and PA-5060 firewalls when destination IP addresses are unique.
  • Dynamic IP
    —The next available address in the specified range is used, but the port number is unchanged. Up to 32,000 consecutive IP addresses are supported. A dynamic IP pool can contain multiple subnets, so you can translate your internal network addresses to two or more separate public subnets.
  • Advanced (Dynamic IP/Port Fallback)
    —Use this option to create a fall back pool that will perform IP and port translation and will be used if the primary pool runs out of addresses. You can define addresses for the pool by using the Translated Address option or the Interface Address option, which is for interfaces that receive an IP address dynamically. When creating a fall back pool, make sure addresses do not overlap with addresses in the primary pool.
  • Static IP
    —The same address is always used for the translation and the port is unchanged. For example, if the source range is and the translation range is, address is always translated to The address range is virtually unlimited.
    NPTv6 must use
    Static IP
    translation for Source Address Translation. For NPTv6, the prefixes configured for
    Translated Address
    must be in the format xxxx:xxxx::/yy. The address cannot have an interface identifier (host) portion defined. The range of supported prefix lengths is /32 to /64.
  • None
    —Translation is not performed.
) Enable bidirectional translation if you want the firewall to create a corresponding translation (NAT or NPTv6) in the opposite direction of the translation you configure.
If you enable bidirectional translation, you must ensure that you have security policies in place to control the traffic in both directions. Without such policies, the bidirectional feature allows packets to be translated automatically in both directions.
Destination Address Translation
Enter an IP address or range of IP addresses and a translated port number (1-65535) to which the destination address and port number are translated. If the
Translated Port
field is blank, the destination port is not changed. Destination translation is typically used to allow an internal server, such as an email server, to be accessed from the public network.
For NPTv6, the prefixes configured for Destination prefix
Translated Address
must be in the format xxxx:xxxx::/yy. The address cannot have an interface identifier (host) portion defined. The range of supported prefix lengths is /32 to /64.
Translated Port is not supported for NPTv6 because NPTv6 is strictly prefix translation. The Port and Host address section is simply forwarded unchanged.

Recommended For You