Virtual Wire Source NAT Example
Virtual wire deployment of a Palo Alto Networks firewall includes the benefit of providing security transparently to the end devices. It is possible to configure NAT for interfaces configured in a virtual wire. All of the NAT types are allowed: source NAT (Dynamic IP, Dynamic IP and Port, static) and destination NAT.
Because interfaces in a virtual wire do not have an IP address assigned, it is not possible to translate an IP address to an interface IP address. You must configure an IP address pool.
When performing NAT on virtual wire interfaces, it is recommended that you translate the source address to a different subnet than the one on which the neighboring devices are communicating. The firewall will not proxy ARP for NAT addresses. Proper routing must be configured on the upstream and downstream routers in order for the packets to be translated in virtual wire mode. Neighboring devices will only be able to resolve ARP requests for IP addresses that reside on the interface of the device on the other end of the virtual wire. See Proxy ARP for NAT Address Pools for more explanation about proxy ARP.
In the source NAT example below, security policies (not shown) are configured from the virtual wire zone named vw-trust to the zone named vw-untrust.
In the following topology, two routers are configured to provide connectivity between subnets 192.0.2.0/24 and 172.16.1.0/24. The link between the routers is configured in subnet 198.51.100.0/30. Static routing is configured on both routers to establish connectivity between the networks. Before the firewall is deployed in the environment, the topology and the routing table for each router look like this:
Route on R1:
Route on R2:
Now the firewall is deployed in virtual wire mode between the two Layer 3 devices. A NAT IP address pool with range 198.51.100.9 to 198.51.100.14 is configured on the firewall. All communications from clients in subnet 192.0.2.0/24 accessing servers in network 172.16.1.0/24 will arrive at R2 with a translated source address in the range 198.51.100.9 to 198.51.100.14. The response from servers will be directed to these addresses.
In order for source NAT to work, you must configure proper routing on R2, so that return packets destined for the translated (NAT pool) addresses are not dropped. The routing table below shows the modified routing table on R2; the added route ensures traffic to the destinations 198.51.100.9-198.51.100.14 (that is, hosts on subnet 198.51.100.8/29) will be sent back through the firewall to R1, where the firewall reverses the translation.
Route on R2:
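As an added example (not from this page or from Palo Alto Networks), the two conditions the text places on a virtual wire source NAT return path, checked in Python against a model of the topology above. The page gives only the link subnet, so R1's address on the link (198.51.100.1) is an assumption, as are the routing tables constructed here.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed model of the example topology: R1 <-> firewall (virtual wire) <-> R2.
# The page gives only the link subnet, so R1's link address is an assumption.
LINK_SUBNET = ipaddress.ip_network("198.51.100.0/30")
R1_LINK_IP = "198.51.100.1"                   # assumed address of R1 on the link
NAT_POOL = ("198.51.100.9", "198.51.100.14")  # pool range from the page

Route = Tuple[str, Optional[str]]  # (prefix, next-hop); None = directly connected

# R2 routing table before the firewall is inserted (constructed from the page).
R2_BEFORE: List[Route] = [
    ("172.16.1.0/24", None),
    ("198.51.100.0/30", None),
    ("192.0.2.0/24", R1_LINK_IP),
]
# R2 after the route for the NAT pool subnet pointing back towards R1 is added.
R2_AFTER: List[Route] = R2_BEFORE + [("198.51.100.8/29", R1_LINK_IP)]

def pool_addresses() -> List[ipaddress.IPv4Address]:
    lo, hi = (int(ipaddress.ip_address(a)) for a in NAT_POOL)
    return [ipaddress.ip_address(i) for i in range(lo, hi + 1)]

def lookup(routes: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match: next-hop for dst, None if directly connected,
    or the string "no route" if no entry covers it."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return "no route" if best is None else best[1]

def check_vwire_snat(r2_routes: List[Route]) -> List[str]:
    """Return the problems that would break the return path; empty means OK."""
    problems = []
    for a in pool_addresses():
        # The firewall does not proxy-ARP for pool addresses, so a pool inside the
        # router link subnet leaves R2 ARPing for an address nothing answers.
        if a in LINK_SUBNET:
            problems.append(f"{a} lies in router link {LINK_SUBNET}: nothing answers ARP")
            continue
        # Replies must re-enter the virtual wire for the firewall to reverse the
        # translation, so R2's next-hop for each pool address must be R1.
        nh = lookup(r2_routes, str(a))
        if nh != R1_LINK_IP:
            problems.append(f"{a}: R2 next-hop is {nh}, expected {R1_LINK_IP}")
    return problems
```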