1. Home
    2. PAN-OS
    3. PAN-OS® Administrator’s Guide
    4. Networking
    5. NAT
    6. NAT Policy Rules
    7. NAT Policy Overview

    NAT Policy Overview

    You configure a NAT rule to match a packet’s source zone and destination zone, at a minimum. In addition to zones, you can configure matching criteria based on the packet’s destination interface, source and destination address, and service. You can configure multiple NAT rules. The firewall evaluates the rules in order from the top down. Once a packet matches the criteria of a single NAT rule, the packet is not subjected to additional NAT rules. Therefore, your list of NAT rules should be in order from most specific to least specific so that packets are subjected to the most specific rule you created for them.
    Static NAT rules do not have precedence over other forms of NAT. Therefore, for static NAT to work, the static NAT rules must be above all other NAT rules in the list on the firewall.
    NAT rules provide address translation, and are different from security policy rules, which allow or deny packets. It is important to understand the firewall’s flow logic when it applies NAT rules and security policy rules so that you can determine what rules you need, based on the zones you have defined. You must configure security policy rules to allow the NAT traffic.
    Upon ingress, the firewall inspects the packet and does a route lookup to determine the egress interface and zone. Then the firewall determines if the packet matches one of the NAT rules that have been defined, based on source and/or destination zone. It then evaluates and applies any security policies that match the packet based on the original (pre-NAT) source and destination addresses, but the post-NAT zones. Finally, upon egress, for a matching NAT rule, the firewall translates the source and/or destination address and port numbers.
    Keep in mind that the translation of the IP address and port do not occur until the packet leaves the firewall. The NAT rules and security policies apply to the original IP address (the pre-NAT address). A NAT rule is configured based on the zone associated with a pre-NAT IP address.
    Security policies differ from NAT rules because security policies examine post-NAT zones to determine whether the packet is allowed or not. Because the very nature of NAT is to modify source or destination IP addresses, which can result in modifying the packet’s outgoing interface and zone, security policies are enforced on the post-NAT zone.
    A SIP call sometimes experiences one-way audio when going through the firewall because the call manager sends a SIP message on behalf of the phone to set up the connection. When the message from the call manager reaches the firewall, the SIP ALG must put the IP address of the phone through NAT. If the call manager and the phones are not in the same security zone, the NAT lookup of the IP address of the phone is done using the call manager zone. The NAT policy should take this into consideration.
    No-NAT rules are configured to allow exclusion of IP addresses defined within the range of NAT rules defined later in the NAT policy. To define a no-NAT policy, specify all of the match criteria and select No Source Translation in the source translation column.
    You can verify the NAT rules processed by using the CLI
    test nat-policy-match
     command in operational mode. For example:
    user@device1> 
    test nat-policy-match
?
     
+ destination  Destination IP address 
+ destination-port  Destination port 
+ from  From zone 
+ ha-device-id  HA Active/Active device ID 
+ protocol  IP protocol value 
+ source  Source IP address 
+ source-port  Source port 
+ to  To Zone 
+ to-interface  Egress interface to use 
  |  Pipe through a command 
<Enter>  Finish input 
user@device1> 
    test nat-policy-match from l3-untrust source
10.1.1.1 destination 66.151.149.20 destination-port 443 protocol
6
     
Destination-NAT: Rule matched: CA2-DEMO 
66.151.149.20:443 => 192.168.100.15:443

    Related Documentation

    Policies > NAT

    Policies > NAT If you define Layer 3 interfaces on the firewall, you can configure a Network Address Translation (NAT) policy to specify whether source ...

    Source and Destination NAT Example

    Source and Destination NAT Example In this example, NAT rules translate both the source and destination IP address of packets between the clients and the ...

    Disable NAT for a Specific Host or Interface

    Disable NAT for a Specific Host or Interface Both source NAT and destination NAT rules can be configured to disable address translation. You may have ...

    Destination NAT Example—One-to-One Mapping

    Destination NAT Example—One-to-One Mapping The most common mistakes when configuring NAT and security rules are the references to the zones and address objects. The addresses ...

    NAT

    NAT This section describes Network Address Translation (NAT) and how to configure the firewall for NAT. NAT allows you to translate private, non-routable IPv4 addresses ...

    Configure NAT

    Configure NAT Perform the following tasks to configure various aspects of NAT. In addition to the examples below, there are examples in the section NAT ...

    NAT Active/Active HA Binding Tab

    NAT Active/Active HA Binding Tab Policies > NAT > Active/Active HA Binding The Active/Active HA Binding tab is available only if the firewall is in ...

    Use Case: Configure Separate Source NAT IP Address Pools fo...

    Use Case: Configure Separate Source NAT IP Address Pools for Active/Active HA Firewalls If you want to use IP address pools for source NAT in ...

    NAT in Active/Active HA Mode

    NAT in Active/Active HA Mode In an active/active HA configuration: You must bind each Dynamic IP (DIP) NAT rule and Dynamic IP and Port (DIPP) ...

    Source NAT and Destination NAT

    Source NAT and Destination NAT The firewall supports both source address and/or port translation and destination address and/or port translation. Source NAT Destination NAT ...

    © 2019 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo