NAT Translated Packet Tab

  • Policy > NAT > Translated Packet
Select the
Translated Packet
tab to determine, for Source Address Translation, the type of translation to perform on the source, and the address and possibly the port to which the source is translated.
You can also enable Destination Address Translation for an internal host to make it accessible by a public IP address. In this case, you define a public source address and destination address in the
Original Packet
tab for an internal host and, on the
Translated Packet
tab, you configure Destination Address Translation by selecting
Static IP
Dynamic IP (with session distribution)
and entering the
Translated Address
. Then, when the public address is accessed, it will be translated to the internal (destination) address of the internal host.
NAT Rule - Translated Packet Settings
Source Address Translation
Select the
Translation Type
(dynamic or static address pool) and enter an IP address or address range (address1—address2) to which the source address is translated (
Translated Address
). The size of the address range is limited by the type of address pool:
  • Dynamic IP and Port
    —Address selection is based on a hash of the source IP address. For a given source IP address, the firewall uses the same translated source address for all sessions. Dynamic IP and Port (DIPP) source NAT supports approximately 64,000 concurrent sessions on each IP address in the NAT pool. Some models support oversubscription, which allows a single IP to host more than 64,000 concurrent sessions.
    Palo Alto Networks® DIPP NAT supports more NAT sessions than are supported by the number of available IP addresses and ports. With oversubscription, the firewall can use IP address and port combinations two times simultaneously on PA-200, PA-220, PA-500 Series firewalls, four times simultaneously on PA-5020 and the PA-3200 Series, and eight times simultaneously on PA-5050 and PA-5060 firewalls, when destination IP addresses are unique.
  • Dynamic IP
    —Translates to the next available address in the specified range but the port number remains unchanged. Up to 32,000 consecutive IP addresses are supported. A dynamic IP pool can contain multiple subnets, so you can translate your internal network addresses to two or more separate public subnets.
  • Advanced (Dynamic IP/Port Fallback)
    —Use this option to create a fallback pool that performs IP and port translation and is used if the primary pool runs out of addresses. You can define addresses for the pool by using the Translated Address option or the Interface Address option; the latter option is for interfaces that receive an IP address dynamically. When creating a fallback pool, make sure addresses do not overlap with addresses in the primary pool.
  • Static IP
    —The same address is always used for the translation and the port is unchanged. For example, if the source range is— and the translation range is—, address is always translated to The address range is virtually unlimited.
    You must use
    Static IP
    translation for NPTv6 Source Address Translation. For NPTv6, the prefixes configured for
    Translated Address
    must be in the format xxxx:xxxx::/yy and the address cannot have an interface identifier (host) portion defined. The range of supported prefix lengths is /32 to /64.
  • None
    —Translation is not performed.
) Enable bidirectional translation if you want the firewall to create a corresponding translation (NAT or NPTv6) in the opposite direction of the translation you configure.
If you enable bidirectional translation, you must ensure that you have security policies in place to control the traffic in both directions. Without such policies, the bidirectional feature allows packets to be translated automatically in both directions.
Destination Address Translation
Configure the following options to have the firewall perform destination NAT. You typically use Destination NAT to allow an internal server, such as an email server, to be accessible from the public network.
Translation Type and Translated Address
Select the type of translation the firewall performs on the destination address:
  • None
  • Static IP
    —Enter a
    Translated Address
    as an IP address or range of IP addresses and a
    Translated Port
    number (1—65535) to which the original destination address and port number are translated. If the
    Translated Port
    field is blank, the destination port is not changed.
    For NPTv6, the prefixes configured for the Destination prefix
    Translated Address
    must be in the format xxxx:xxxx::/yy. The address cannot have an interface identifier (host) portion defined. The range of supported prefix lengths is /32 to /64.
    Translated Port is not supported for NPTv6 because NPTv6 is strictly prefix translation. The Port and Host address section is simply forwarded unchanged.
  • Dynamic IP (with session distribution)
    —Select or enter a
    Translated Address
    that is an address group; an address object of type FQDN, IP address range, or IP mask; or an IP address range from which the firewall selects the translated address. If the address object or address group translates to more than one IP address, the firewall distributes sessions among those addresses using the specified
    Session Distribution Method
Session Distribution Method
The session distribution method is
. This option applies to the
Dynamic IP (with session distribution)
translation type. If the destination translated address is an FQDN, address object, or address group that resolves to more than one post-NAT destination address, the firewall automatically distributes sessions among those addresses (based on a round-robin algorithm) to provide more even session loading.

Recommended For You