NAT Translated Packet Tab
- Policy > NAT > Translated Packet
For Source Address Translation, select the Translated Packet tab to determine the type of translation to perform on the source, and the address and possibly the port to which the source is translated.
You can also enable Destination Address Translation for an internal host to make it accessible by a public IP address. In this case, you define a public source address and destination address in the Original Packet tab for an internal host and, on the Translated Packet tab, you configure Static IP or Dynamic IP (with session distribution) and enter the Translated Address. Then, when the public address is accessed, it is translated to the internal (destination) address of the internal host.
NAT Rule - Translated Packet Settings
Source Address Translation
Select the Translation Type (dynamic or static address pool) and enter an IP address or address range (address1—address2) to which the source address is translated (Translated Address). The size of the address range is limited by the type of address pool:
Source Address Translation (cont)
(Optional) Enable bidirectional translation for a Static IP source address translation if you want the firewall to create a corresponding translation (NAT or NPTv6) in the opposite direction of the translation you configure.
If you enable bidirectional translation, you must ensure that you have security policies in place to control the traffic in both directions. Without such policies, the bidirectional feature allows packets to be translated automatically in both directions.
Destination Address Translation
Configure the following options to have the firewall perform destination NAT. You typically use Destination NAT to allow an internal server, such as an email server, to be accessible from the public network.
Translation Type and Translated Address
Select the type of translation the firewall performs on the destination address:
Session Distribution Method
If you set the destination NAT translation type to Dynamic IP (with session distribution), the translated destination address (an FQDN, address object, or address group) can resolve to more than one address. You can choose how the firewall distributes (assigns) sessions among those addresses to provide more balanced session distribution:
Enable DNS Rewrite
In PAN-OS 9.0.2 and later 9.0 releases, if the destination NAT policy rule type is ipv4 and the destination address translation type is Static IP, the Enable DNS Rewrite option is available. You can enable DNS rewrite if you use destination NAT and also use DNS services on one side of the firewall to resolve FQDNs for a client on the other side of the firewall. When the DNS response traverses the firewall, the firewall rewrites the IP address in the DNS response, relative to the original destination address or translated destination address that the DNS response matches in the NAT policy rule. A single NAT policy rule has the firewall perform NAT on packets that match the rule and perform NAT on IP addresses in DNS responses that match the rule. You must specify how the firewall performs NAT on an IP address in a DNS response relative to the NAT rule—reverse or forward:
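The rewrite decision described above, modeled as an added example (not Palo Alto Networks code and not the PAN-OS configuration schema). It assumes that reverse rewrites a DNS answer matching the translated destination address back to the original destination address, that forward rewrites an answer matching the original destination address to the translated one, and that static translation maps ranges one to one; the class, function names, and addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class StaticDnatRule:
    """Hypothetical model of an ipv4 Static IP destination NAT rule."""
    original: ipaddress.IPv4Network     # destination address in the Original Packet tab
    translated: ipaddress.IPv4Network   # Translated Address in the Translated Packet tab
    dns_rewrite: Optional[str] = None   # None (disabled), "reverse" or "forward"

    def __post_init__(self):
        # Assumption: static translation is one-to-one, so both ranges must match in size.
        if self.original.num_addresses != self.translated.num_addresses:
            raise ValueError("original and translated ranges differ in size")
        if self.dns_rewrite not in (None, "reverse", "forward"):
            raise ValueError("dns_rewrite must be None, 'reverse' or 'forward'")


def _remap(addr, src, dst):
    """Map addr from src to dst, keeping its offset; None if addr is outside src."""
    if addr not in src:
        return None
    offset = int(addr) - int(src.network_address)
    return ipaddress.IPv4Address(int(dst.network_address) + offset)


def rewrite_a_record(rule: StaticDnatRule, answer: str) -> str:
    """Return the IPv4 address the client receives for one A-record answer."""
    addr = ipaddress.IPv4Address(answer)
    if rule.dns_rewrite == "reverse":    # answer matches the translated address
        new = _remap(addr, rule.translated, rule.original)
    elif rule.dns_rewrite == "forward":  # answer matches the original address
        new = _remap(addr, rule.original, rule.translated)
    else:                                # DNS rewrite disabled
        new = None
    return str(new if new is not None else addr)


def rewrite_response(rule: StaticDnatRule, answers: List[str]) -> List[str]:
    """Rewrite every A-record address in a DNS response that matches the rule."""
    return [rewrite_a_record(rule, a) for a in answers]


# Constructed sample rules: public 203.0.113.0/28 translated to internal 10.0.5.0/28.
PUBLIC = ipaddress.ip_network("203.0.113.0/28")
INTERNAL = ipaddress.ip_network("10.0.5.0/28")
RULE_REVERSE = StaticDnatRule(PUBLIC, INTERNAL, "reverse")
RULE_FORWARD = StaticDnatRule(PUBLIC, INTERNAL, "forward")
```

An answer that matches neither side of the rule passes through unchanged, which is a quick way to confirm that a rule's direction matches where the DNS server sits relative to the client.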