NAT Translated Packet Tab
- Policy > NAT > Translated Packet
For Source Address Translation, select the
Translated Packettab to determine the type of translation to perform on the source, the address, and possibly the port to which the source is translated.
You can also enable Destination Address Translation for an internal host to make it accessible by a public IP address. In this case, you define a public source address and destination address in the
Original Packettab for an internal host and, on the
Translated Packettab, you configure
Dynamic IP (with session distribution)and enter the
Translated Address. Then, when the public address is accessed, it is translated to the internal (destination) address of the internal host.
NAT Rule - Translated Packet Settings
Source Address Translation
Translation Type(dynamic or static address pool) and enter an IP address or address range (address1—address2) to which the source address is translated (
Translated Address). The size of the address range is limited by the type of address pool:
Source Address Translation (cont)
Optional) Enable bidirectional translation for a
Static IPsource address translation if you want the firewall to create a corresponding translation (NAT or NPTv6) in the opposite direction of the translation you configure.
If you enable bidirectional translation, you must ensure that you have security policies in place to control the traffic in both directions. Without such policies, the bidirectional feature allows packets to be translated automatically in both directions.
Destination Address Translation
Configure the following options to have the firewall perform destination NAT. You typically use Destination NAT to allow an internal server, such as an email server, to be accessible from the public network.
Translation Type and Translated Address
Select the type of translation the firewall performs on the destination address:
Session Distribution Method
If you select the destination NAT translation to be to
Dynamic IP (with session distribution), it’s possible that the destination translated address (to an FQDN, address object, or address group) can resolve to more than one address. You can choose how the firewall distributes (assigns) sessions among those addresses to provide more balanced session distribution:
Enable DNS Rewrite
In PAN-OS 9.0.2 and later 9.0 releases, if the destination NAT policy rule type is
ipv4and the destination address translation type is
Static IP, the
Enable DNS Rewriteoption is available. You can enable DNS rewrite if you use destination NAT and also use DNS services on one side of the firewall to resolve FQDNs for a client on the other side of the firewall. When the DNS response traverses the firewall, the firewall rewrites the IP address in the DNS response, relative to the original destination address or translated destination address that the DNS response matches in the NAT policy rule. A single NAT policy rule has the firewall perform NAT on packets that match the rule and perform NAT on IP addresses in DNS responses that match the rule. You must specify how the firewall performs NAT on an IP address in a DNS response relative to the NAT rule—reverse or forward: