Default Source NAT

Learn more about the Prisma SD-WAN’s default source NAT.
By default, Prisma SD-WAN provides an out-of-the-box configuration that automatically performs Source NAT on traffic destined directly to public internet interfaces.
Fields
Description
1
A new flow source is from Host PC1 with a source address of 10.10.10.10 and a destination address of 60.60.60.60.
2
A packet arrives at the ION device’s LAN Interface. A policy lookup and a path selection decision perform to put the traffic on the link to ISP A.
3
Place the packet onto the internet segment; the Default-NATPolicySet matches against the Default-InternetRule.
This rule contains the following configuration:
  • Destination Zone Rule: NAT Zone Internet
  • Match Criteria: any protocol, any prefix, any port
  • Action: Source NAT
In this rule:
  • The NAT Pool is blank by default, and the system uses the IP Address bound to the internet interface.
  • The ION device will ARP for IP addresses where the NAT Pool intersects with the configured interface subnet on the ION device.
Apply the packet's policy; the source address of 10.10.10.10 overwrites by the address bound to the Internet Interface (50.50.50.1). The source port changes to a random port during this operation.
In this example the original packet: (s) 10.10.10.10:12345: (d) 60.60.60.60:443. Is rewritten to: (s) 50.50.50.1:54321: (d) 60.60.60.60:443.
4
Traffic arrives at the internet-based SaaS application.
5
Traffic returns to the destination of 50.50.50.1:54321.
6
Traffic arrives at the ION device's internet interface, where a translation table check is performed on the flow to ensure that there is an active connection.
7
Establish the traffic onto the LAN segment; the destination IP address returns from 50.50.50.1:54321 to 10.10.10.10:12345.

Recommended For You