Destination NAT

Learn more about the Prisma SD-WAN destination NAT use case.
Prisma SD-WAN destination NAT securely permits inbound connections from the internet to access internal private IP resources at a branch site location.
One of the use cases involves physical security monitoring services that require direct inbound connections from the internet and outbound connections from the local device, often implemented with a dedicated 1:1 NAT configuration.
In this example, the external system Host 1 needs to communicate with Server 1 in the branch location across the internet. For Host 1, the IP address for the branch service is 50.50.50.2 and port 443.
The steps below describe the flow from Host 1 to Server 1 and back.

1. A new flow is sourced from Host 1 with a source address of 70.70.70.70 and a destination address of 50.50.50.2.
2. The packet arrives at the ION device's internet interface. The device performs the policy lookup and places the traffic on the LAN path.
3. The packet is placed onto the LAN segment and matched against the newly created NAT Policy Rule.
   This rule contains the following configuration:
     • Source Zone Rule: NAT Zone Internet
       The NAT Zone Internet is bound to the internet interface.
     • Match Criteria:
       • Protocol: TCP
       • Source Prefix: Any
       • Source Port Range: Any:Any
       • Destination Prefix: Internet-Services-Prefix
         This is a local prefix filter, and the entry for this site is 50.50.50.2/32.
         The ION device sends GARP messages and responds to ARP requests for 50.50.50.2.
       • Destination Port Range: 443:443 (leave blank if all ports are allowed)
     • Action: Destination NAT
     • NAT Pool: LAN-Services
   The NAT Pool LAN-Services is defined as 10.10.10.20 - 10.10.10.20 on the branch ION device.
   NAT Pools are defined as persistent ranges and can be configured through the NAT Policy UI or directly through the device-level interface configuration.
   When the policy is applied to the packet, the original destination address, 50.50.50.2, is overwritten with the NAT Pool LAN-Services address. In this example the original packet (s) 70.70.70.70:12345 (d) 50.50.50.2:443 is rewritten to (s) 70.70.70.70:12345 (d) 10.10.10.20:443.
4. Traffic arrives on the LAN at the server hosting the inbound services from the internet.
5. Server 1 sends the return traffic to the destination 70.70.70.70:12345.
6. Traffic arrives at the ION device's LAN interface, where a translation table check is performed on the flow to ensure that there is an active connection.
7. As the traffic leaves the LAN segment, the source address is rewritten from 10.10.10.10:443 to 50.50.50.2:443.
   If traffic that originates from Server 1 (10.10.10.20) also needs to be translated to 50.50.50.2, a corresponding Source NAT Rule must be configured.
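The following is an added example (not Prisma SD-WAN code) that models the rule match, the inbound rewrite, the translation table entry, and the step 6 check that only flows with an active translation are rewritten on the way back; rule names and addresses are the page's, the function and table layout are assumptions.

```python
import ipaddress

# NAT Policy Rule and pool as the page describes them (the page's names and values).
RULE = {
    "source_zone": "NAT Zone Internet",
    "protocol": "TCP",
    "destination_prefixes": [ipaddress.ip_network("50.50.50.2/32")],  # Internet-Services-Prefix
    "destination_ports": (443, 443),  # 443:443; None would mean all ports are allowed
    "nat_pool": ["10.10.10.20"],      # LAN-Services: 10.10.10.20 - 10.10.10.20
}

def rule_matches(rule, zone, proto, dst, dport):
    """Match criteria: source zone, protocol, destination prefix, destination port range."""
    if zone != rule["source_zone"] or proto != rule["protocol"]:
        return False
    if not any(ipaddress.ip_address(dst) in p for p in rule["destination_prefixes"]):
        return False
    ports = rule["destination_ports"]
    return ports is None or ports[0] <= dport <= ports[1]

def inbound(rule, table, zone, proto, src, sport, dst, dport):
    """Steps 1-3: a flow entering from the internet zone. Returns the (possibly
    rewritten) 5-tuple and records the translation so the reply can be reversed."""
    if not rule_matches(rule, zone, proto, dst, dport):
        return (proto, src, sport, dst, dport)  # not subject to this rule; left unchanged
    new_dst = rule["nat_pool"][0]               # 1:1 pool: a single address
    # Keyed on the 5-tuple the server's reply will carry (constructed layout).
    table[(proto, new_dst, dport, src, sport)] = dst
    return (proto, src, sport, new_dst, dport)

def return_traffic(table, proto, src, sport, dst, dport):
    """Steps 5-7: reply from the LAN. Only flows with an active translation entry
    are rewritten back to the public address; anything else is dropped (None)."""
    original = table.get((proto, src, sport, dst, dport))
    if original is None:
        return None
    return (proto, original, sport, dst, dport)
```

Without a matching Source NAT Rule, a new connection initiated by Server 1 has no translation entry and is not rewritten to 50.50.50.2, which is the situation the last step describes.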