Destination NAT

Learn more about the Prisma SD-WAN destination NAT use case.
Prisma SD-WAN destination NAT securely permits inbound connections from the internet to access internal private IP resources at a branch site location.
One of the use cases involves physical security monitoring services that require direct inbound connections from the internet and outbound connections from the local device, often implemented with a dedicated 1:1 NAT configuration.
In this example, the external system Host 1 needs to communicate with Server 1 in the branch location across the internet. For Host 1, the IP address for the branch service is and port 443.
A new flow source from Host 1 with a source address of and a destination address of
The packet arrives at the ION device's internet interface, where the device performs the policy lookup and forwards the traffic on the LAN path.
The packet is placed onto the LAN segment and matched against the newly created NAT Policy Rule.
This rule contains the following configuration:
  • Source Zone Rule: NAT Zone Internet
    The NAT Zone Internet is bound to the interface.
  • Match Criteria:
    • Protocol: TCP
    • Source Prefix: Any
    • Source Port Range: Any:Any
    • Destination Prefix: Internet-Services-Prefix
      This is a local prefix filter, and the entry for this site is
    • Destination Port Range: 443:443 (leave blank if all ports are allowed)
      The ION device sends GARP messages and responds to ARP requests for
  • Action: Destination NAT
  • NAT Pool: LAN-Services
The NAT Pool LAN-Services is defined as - on the branch ION device.
NAT Pools are defined in persisting ranges and can be configured through the NAT Policy UI or directly through the device-level interface configuration.
When the policy is applied to the packet, the original destination address is overwritten with the NAT Pool LAN-Services address. In this example the original packet (s) (d) is rewritten to: (s) (d)
Traffic arrives on the LAN at the server hosting inbound services from the internet.
Server 1 sends the return traffic to the destination of
Traffic arrives at the ION device's LAN interface, where a translation table check is performed on the flow to ensure that there is an active connection.
Once the flow is established on the LAN segment, the source IP address is rewritten from to
If traffic that originates from Server 1 ( ) also needs to be translated to , a corresponding Source NAT Rule is configured.
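The following is an added example, not Prisma SD-WAN code, that models the destination NAT walkthrough above end to end: the rule match on the internet interface (source zone, protocol, destination prefix, destination port range, 1:1 NAT pool), the rewrite of the destination address to the LAN-Services pool entry, the translation-table check on the LAN interface for return traffic, and the two cases the rule does not cover (a port outside 443:443, and a flow Server 1 originates on its own, which needs the separate Source NAT Rule). All IP addresses, ports and the `IonDevice`, `DnatRule` and `parse_port_range` names are constructed for this example; the page's own address values were not preserved.

```python
import ipaddress
from dataclasses import dataclass

# Constructed placeholder addresses (not the page's values).
HOST1_IP = "198.51.100.5"           # external system Host 1 on the internet
PUBLIC_SERVICE_IP = "203.0.113.10"  # entry in the local prefix filter Internet-Services-Prefix
SERVER1_IP = "10.10.10.20"          # Server 1 on the branch LAN, entry in NAT Pool LAN-Services


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int
    zone: str  # zone of the interface the packet arrived on


def parse_port_range(spec):
    """Parse the UI's 'low:high' form; 'Any:Any' or blank means all ports."""
    if not spec or spec.replace(" ", "").lower() == "any:any":
        return (0, 65535)
    low, high = (int(p) for p in spec.split(":"))
    return (low, high)


@dataclass
class DnatRule:
    source_zone: str
    protocol: str             # "TCP", or "Any"
    destination_prefix: list  # local prefix filter entries as CIDR strings
    destination_ports: tuple  # (low, high)
    nat_pool: dict            # public address -> private address, 1:1

    def matches(self, pkt):
        if pkt.zone != self.source_zone:
            return False
        if self.protocol != "Any" and pkt.proto != self.protocol:
            return False
        dst = ipaddress.ip_address(pkt.dst_ip)
        if not any(dst in ipaddress.ip_network(p) for p in self.destination_prefix):
            return False
        low, high = self.destination_ports
        return low <= pkt.dst_port <= high and pkt.dst_ip in self.nat_pool


class IonDevice:
    """Hypothetical model of the branch ION device's NAT handling."""

    def __init__(self, rule):
        self.rule = rule
        # translation table: (remote_ip, remote_port, private_ip, private_port) -> public_ip
        self.translations = {}

    def inbound_from_internet(self, pkt):
        """Policy lookup on the internet interface. Returns the packet as it is
        placed on the LAN segment, or None when the rule does not apply."""
        if not self.rule.matches(pkt):
            return None
        private = self.rule.nat_pool[pkt.dst_ip]
        self.translations[(pkt.src_ip, pkt.src_port, private, pkt.dst_port)] = pkt.dst_ip
        return Packet(pkt.src_ip, private, pkt.proto, pkt.src_port, pkt.dst_port, "LAN")

    def outbound_from_lan(self, pkt):
        """Translation-table check on the LAN interface. Return traffic of an
        active connection has its source rewritten back to the public address;
        a flow with no table entry gets no translation from this rule (None)."""
        public = self.translations.get((pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if public is None:
            return None
        return Packet(public, pkt.dst_ip, pkt.proto, pkt.src_port, pkt.dst_port, "NAT Zone Internet")


RULE = DnatRule(
    source_zone="NAT Zone Internet",
    protocol="TCP",
    destination_prefix=[PUBLIC_SERVICE_IP + "/32"],
    destination_ports=parse_port_range("443:443"),
    nat_pool={PUBLIC_SERVICE_IP: SERVER1_IP},
)


def walk_through():
    """Run the four packets described in the lead-in through one ION device."""
    ion = IonDevice(RULE)
    syn = Packet(HOST1_IP, PUBLIC_SERVICE_IP, "TCP", 51000, 443, "NAT Zone Internet")
    on_lan = ion.inbound_from_internet(syn)
    reply = Packet(SERVER1_IP, HOST1_IP, "TCP", 443, 51000, "LAN")
    to_internet = ion.outbound_from_lan(reply)
    # Server-initiated flow with no table entry: needs a Source NAT Rule, not this rule
    unsolicited = Packet(SERVER1_IP, HOST1_IP, "TCP", 40000, 8080, "LAN")
    # Port 80 is outside the 443:443 range, so the rule does not match
    wrong_port = Packet(HOST1_IP, PUBLIC_SERVICE_IP, "TCP", 51001, 80, "NAT Zone Internet")
    return {
        "inbound": on_lan,
        "return": to_internet,
        "unsolicited": ion.outbound_from_lan(unsolicited),
        "wrong_port": ion.inbound_from_internet(wrong_port),
    }


if __name__ == "__main__":
    for name, result in walk_through().items():
        print(name, result)
```

The translation key is the full 4-tuple rather than just the server address, so only a reply to a connection the rule admitted is rewritten back to the public address; everything else the server emits falls through untranslated, which is why the page notes that server-originated traffic needs its own Source NAT Rule.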
