Focus

Static NAT

Table of Contents

Filter

Expand All | Collapse All

Prisma SD-WAN Docs

Administration
Deployment
Incidents & Alerts
CloudBlades
Version
- AWS Transit Gateway
- Azure vWAN
- Azure vWAN with vION
- ChatBot for MS Teams
- ChatBot for Slack
- CloudBlades Integration with Prisma Access
- GCP NCC
- Service Now
- Zoom QSS
- Zscaler Internet Access
Reference
Release Notes
Version
- ION 5.2
- ION 5.3
- ION 5.4
- ION 5.5
- ION 5.6
- ION 6.0
- ION 6.1
- ION 6.2
- ION 6.3
- ION 6.4
- New Features Guide
- On-Premises Controller
- Prisma Access CloudBlade Cloud Managed
- Prisma Access CloudBlade Panorama Managed
- Prisma SD-WAN CloudBlades

Destination NAT

ALG Disable

Static NAT

Learn more about the Prisma SD-WAN static NAT.

Where Can I Use This?	What Do I Need?
Prisma SD-WAN	Active Prisma SD-WAN license

Prisma SD-WAN provides scenarios that require a 1:1 mapping of a range of IP addresses to another range of IP addresses.

Scenarios include direct mapping of a publicly routable range of IP addresses to RFC 1918 addresses. For example, they translate 50.50.50.16-31 to 10.10.10.16-31 in a 1:1 manner where traffic would translate to 50.50.50.20 to 10.10.10.20 and vice versa across the entire IP range.

Another common scenario would be when IP prefix overlap occurs due to a company merger. In this situation, it would also translate the IP addresses bound to the hosts in a 1:1 manner from one RFC 1918 range to another RFC 1918m range.

In this example, application requirements specify that each internal server must have a unique internet IP address. Each server must initiate connections on ephemeral ports and receive inbound links on the same persistent IP address on port 443. To enable this most efficiently, use static source NAT and static destination NAT.

Case: Inbound connection from the Internet

Fields	Description
1	A new flow source from Host 1 with a source address of 70.70.70.70 and a destination address of 50.50.50.20.
2	A packet arrives at the ION device's internet interface. Perform a policy lookup and the traffic on the LAN segment.
3	Place the packet onto the LAN segment; it matches against the recently created NAT Policy Rule. This rule contains the following configuration: Source Zone Rule: NAT Zone Internet The NAT Zone internet is bound to the interface. Match Criteria: Protocol: TCP (leave blank for any protocol) Source Prefix: Any Source Port Range: Any: Any (blank) Destination Prefix: Internet-Services This is a local prefix filter, and the entry for this site is 50.50.50.16/28 Destination Port Range: 443:443 (leave blank if all ports are allowed) The ION device sends GARP messages and responds to ARP requests for 50.50.50.2. Action: Static Destination NAT NAT Pool: LAN-Services The NAT Pool LAN-Services is defined as 10.10.10.16 - 10.10.10.31 on the branch ION device. It can be configured through the NAT Policy UI or directly on the interface configuration of the device. NAT Pools are in contiguous ranges. As the policy applies to the packet, the original destination address of 50.50.50.20 overwrites by the address defined in the NAT Pool LAN-Services. In this example the original packet: (s) 70.70.70.70:12345: (d) 50.50.50.20:443. Is rewritten to: (s) 70.70.70.70:12345: (d) 10.10.10.20:443.
4	Traffic arrives on the LAN at the server hosting inbound services from the internet.
5	Sends the return traffic to the destination of 70.70.70.70:12345.
6	Traffic arrives at the ION device's LAN interface, where a translation table check is performed on the flow to ensure that there is an active connection.
7	Establish the traffic onto the LAN segment, the source IP address is rewritten from 10.10.10.10:443 to 50.50.50.2:443.

Case: Outbound Connection from the Local Server to an Internet Service

Fields	Description
5	A new flow source from Server 1 with a source address of 10.10.10.20 and a destination address of 70.70.70.80.
6	A packet arrives at the ION device's internet interface. Perform a policy lookup and the traffic on the LAN segment.
7	Place the packet onto the internet segment; it matches against the recently created NAT Policy Rule. This rule contains the following configuration: Destination Zone Rule: NAT Zone Internet The NAT Zone internet is bound to the interface. Match Criteria: Protocol: Any: Any (blank) Source Prefix: LAN-Services-Prefix This is a local prefix filter, and the entry for this site is 10.10.10.16/28 Source Port Range: Any: Any (blank) Destination Prefix: Any: Any (blank) Action: Static Destination NAT NAT Pool: Internet-Services The NAT Pool Internet-Services is defined as 50.50.50.50.16 - 50.50.50.50.31 on the branch ION device. The ION device sends GARP messages and responds to ARP requests for 50.50.50.16/28. NAT Pools can be configured through the NAT Policy UI or directly on the interface configuration and defined in contiguous ranges. As the policy applies to the packet, the original source address of 10.10.10.20 overwrites by the address defined in the NAT Pool Internet-Services. In this example the original packet: (s) 10.10.10.20:12345: (d) 70.70.70.80:443. Is rewritten to: (s) 50.50.50.20:12345: (d) 70.70.70.80:443.
8	Traffic crosses the internet and arrives at the destination server 70.70.70.80. Return traffic processes in the reverse order, and the ION device references the original outbound connection previously opened with the Static Source NAT action.

Destination NAT

ALG Disable

Prisma SD-WAN Docs

Static NAT

Prisma SD-WAN Docs

Static NAT

Activation & Onboarding

SASE

Visibility & Monitoring

Hardware Reference

Hardware Quick Start Guides

Virtual ION Deployment

Prisma SD-WAN Integration

Prisma SD-WAN Experts Corner

Best Practices