Focus
Focus
Table of Contents

Static NAT

Learn more about the
Prisma SD-WAN
static NAT.
Prisma SD-WAN
provides scenarios that require a 1:1 mapping of a range of IP addresses to another range of IP addresses.
Scenarios include direct mapping of a publicly routable range of IP addresses to RFC 1918 addresses. For example, they translate 50.50.50.16-31 to 10.10.10.16-31 in a 1:1 manner where traffic would translate to 50.50.50.20 to 10.10.10.20 and vice versa across the entire IP range.
Another common scenario would be when IP prefix overlap occurs due to a company merger. In this situation, it would also translate the IP addresses bound to the hosts in a 1:1 manner from one RFC 1918 range to another RFC 1918m range.
In this example, application requirements specify that each internal server must have a unique internet IP address. Each server must initiate connections on ephemeral ports and receive inbound links on the same persistent IP address on port 443. To enable this most efficiently, use static source NAT and static destination NAT.
Case: Inbound connection from the Internet
Fields
Description
1
A new flow source from Host 1 with a source address of 70.70.70.70 and a destination address of 50.50.50.20.
2
A packet arrives at the ION device's internet interface. Perform a policy lookup and the traffic on the LAN segment.
3
Place the packet onto the LAN segment; it matches against the recently created NAT Policy Rule.
This rule contains the following configuration:
  • Source Zone Rule: NAT Zone Internet
    The NAT Zone internet is bound to the interface.
  • Match Criteria:
    • Protocol: TCP (leave blank for any protocol)
    • Source Prefix: Any
    • Source Port Range: Any: Any (blank)
    • Destination Prefix: Internet-Services
      This is a local prefix filter, and the entry for this site is 50.50.50.16/28
    • Destination Port Range: 443:443 (leave blank if all ports are allowed)
      The ION device sends GARP messages and responds to ARP requests for 50.50.50.2.
  • Action: Static Destination NAT
  • NAT Pool: LAN-Services
The NAT Pool LAN-Services is defined as 10.10.10.16 - 10.10.10.31 on the branch ION device. It can be configured through the NAT Policy UI or directly on the interface configuration of the device.
NAT Pools are in contiguous ranges.
As the policy applies to the packet, the original destination address of 50.50.50.20 overwrites by the address defined in the NAT Pool LAN-Services. In this example the original packet: (s) 70.70.70.70:12345: (d) 50.50.50.20:443. Is rewritten to: (s) 70.70.70.70:12345: (d) 10.10.10.20:443.
4
Traffic arrives on the LAN at the server hosting inbound services from the internet.
5
Sends the return traffic to the destination of 70.70.70.70:12345.
6
Traffic arrives at the ION device's LAN interface, where a translation table check is performed on the flow to ensure that there is an active connection.
7
Establish the traffic onto the LAN segment, the source IP address is rewritten from 10.10.10.10:443 to 50.50.50.2:443.
Case: Outbound Connection from the Local Server to an Internet Service
Fields
Description
5
A new flow source from Server 1 with a source address of 10.10.10.20 and a destination address of 70.70.70.80.
6
A packet arrives at the ION device's internet interface. Perform a policy lookup and the traffic on the LAN segment.
7
Place the packet onto the internet segment; it matches against the recently created NAT Policy Rule.
This rule contains the following configuration:
  • Destination Zone Rule: NAT Zone Internet
    The NAT Zone internet is bound to the interface.
  • Match Criteria:
    • Protocol: Any: Any (blank)
    • Source Prefix: LAN-Services-Prefix
      This is a local prefix filter, and the entry for this site is 10.10.10.16/28
    • Source Port Range: Any: Any (blank)
    • Destination Prefix: Any: Any (blank)
  • Action: Static Destination NAT
  • NAT Pool: Internet-Services
The NAT Pool Internet-Services is defined as 50.50.50.50.16 - 50.50.50.50.31 on the branch ION device.
The ION device sends GARP messages and responds to ARP requests for 50.50.50.16/28. NAT Pools can be configured through the NAT Policy UI or directly on the interface configuration and defined in contiguous ranges.
As the policy applies to the packet, the original source address of 10.10.10.20 overwrites by the address defined in the NAT Pool Internet-Services. In this example the original packet: (s) 10.10.10.20:12345: (d) 70.70.70.80:443. Is rewritten to: (s) 50.50.50.20:12345: (d) 70.70.70.80:443.
8
Traffic crosses the internet and arrives at the destination server 70.70.70.80. Return traffic processes in the reverse order, and the ION device references the original outbound connection previously opened with the Static Source NAT action.

Recommended For You