Understanding NAT on Palo Alto Networks Firewalls

Network Address Translation (NAT) is a fundamental technology used to modify network address information (IP addresses and sometimes ports) in packet headers as they transit through a routing device, like a Palo Alto Networks firewall. This is essential for conserving public IP addresses, hiding internal network structures, and enabling communication between networks with overlapping addresses.

A key concept on Palo Alto firewalls is the separation of NAT policy and Security policy. NAT rules determine *if and how* addresses/ports are translated, while Security rules determine *if traffic is allowed* based on zones, addresses, ports, applications, and users.

NAT Policies are configured under: Policies > NAT

Source NAT (SNAT)

Purpose

Source NAT modifies the source IP address (and often the source port) of packets, typically as they leave a private network and enter a public network (like the internet). Its primary goal is to allow many internal (private IP) devices to share a single or a few public IP addresses for outbound communication.

Common Use Case

Allowing users on an internal network (e.g., 192.168.1.0/24) to browse the internet using the firewall's external (public) IP address.

Packet Flow Example (Outbound Internet Access)

The firewall records the translation of 192.168.1.50:51000 to 203.0.113.10:61000 in its session table, so return traffic from 8.8.8.8 to 203.0.113.10:61000 can be translated back to 192.168.1.50:51000.

Configuration Elements

Typically involves specifying the original source zone/address and the desired translated source (e.g., interface address, specific IP, dynamic IP pool).

Destination NAT (DNAT)

Purpose

Destination NAT modifies the destination IP address (and often the destination port) of packets, typically as they arrive from a public network destined for a service hosted on a private network. It allows external clients to reach internal servers using a public IP address.

Common Use Case

Making an internal web server (e.g., 10.1.1.100) accessible from the internet via the firewall's public IP address (e.g., 203.0.113.10) on port 80/443.

Packet Flow Example (External Access to Internal Web Server)

Return traffic from 10.1.1.100 back to 198.51.100.5 will have its source IP translated back to 203.0.113.10 by the firewall.
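The two packet flows above (outbound SNAT and inbound DNAT) both rely on the session table for reverse translation. The following is an added example, not code from the page or from PAN-OS: a minimal session-table model keyed on the 5-tuple of each direction. The page's addresses and ports are used; the external client's source port 40000 and the protocols are constructed.

```python
# Session table: flow key (proto, src_ip, src_port, dst_ip, dst_port) -> session.
# Each session is stored under both its client-to-server (c2s) key and the
# server-to-client (s2c) key, which is how the return packet appears on the wire.
SESSIONS = {}

def install(proto, src, sport, dst, dport, xsrc=None, xsport=None, xdst=None, xdport=None):
    """Create a session once NAT policy has chosen the translation for a new c2s packet."""
    c2s = (proto, src, sport, dst, dport)
    # Post-NAT form of the c2s packet; None fields stay untranslated.
    nat = (proto, xsrc or src, xsport or sport, xdst or dst, xdport or dport)
    # The reply is addressed to the translated source, so the s2c key is the
    # reverse of the translated flow, not of the original one.
    s2c = (proto, nat[3], nat[4], nat[1], nat[2])
    sess = {"c2s": c2s, "nat": nat, "s2c": s2c}
    SESSIONS[c2s] = sess
    SESSIONS[s2c] = sess
    return sess

def translate(proto, src, sport, dst, dport):
    """Translate a packet in either direction; None means no session (stateful drop)."""
    key = (proto, src, sport, dst, dport)
    sess = SESSIONS.get(key)
    if sess is None:
        return None
    if key == sess["c2s"]:
        return sess["nat"]
    # Return direction: undo the translation by reversing the original c2s flow.
    p, osrc, osport, odst, odport = sess["c2s"]
    return (p, odst, odport, osrc, osport)

def build_sessions():
    """Install the page's two example flows (constructed ports 53 and 40000)."""
    SESSIONS.clear()
    # SNAT: 192.168.1.50:51000 -> 8.8.8.8 leaves as 203.0.113.10:61000
    snat = install("udp", "192.168.1.50", 51000, "8.8.8.8", 53,
                   xsrc="203.0.113.10", xsport=61000)
    # DNAT: 198.51.100.5 -> 203.0.113.10:80 is delivered to 10.1.1.100:80
    dnat = install("tcp", "198.51.100.5", 40000, "203.0.113.10", 80, xdst="10.1.1.100")
    return [snat, dnat]
```

A return packet that matches no session returns None, which is the behaviour a stateful firewall shows for unsolicited inbound traffic.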

Configuration Elements

Requires specifying the original destination address/port (public) and the translated destination address/port (private).

U-Turn NAT

Purpose

U-Turn NAT allows a user on an internal network to access another resource on the same or different internal network by using the resource's public IP address (the address external users would use).

Common Use Case

An internal user (192.168.1.50) needs to access the company's internal web server (10.1.1.100) using its public domain name which resolves to the firewall's public IP (203.0.113.10). Without U-Turn NAT, the traffic might hairpin at the firewall and fail, or the firewall might block it because the source and destination are both internal but trying to use an external address.

Mechanism

U-Turn NAT typically requires a combination of NAT rules:

  1. Destination NAT (DNAT): Translates the public destination IP (203.0.113.10) used by the internal client back to the internal server's private IP (10.1.1.100).
  2. Source NAT (SNAT): Translates the internal client's source IP (192.168.1.50) to an IP address that the internal server knows how to route back to (often the firewall's internal interface IP in the server's zone). This prevents the server from sending the reply directly back to the client (which might fail) and forces the return traffic back through the firewall for stateful inspection and reverse NAT.

Correct zone configuration and Security rules are also essential for U-Turn NAT to function.

Configuration Elements

Requires careful crafting of both DNAT and SNAT rules, often matching traffic coming *from* internal zones destined *to* the public IP address.

NAT and Security Policy Interaction

Understanding how NAT and Security policies interact is critical for troubleshooting and correct configuration.

Key Processing Order (Simplified):

  1. Packet Ingress (Interface/Zone determined)
  2. Route Lookup (Initial destination check)
  3. NAT Policy Lookup & Potential Translation (DNAT happens early for ingress, SNAT happens later for egress)
  4. Security Policy Lookup (Crucially, based on results of NAT)
  5. Packet Egress
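The processing order above, modelled as an added Python example that is not from the page or from PAN-OS. It encodes the PAN-OS behaviour that Security rules are matched on pre-NAT addresses but post-NAT zones, and covers all three NAT types on this page. The route table, the zone names trust/dmz/untrust, and the firewall's DMZ interface address 10.1.1.1 used for the U-Turn SNAT are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed topology: an address belongs to the zone of the interface its
# route points to, which is how the firewall picks the destination zone.
ROUTES = {"192.168.1.0/24": "trust", "10.1.1.0/24": "dmz", "0.0.0.0/0": "untrust"}

def zone_of(ip):
    """Longest-prefix route lookup, returning the zone of the matching route."""
    nets = [ip_network(n) for n in ROUTES if ip_address(ip) in ip_network(n)]
    return ROUTES[str(max(nets, key=lambda n: n.prefixlen))]

def in_net(ip, net):
    return ip_address(ip) in ip_network(net)

# NAT rules, first match wins. They match the ORIGINAL packet; "to" is the zone the
# original destination routes to. xsrc/xdst are translated addresses (None = unchanged).
NAT_RULES = [
    # Inbound DNAT: public IP 203.0.113.10 -> web server 10.1.1.100
    dict(frm="untrust", to="untrust", src="0.0.0.0/0", dst="203.0.113.10/32",
         xsrc=None, xdst="10.1.1.100"),
    # U-Turn: internal client using the public IP, plus SNAT to the firewall's
    # DMZ interface address (10.1.1.1, assumed) so the server replies via the firewall
    dict(frm="trust", to="untrust", src="192.168.1.0/24", dst="203.0.113.10/32",
         xsrc="10.1.1.1", xdst="10.1.1.100"),
    # Outbound SNAT to the external interface address
    dict(frm="trust", to="untrust", src="192.168.1.0/24", dst="0.0.0.0/0",
         xsrc="203.0.113.10", xdst=None),
]

# Security rules: matched on PRE-NAT addresses but POST-NAT zones, so the inbound
# rule names the public IP together with the DMZ zone of the translated destination.
SEC_RULES = [
    dict(frm="untrust", to="dmz", dst="203.0.113.10/32", action="allow"),
    dict(frm="trust", to="dmz", dst="203.0.113.10/32", action="allow"),
    dict(frm="trust", to="untrust", dst="0.0.0.0/0", action="allow"),
]

def process(src, dst, src_zone):
    """Run the simplified lookup order; returns (action, xlated_src, xlated_dst, dst_zone)."""
    pre_zone = zone_of(dst)              # step 2: route lookup on the original destination
    xsrc, xdst = src, dst
    for r in NAT_RULES:                  # step 3: NAT lookup on the original packet
        if (r["frm"], r["to"]) == (src_zone, pre_zone) and in_net(src, r["src"]) \
                and in_net(dst, r["dst"]):
            xsrc, xdst = r["xsrc"] or src, r["xdst"] or dst
            break
    post_zone = zone_of(xdst)            # zone the translated destination routes to
    for s in SEC_RULES:                  # step 4: security lookup (pre-NAT dst, post-NAT zone)
        if (s["frm"], s["to"]) == (src_zone, post_zone) and in_net(dst, s["dst"]):
            return s["action"], xsrc, xdst, post_zone
    return "deny", xsrc, xdst, post_zone  # no matching rule: implicit deny
```

Note that an external packet sent directly to the private address 10.1.1.100 is denied, because the Security rule is written for the pre-NAT public address.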

Security Policy for Destination NAT (Inbound Traffic)

Security Policy for Source NAT (Outbound Traffic)

Tying It Together

NAT and Security rules work together: a packet is translated if it matches a NAT rule, and it is forwarded only if a Security rule permits it. If the Security lookup fails (no matching allow rule, or an explicit deny), the traffic is dropped. A flow that matches an allow Security rule but no NAT rule can also fail when translation is required (e.g., private to public).

NAT Concepts Quiz

1. An external user tries to access your company's web server hosted internally at 10.0.0.10. They use the server's public IP address, 203.0.113.50. Which type of NAT policy is required on the Palo Alto firewall to translate the destination IP address?

2. Internal users on the 192.168.10.0/24 network need to browse the internet. The firewall's external interface has the IP address 198.51.100.2. Which type of NAT allows these users to share the firewall's external IP for outbound connections?

3. For the scenario in Question 1 (external user accessing internal server 10.0.0.10 via public IP 203.0.113.50), what Destination Zone and Destination Address should the Security policy use to allow the traffic?

4. For the scenario in Question 2 (internal users 192.168.10.0/24 going to the internet via SNAT using 198.51.100.2), what Source Zone and Source Address should the Security policy generally use to allow this outbound web browsing traffic?

5. An internal user (192.168.5.20 in the Trust zone) attempts to connect to an internal server (10.5.5.30 in the DMZ zone) by using the server's public IP address (203.0.113.80). What type of NAT configuration is specifically needed to handle this internal-to-internal connection via a public IP?

6. What is the primary function of Port Address Translation (PAT), often used in conjunction with Source NAT?

7. In a Palo Alto NAT policy rule, which tab defines the criteria for the *original* packet before translation?

8. You configure a Destination NAT rule to translate incoming traffic destined for public IP 203.0.113.100 on TCP port 80 to internal server 10.10.10.50 on TCP port 8080. What specific type of translation is occurring besides DNAT?

9. When does the Security Policy evaluation occur relative to NAT policy evaluation for an incoming connection requiring Destination NAT?

10. Which Source NAT type would you typically use if you have a small pool of public IP addresses (e.g., 5 addresses) that need to be shared dynamically by a large number of internal clients for outbound internet access?