Palo Alto Networks NAT Policies – IPv4 and IPv6

Overview

Network Address Translation (NAT) in Palo Alto Networks firewalls allows for the translation of IP addresses and ports, facilitating communication between networks with differing addressing schemes. NAT policies are crucial for scenarios such as internet access, server publishing, and overlapping networks.

Types of NAT

• Source NAT (SNAT): Translates the source IP address of outbound traffic, commonly used to allow internal users to access external networks.
• Destination NAT (DNAT): Translates the destination IP address of inbound traffic, typically used for publishing internal servers to external clients.
• Static NAT: Provides a one-to-one mapping between internal and external IP addresses, maintaining consistent address translation.
• Dynamic NAT: Maps internal IP addresses to a pool of external addresses, allowing multiple internal hosts to share a limited number of external IPs.
• Dynamic IP and Port (PAT): Also known as Port Address Translation, it allows multiple internal hosts to share a single external IP address by differentiating sessions using port numbers.
• No NAT: Specifies traffic that should not undergo NAT, useful for internal communications where translation is unnecessary.

Dynamic NAT Pool vs. Interface IP: Port Exhaustion and DIPP Oversubscription

Dynamic NAT Pool: This approach involves defining a pool of public IP addresses that the firewall can use for translating internal (private) IP addresses. Each internal host is mapped to an available public IP address from the pool. This method provides greater scalability and flexibility, especially for environments with a large number of internal hosts requiring external access.

Interface IP: Alternatively, the firewall can use the IP address assigned to its egress interface for NAT translations. This method is simpler to configure but may lead to port exhaustion more quickly, as all translations share a single public IP address.

Port Exhaustion: When multiple internal hosts are translated to a single public IP address (as in the Interface IP method), each unique source IP and port combination must be mapped to a unique combination on the public side. Since there are only 65,536 TCP/UDP ports available, high-volume environments may exhaust available ports, leading to dropped connections.

DIPP Oversubscription: To mitigate port exhaustion, Palo Alto Networks firewalls support Dynamic IP and Port (DIPP) NAT oversubscription. This feature allows the reuse of the same translated IP address and port pair multiple times (e.g., 2x, 4x, or 8x) in concurrent sessions, based on the assumption that the combination of source and destination addresses and ports will remain unique. Oversubscription rates vary by firewall model and can be adjusted to balance between scalability and resource utilization.

For more detailed information, refer to the official documentation on Dynamic IP and Port NAT Oversubscription .

Dynamic IP and Port (DIPP) NAT Oversubscription

Dynamic IP and Port (DIPP) NAT enables the firewall to reuse each translated IP address and port pair multiple times concurrently—specifically 2x, 4x, or 8x—depending on the firewall model. This oversubscription allows for greater scalability, particularly in environments with limited public IP addresses.

The design assumes that internal hosts are connecting to different external destinations, reducing the likelihood of session collisions. For example, with a default limit of 64,000 concurrent sessions, an oversubscription rate of 8x increases the capacity to 512,000 concurrent sessions.

Oversubscription rates are global settings and vary by firewall model. Even if sufficient public IP addresses are available, the default oversubscription rate consumes memory resources. Administrators can adjust the rate to 1x (no oversubscription), 2x, 4x, or 8x to balance between scalability and resource utilization.

The firewall supports a maximum of 256 translated IP addresses per NAT rule. If oversubscription causes this limit to be exceeded, the firewall will automatically reduce the oversubscription ratio to allow the configuration to commit successfully. However, if the total number of translated addresses across all NAT rules exceeds the model's capacity, the commit will fail.

To modify the oversubscription rate:

1. Navigate to Device > Setup > Session > Session Settings .
2. Edit the NAT Oversubscription Rate setting.
3. Select the desired rate: 1x , 2x , 4x , or 8x .
4. Click OK and commit the changes.

For more information, refer to the official documentation on Dynamic IP and Port NAT Oversubscription .

Understanding the 256 Translated IP Addresses Limit per NAT Rule

In Palo Alto Networks firewalls, each NAT (Network Address Translation) rule can reference up to 256 unique translated IP addresses . This means that when configuring a NAT rule, you can specify a maximum of 256 public IP addresses for translating internal (private) IP addresses.

Practical Example:
Suppose your organization has been allocated a block of public IP addresses ranging from 203.0.113.1 to 203.0.113.254 (a /24 subnet). If you want to use these addresses for NAT, you can create a NAT rule that includes this entire range, totaling 254 IP addresses, which is within the 256 IP address limit per rule.

However, if you attempt to include more than 256 IP addresses in a single NAT rule, the firewall will automatically reduce the oversubscription ratio to stay within the limit, allowing the configuration to commit successfully. If the total number of translated addresses across all NAT rules exceeds the firewall model's capacity, the commit operation will fail.

Best Practices:

• Ensure that no single NAT rule references more than 256 translated IP addresses.
• If you need to use more than 256 translated IP addresses, consider creating multiple NAT rules, each handling a subset of the IP address pool.
• Monitor the total number of translated IP addresses used across all NAT rules to stay within the firewall's overall capacity.

For more detailed information, refer to the official documentation on Dynamic IP and Port NAT Oversubscription .

IPv6 NAT Support

• NAT64: Enables communication between IPv6-only clients and IPv4-only servers by translating IPv6 addresses to IPv4 addresses.
• NPTv6 (Network Prefix Translation for IPv6): Translates one IPv6 prefix to another, maintaining the host portion of the address. Useful for scenarios like multi-homing.

NAT Policy Configuration

NAT policies are configured under Policies > NAT in the firewall's web interface. Each NAT rule consists of:

• Original Packet: Defines the matching criteria based on source/destination zones, addresses, and services.
• Translated Packet: Specifies the translation settings for source and/or destination addresses and ports.

It's essential to place more specific NAT rules above more general ones, as the firewall processes rules from top to bottom and applies the first match.

Packet Processing Flow

Understanding the packet processing flow is crucial for configuring NAT and security policies effectively:

1. Ingress: The firewall receives the packet and performs a route lookup to determine the egress interface and zone.
2. NAT Policy Evaluation: The firewall checks if the packet matches any NAT rules based on source and destination zones.
3. Security Policy Evaluation: The firewall evaluates security policies using the original (pre-NAT) source and destination IP addresses but the post-NAT zones.
4. Egress: Upon egress, if a matching NAT rule exists, the firewall translates the source and/or destination IP addresses and ports.

Note: The actual translation of IP addresses and ports occurs only when the packet leaves the firewall. This sequence ensures that security policies are applied correctly based on the intended traffic flow.

Mermaid Sequence Diagram

sequenceDiagram
    participant Client
    participant Firewall
    participant Server

    Client->>Firewall: Send Packet
    activate Firewall
    Firewall->>Firewall: Route Lookup
    Firewall->>Firewall: NAT Policy Evaluation
    Firewall->>Firewall: Security Policy Evaluation
    Firewall->>Firewall: Apply NAT Translation
    Firewall->>Server: Forward Packet
    deactivate Firewall

    

This sequence diagram illustrates the packet processing flow within the Palo Alto Networks firewall, highlighting the stages from packet ingress to egress.

Interaction with Security Policies

Security policies control the traffic flow through the firewall and must be configured to allow the post-NAT traffic. Key considerations include:

• Security policies evaluate the post-NAT zones but use the pre-NAT addresses for matching.
• Ensure that the security policy allows traffic based on the original source and destination addresses, but references the zones after NAT has been applied.

Best Practices

• Use address objects and groups to simplify NAT rule management.
• Regularly audit NAT rules to remove unused or redundant entries.
• Monitor NAT translations to troubleshoot connectivity issues.
• For IPv6 deployments, prefer NPTv6 over NAT66 to maintain end-to-end address transparency.

Additional Resources

• NAT Policy Overview – PAN-OS 11.0
• NAT Policy Rules – PAN-OS 11.0
• NAT64 – PAN-OS 10.2
• NPTv6 Overview – PAN-OS 11.1
• NAT Configuration Examples – PAN-OS 11.0