PAN-OS NAT Configuration Guide

The document provides an overview of Network Address Translation (NAT) concepts and configurations in Palo Alto Networks' PAN-OS, detailing its purpose in conserving IPv4 addresses and enhancing security. It covers various NAT types, including Source NAT and Destination NAT, along with examples and best practices for implementation. Additionally, it discusses the requirements for software and hardware, the life cycle of a packet through NAT, and the importance of rule ordering in NAT configurations.


Understanding PAN-OS NAT

PAN-OS NAT concepts and examples


06/10/2010

Palo Alto Networks


232 E. Java Dr.
Sunnyvale, CA 94089
408.738.7700
[Link]
Table of Contents
Overview ... 3
Scope ... 3
Design Consideration ... 3
  Software requirement ... 3
  Hardware requirement ... 3
NAT with PAN-OS ... 3
Life of a packet ... 4
Address Pools ... 5
Proxy-ARP for NAT pools ... 5
Source NAT ... 5
  Dynamic-ip-and-port ... 5
  Dynamic-ip ... 5
    Reserving IP address ... 6
  Static-IP ... 6
Destination NAT ... 6
NAT exemptions ... 6
Source NAT examples ... 7
  Case1: Source IP address and port translation ... 7
    Case1a: Using the interface IP for translation ... 7
    Case1b: Using an address object for IP for translation ... 8
  Case2: Source IP address without port translation ... 8
  Case3: Static NAT ... 9
    Case3a: Source IP address translation using Static NAT ... 9
    Case3b: Bi-directional address translation using Static NAT ... 10
Destination NAT examples ... 12
  Case1: Server access for external users ... 12
  Case2: Server access for internal users ... 13
  Case3: Server in the DMZ zone ... 14
Verifying NAT rules ... 15
NAT interaction with application ... 15
Summary ... 16

© 2010 Palo Alto Networks Page 2


Overview
Network Address Translation (NAT) was designed to address the depletion of the IPv4 address space.
Since then NAT has been used not only to conserve available IP addresses, but also as a security
feature that hides the real IP addresses of hosts while still letting private LAN users reach public
addresses. NAT is also sometimes used to solve network design challenges, enabling networks
with identical IP subnets to communicate with each other.

Scope
The purpose of this application note is to explain the Palo Alto Networks PAN-OS NAT architecture
and to provide several common configuration examples. This paper assumes that the reader is
familiar with NAT and how it is used in both service provider and enterprise networks.

Design Consideration
Software requirement
PAN-OS 3.0 and later

Hardware requirement
PA-4060, PA-4050, PA-4020, PA-2050, PA-2020 and PA-500 series of firewalls

NAT with PAN-OS

PAN-OS provides mechanisms for translating both the source IP address/port and the destination IP
address/port. PAN-OS uses rules to configure NAT. These rules are a separate entity and are not
configured as part of the allow/drop security rules. NAT rules are configured to match on:
• Source and destination zone
• Destination interface (optional)
• Source and destination addresses
• Service

The figure below shows the configurable fields in the NAT rule.

Multiple NAT rules can be configured on a PAN-OS device. NAT rules are evaluated in the order
they are configured. Once a packet matches a NAT rule, the remaining NAT rules are skipped;
more specific NAT rules must therefore be placed at the top of the rule list.



Life of a packet
The diagram below captures the packet processing sequence when NAT is involved. For the sake
of simplicity the App-ID, Content-ID and User-ID processing is not shown in the flow chart.

[Flow chart: packet processing sequence with NAT, recovered from the figure as a step list]
1. Packet received.
2. Existing session? Yes: update the session timer and forward. No: continue.
3. Route lookup. No route: drop packet. Route found: egress interface/zone/vsys determined.
4. NAT rule matched? Yes: identify the translated address; if destination NAT is present, do a
   second route lookup for the translated address to determine the egress interface/zone.
   No: continue.
5. Security policy allow? No: drop packet. Yes: create session.


The translated addresses are determined after a packet matches a NAT rule. It is very important
to note that the actual translation of the addresses in the IP packet happens only when the packet
egresses the firewall. Hence NAT rules and security rules always refer to the original IP
addresses in the packet.

Address Pools
In PAN-OS, the IP addresses (commonly referred to as IP address pools) used for address
translation are configured as address objects. An address object can be a host IP address, an IP
subnet or an IP address range. Since address objects are also used in security policies and
NAT rules, it is recommended to use names that identify the address objects specifically used as
NAT address pools, for example by beginning the names of address objects used in NAT rules with
the prefix “NAT-<name>”.

Proxy-ARP for NAT pools

The address pools are not bound to any interface. If the address pool is in the same subnet as the
egress/ingress interface IP address, the firewall will proxy-ARP for the IP addresses configured in
the pool. If the address pool is not in the same subnet as the egress/ingress interface IP address,
a route to the IP addresses in the pool, with the firewall as the next hop, must be added on the
upstream devices.

Source NAT
PAN-OS supports three different options for source translation:
1. Dynamic-ip-and-port
2. Dynamic-ip
3. Static NAT

Dynamic-ip-and-port
This method translates the source IP address and port number to:
1. Interface IP address
2. IP address
3. IP subnet, or
4. Range of IP addresses

Dynamic-ip
This method translates only the source IP address to:
1. IP address
2. IP subnet, or
3. Range of IP addresses
The size of the dynamic-ip pool defines the number of hosts that can be translated. If all the IP
addresses in the dynamic-ip pool are in use, any new connection that requires address
translation is dropped. As sessions terminate and IP addresses in the pool become available,
these addresses can be used to translate new connections. Once all sessions from a host have
terminated, any new connection from that host is translated to the next available IP address.
Dynamic-IP does not guarantee IP address reservation by default.



Reserving IP address

Dynamic-IP pools can be configured to reserve IP addresses for translation. By default IP
reservation is disabled. If reserve-ip is set to yes, reserve-time must also be set, between 1 and
604800 seconds (30 days). If set, dynamic-ip rules reserve the translated IP address for up to
the user-specified reserve-time after all sessions of that original source IP address expire. For
example, if reserve-time is set to 8 hours, when the last session of the original source IP expires,
the translated IP is reserved for another 8 hours. During this time the IP address is “reserved”
for the original source IP address. This means other hosts may be unable to obtain a translated
IP address from the pool even when there are no more sessions in the system, because all translated
IP addresses are reserved. IP reservation is configured from the CLI:
set setting nat reserve-ip <yes/no>
set setting nat reserve-time <1-604800 secs>
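The pool behaviour described in the two sections above (exhaustion, release on session end, and the reserve-ip hold) can be checked against a small model. The following is an added example written for this guide, not PAN-OS code: the hosts, the pool addresses (RFC 5737 documentation ranges) and the integer timestamps are constructed, and the class name DynamicIpPool is an assumption.

```python
"""Model of a PAN-OS dynamic-ip source NAT pool with the reserve-ip option
(added illustration, not PAN-OS code). Hosts, pool addresses and timestamps
are constructed for the example; time is an integer number of seconds."""
from ipaddress import ip_address

MAX_RESERVE_TIME = 604800  # 30 days, the upper bound of 'set setting nat reserve-time'


class DynamicIpPool:
    def __init__(self, addresses, reserve_ip=False, reserve_time=0):
        if reserve_ip and not 1 <= reserve_time <= MAX_RESERVE_TIME:
            raise ValueError("reserve-time must be 1-604800 seconds when reserve-ip is yes")
        self.free = [ip_address(a) for a in addresses]  # translated addresses not in use
        self.mapping = {}          # original source IP -> translated IP
        self.live = {}             # original source IP -> number of open sessions
        self.reserved_until = {}   # original source IP -> time its reservation lapses
        self.reserve_ip, self.reserve_time = reserve_ip, reserve_time

    def _release_expired(self, now):
        for host in [h for h, t in self.reserved_until.items() if now >= t]:
            del self.reserved_until[host]
            self.free.append(self.mapping.pop(host))

    def new_session(self, host, now):
        """Translated address for a new session from host, or None when the
        session must be dropped because no translated address is available."""
        self._release_expired(now)
        if host in self.mapping:                    # live or reserved mapping is reused
            self.reserved_until.pop(host, None)
        elif self.free:
            self.mapping[host] = self.free.pop(0)   # next available address
        else:
            return None                             # pool exhausted: connection dropped
        self.live[host] = self.live.get(host, 0) + 1
        return str(self.mapping[host])

    def end_session(self, host, now):
        self.live[host] -= 1
        if self.live[host]:
            return
        del self.live[host]
        if self.reserve_ip:   # keep the mapping for reserve-time seconds
            self.reserved_until[host] = now + self.reserve_time
        else:                 # no reservation: the address goes straight back to the pool
            self.free.append(self.mapping.pop(host))


def without_reservation():
    pool = DynamicIpPool(["198.51.100.10", "198.51.100.11"])
    h1 = pool.new_session("192.0.2.1", now=0)          # 198.51.100.10
    h2 = pool.new_session("192.0.2.2", now=0)          # 198.51.100.11
    h3_full = pool.new_session("192.0.2.3", now=1)     # None: pool exhausted, dropped
    pool.end_session("192.0.2.1", now=5)
    h3 = pool.new_session("192.0.2.3", now=6)          # gets the freed 198.51.100.10
    pool.end_session("192.0.2.2", now=7)
    h1_again = pool.new_session("192.0.2.1", now=8)    # next available: 198.51.100.11
    return h1, h2, h3_full, h3, h1_again


def with_reservation(reserve_time=8 * 3600):
    pool = DynamicIpPool(["198.51.100.10"], reserve_ip=True, reserve_time=reserve_time)
    h1 = pool.new_session("192.0.2.1", now=0)
    pool.end_session("192.0.2.1", now=10)
    blocked = pool.new_session("192.0.2.2", now=20)                # None: address still reserved
    h1_back = pool.new_session("192.0.2.1", now=30)                # reservation honoured
    pool.end_session("192.0.2.1", now=40)
    after = pool.new_session("192.0.2.2", now=40 + reserve_time)   # reservation lapsed
    return h1, blocked, h1_back, after


if __name__ == "__main__":
    print(without_reservation())   # ('198.51.100.10', '198.51.100.11', None, '198.51.100.10', '198.51.100.11')
    print(with_reservation())      # ('198.51.100.10', None, '198.51.100.10', '198.51.100.10')
```

The second scenario is the trade-off the text warns about: with reserve-ip enabled, a single-address pool stays blocked for other hosts for the whole reserve-time even though no session exists.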

Static-IP
This method of source NAT translates a source IP address, IP range or subnet to another IP
address, range or subnet. Static NAT does not translate port numbers. Static NAT provides a
persistent mapping from each source address to its translated address in the pool. All connections
from source IP addresses outside the range of the static-ip pool traverse the firewall without
translation, unless dropped by a security policy.
Static NAT can also be used for bi-directional address translation by enabling the bi-directional
option in the NAT rule. When the bi-directional option is enabled on a static NAT rule, the destination
IP address of the packet is translated to the real IP address defined in the static NAT rule. For
example, if a NAT rule configured for source NAT using static-ip maps host address A to A1 from
zone z1 to z2, then with the bi-directional setting connections to destination address A1 will be
translated to A for traffic from any zone to zone z1. The bi-directional option creates a NAT rule in
the reverse direction. This rule can only be viewed from the CLI using the operational mode
command “show running nat-policy”.

Note: When the bi-directional option is used, it is best practice to configure security rules that
allow access to the required applications on the static NAT hosts.

Destination NAT
PAN-OS offers destination NAT to translate the destination IP address and/or port number to
another IP address. Destination NAT can also be used to translate connections to one destination IP
address to multiple different hosts. In that case the port number is used as the differentiator to
identify the destination host. This is also commonly referred to as a VIP.

NAT exemptions
Both source NAT and destination NAT rules can be configured with address translation disabled.
This is used in scenarios where NAT has to be disabled for certain hosts in a subnet, or where NAT
is not required for traffic exiting a specific interface.



Source NAT examples

We shall discuss different scenarios where source NAT can be used to translate the source IP
address and/or port numbers. Since security policies always match the original IP addresses in
the IP packet, for the sake of simplicity a generic security policy between zones z1 and z2 is
applied to the device for all NAT configurations used in this document unless otherwise noted.

Case1: Source IP address and port translation

For translating both the source IP address and port numbers, the “dynamic-ip-and-port” type of
translation must be used.

Case1a: Using the interface IP for translation

In this example all traffic from the subnet [Link]/24 is translated to the IP address of interface
e1/1, [Link].

Configuration

In the source translation column of the NAT rule, choose “dynamic-ip-and-port” as the pool and
“interface-address” as the method. From the interface drop-down list choose the interface to be
used for source translation.



Case1b: Using an address object for IP for translation
In this example all traffic from the subnet [Link]/24 is translated to the IP address
[Link].

Configuration:

Create an address object for the IP address [Link]/32. In this example the object “NAT-Pool-
[Link].00-32” is created to be used in the source NAT rule.
In the source translation column of the NAT rule, choose “dynamic-ip-and-port” as the pool and
“translated-address” as the method. From the Addresses Available section choose NAT-Pool-
[Link].00-32 and add it to the selected list.

Case2: Source IP address without port translation

For translating only the source IP address, the “dynamic-ip” type of translation must be used.

In this example all traffic from the subnet [Link]/24 is translated to the IP address
range 172.32.1.10-[Link].

Configuration:

Create an address object for the IP address range [Link]-[Link]. In this example the
object “NAT-Pool-[Link].100-32” is created to be used in the source NAT rule.
In the source translation column of the NAT rule, choose “dynamic-ip” as the pool and “translated-
address” as the method. From the Addresses Available section choose the address “NAT-Pool-
range-[Link]-200”.



Case3: Static NAT
Case3a: Source IP address translation using Static NAT
Static NAT is used for translating a range of IP addresses or a subnet to another address range or IP
subnet. The size of the static NAT pool must be the same as the size of the set of source addresses
to be translated.

In this example, the hosts [Link] through [Link] are subject to static NAT to the addresses
[Link] through [Link].

Configuration:

Create the following address objects:

• IP address range [Link]-[Link]. In this example the object “NAT-Pool-static-
[Link]-25” is created to be used in the source NAT rule.
• IP address range [Link]-[Link]. In this example the object “src-static-nat-hosts” is
created to be used in the source NAT rule.
In the source translation column of the NAT rule, choose “static-ip” as the pool and “translated-
address” as the method. From the Addresses Available section choose the address “NAT-Pool-
static-[Link]-25”. Select “src-static-nat-hosts” as the source address in the source NAT
rule.



With the above configuration, the static NAT mapping shown in the table below is created:

Real IP address    Translated IP address
[Link]             [Link]
[Link]             [Link]
[Link]             [Link]
[Link]             [Link]

Static-ip NAT guarantees a 1-1 mapping of IP addresses. The host [Link] is always
translated to [Link], host [Link] always translates to [Link], and so on.

Case3b: Bi-directional address translation using Static NAT

The tables below show the address mappings used in this scenario. For connections initiated by the
host [Link]:

Original source IP address/port    Translated source IP address/port
[Link]/2020                        [Link]/2020

For connections initiated from zone z2 to the host [Link], whose NAT’ed address is
[Link]:

Original destination IP address/port    Translated destination IP address/port
[Link]/80                               [Link]/80

In this example static NAT is used to translate the source IP address of host [Link] for
connections going out to zone z2, and also to translate the destination IP address of connections
from zone z2 to the host [Link] to [Link].

Configuration:
The following address objects are created:
- Real server: [Link]
- Server: [Link]

NAT rule “rule1”, a static NAT rule, is defined for the host [Link] to [Link].
The bi-directional option is enabled under the static-NAT configuration; any connection to the
destination IP [Link] will be translated to [Link]. NAT rule “rule2” is used for source
translation of all other hosts to the egress interface IP address using “dynamic-ip-and-port”.



In order to enable access to the static NAT host in z1, a security policy from zone z2 to z1 is
required to permit the traffic to reach the host in zone z1.

NAT rule

Security policy

In the above configuration, when using source NAT with both dynamic-ip and static-ip, it is
important to understand the NAT rule matching sequence. With this type of configuration NAT rule2
is a generic rule that shadows rule1. The static NAT rule is the most specific and must be ordered to
match the packet flow before rule2. If the rules were reordered with rule2 above rule1, the
static NAT rule would never be processed and all hosts would be translated to the ethernet1/2
interface IP address.
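The shadowing problem just described, and the first-match evaluation from the "NAT with PAN-OS" section, can be checked mechanically before a rule base is committed. The following is an added example written for this guide, not PAN-OS code: it models a NAT rule as zone/address/service matchers and reports any rule that an earlier rule completely covers. The rule names rule1 and rule2 follow the example above; the zone names, addresses (RFC 5737 ranges) and class/function names are assumptions.

```python
"""Shadow check for an ordered PAN-OS NAT rule base (added illustration, not
PAN-OS code). NAT rules are evaluated top-down and the first match wins, so a
specific static-ip rule placed below a generic dynamic-ip-and-port rule is
never reached. Addresses are constructed (RFC 5737 ranges)."""
from ipaddress import ip_address, ip_network

ANY = "any"


class NatRule:
    def __init__(self, name, from_zone, to_zone, source=ANY, destination=ANY,
                 service=ANY, translation=""):
        self.name = name
        self.from_zone, self.to_zone, self.service = from_zone, to_zone, service
        # 'any' or a network object; a single host is written as a /32
        self.source = ANY if source == ANY else ip_network(source, strict=False)
        self.destination = ANY if destination == ANY else ip_network(destination, strict=False)
        self.translation = translation   # descriptive only, e.g. "static-ip 203.0.113.10"

    def matches(self, from_zone, to_zone, src, dst, service=ANY):
        return (self.from_zone in (ANY, from_zone)
                and self.to_zone in (ANY, to_zone)
                and (self.source == ANY or ip_address(src) in self.source)
                and (self.destination == ANY or ip_address(dst) in self.destination)
                and self.service in (ANY, service))

    def covers(self, other):
        """True when every packet that `other` could match is also matched by this rule."""
        def field_ok(mine, theirs):
            return mine == ANY or mine == theirs

        def net_ok(mine, theirs):
            return mine == ANY or (theirs != ANY and theirs.subnet_of(mine))

        return (field_ok(self.from_zone, other.from_zone)
                and field_ok(self.to_zone, other.to_zone)
                and net_ok(self.source, other.source)
                and net_ok(self.destination, other.destination)
                and field_ok(self.service, other.service))


def first_match(rules, from_zone, to_zone, src, dst, service=ANY):
    """Name of the first NAT rule that matches, mirroring first-match evaluation."""
    for rule in rules:
        if rule.matches(from_zone, to_zone, src, dst, service):
            return rule.name
    return None


def shadowed_rules(rules):
    """(shadowed rule, earlier rule that shadows it) for every unreachable rule."""
    found = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(rule):
                found.append((rule.name, earlier.name))
                break
    return found


# rule1: static-ip for one host; rule2: generic dynamic-ip-and-port for the whole zone pair
RULE1 = NatRule("rule1", "z1", "z2", source="192.0.2.10/32", translation="static-ip 203.0.113.10")
RULE2 = NatRule("rule2", "z1", "z2", translation="dynamic-ip-and-port interface-address")


def check_order(rules):
    """Shadow report plus the rule chosen for a packet from the static NAT host."""
    return shadowed_rules(rules), first_match(rules, "z1", "z2", "192.0.2.10", "198.51.100.1")


if __name__ == "__main__":
    print("rule1 above rule2:", check_order([RULE1, RULE2]))   # ([], 'rule1')
    print("rule2 above rule1:", check_order([RULE2, RULE1]))   # ([('rule1', 'rule2')], 'rule2')
```

The check is conservative: it only flags a rule when an earlier rule's zones, addresses and service are each at least as broad, which is exactly the situation where the later rule can never be hit.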

The command below shows the reverse NAT policy created as a result of using the bi-directional
option.
Note: The reverse NAT policy has a source zone of “any”.



admin@PA-500> show running nat-policy

rule1 {
from z1;
source [Link];
to z2;
to-interface ;
destination any;
proto any;
port any;
translate-to "src: [Link] (static-ip) (pool idx: 0)";
}

rule1 {
from any;
source any;
to z2;
to-interface ;
destination [Link];
proto any;
port any;
translate-to "dst: [Link]";
}
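The 1-1 mapping table from Case3a and the hidden reverse rule shown in the output above can both be derived from one static-ip rule definition. The following is an added example written for this guide, not PAN-OS code. It follows the "show running nat-policy" output above for the reverse rule (source zone any, destination zone equal to the forward rule's "to" zone, destination equal to the translated address); the rule name rule1 and zones z1/z2 come from the example, while the address ranges (RFC 5737) and the class and method names are assumptions.

```python
"""Model of PAN-OS static-ip source NAT with the bi-directional option
(added illustration, not PAN-OS code). Address values are constructed
from RFC 5737 documentation ranges."""
from ipaddress import ip_address, ip_network


def expand(obj):
    """Expand an address object (host, CIDR subnet or 'first-last' range) to an ordered list."""
    if "-" in obj:
        first, last = (ip_address(p.strip()) for p in obj.split("-", 1))
        return [ip_address(n) for n in range(int(first), int(last) + 1)]
    if "/" in obj:
        return list(ip_network(obj, strict=False))
    return [ip_address(obj)]


class StaticNatRule:
    """static-ip source NAT from from_zone to to_zone; ports are never translated."""

    def __init__(self, name, from_zone, to_zone, source_obj, translated_obj, bidirectional=False):
        real, pool = expand(source_obj), expand(translated_obj)
        if len(real) != len(pool):   # the pool must be the same size as the source set
            raise ValueError(f"{name}: pool has {len(pool)} addresses, source has {len(real)}")
        self.name, self.from_zone, self.to_zone = name, from_zone, to_zone
        self.forward = dict(zip(real, pool))          # persistent 1-1 mapping by offset
        # bi-directional: the hidden reverse rule matches from any zone, to to_zone,
        # destination = translated address, and rewrites it back to the real address
        self.reverse = {t: r for r, t in self.forward.items()} if bidirectional else {}

    def mapping_table(self):
        """Rows of (real IP address, translated IP address), like the table in Case3a."""
        return [(str(r), str(t)) for r, t in self.forward.items()]

    def translate_source(self, from_zone, to_zone, src, sport):
        """Forward rule: hosts outside the pool traverse untranslated; the port is unchanged."""
        src = ip_address(src)
        if from_zone == self.from_zone and to_zone == self.to_zone and src in self.forward:
            return str(self.forward[src]), sport
        return str(src), sport

    def translate_destination(self, to_zone, dst, dport):
        """Reverse rule (source zone any): rewrite a translated address to the real host."""
        dst = ip_address(dst)
        if to_zone == self.to_zone and dst in self.reverse:
            return str(self.reverse[dst]), dport
        return str(dst), dport

    def reverse_policy(self):
        """Render the reverse rule entries in the style of 'show running nat-policy'."""
        return [f"{self.name}: from any; to {self.to_zone}; destination {t}; translate-to dst: {r}"
                for t, r in sorted(self.reverse.items())]


RULE1 = StaticNatRule("rule1", "z1", "z2",
                      "192.0.2.10-192.0.2.13", "203.0.113.10-203.0.113.13",
                      bidirectional=True)

if __name__ == "__main__":
    for real, translated in RULE1.mapping_table():
        print(f"{real:<14} -> {translated}")
    print(RULE1.translate_source("z1", "z2", "192.0.2.11", 2020))   # ('203.0.113.11', 2020)
    print(RULE1.translate_destination("z2", "203.0.113.12", 80))    # ('192.0.2.12', 80)
    print("\n".join(RULE1.reverse_policy()))
```

Because the reverse rule matches from any zone, any host that can route to the translated address reaches the real host once a security policy permits it, which is why the note in the Static-IP section asks for application-specific security rules on bi-directional static NAT hosts.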

Destination NAT examples

Case1: Server access for external users

In this example, users from zone z2 access the server [Link] in zone z1 using the IP address
[Link]. Note that hosts in zone z2 access the server by the IP address [Link].

Configuration:



The following address objects are created:
• Webserver: [Link]
• Real-Server: [Link]
A default route on the firewall via interface e1/1 to the upstream router is configured.

Before configuring the NAT rules, let us walk through the sequence of events for this flow:
1. The firewall receives a packet for destination [Link] on interface e1/1.
2. A route lookup establishes that the packet for destination [Link] is to be forwarded out
via interface e1/1. At this point the ingress and egress zones are determined. In this example
both the ingress and egress zones are zone “z2”.
3. NAT rules are evaluated for a match. In this example a destination NAT rule from zone z2 to
zone z2 must be created to translate the destination IP [Link] to [Link].
4. Once the translated address is determined, a second route lookup for destination [Link] is
performed to determine the egress interface, which is e1/2 in zone z1.
5. A policy lookup is performed to see if the traffic is permitted from zone z2 to z1. The
direction of the policy matches the ingress zone and the zone where the server is physically
located. It is also important to note that the security policy refers to the IP addresses in the
original packet, whose destination address is [Link].
6. The packet is forwarded out via egress interface e1/2. The destination address is changed to
[Link] as the packet leaves the firewall.

NAT rule

Security policy

Case2: Server access for internal users

In this example the company web site [Link] is still resolved through public DNS to the
IP address [Link]. However, the server hosting the actual web site is on the same segment
of the firewall as the users. Users still need to be able to access the server using the public IP
address, as their DNS will resolve to the public IP in zone z2.

Configuration:
A destination NAT rule from zone z1 to z2 must be created to translate the destination address of
the WEBSERVER to the real IP address. A security policy is not required since the users and the
WEBSERVER are in the same zone.



Packet flow sequence
1. The firewall receives a packet for destination [Link] on interface e1/2.
2. A route lookup establishes that the packet for destination [Link] is to be forwarded out
via interface e1/1. At this point the ingress and egress zones are determined. In this example
the ingress zone is z1 and the egress zone is zone “z2”.
3. NAT rules are evaluated for a match. In this example a destination NAT rule from zone z1 to
zone z2 must be created to translate the destination IP [Link] to [Link].
4. Once the translated address is determined, a second route lookup for destination [Link] is
performed to determine the egress interface, which is e1/2 in zone z1.
5. Since the ingress and egress interfaces are the same, no security policy is required.
6. The packet is forwarded out via egress interface e1/2. The destination address is changed to
[Link] as the packet leaves the firewall.
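The two packet flow sequences above (external user in Case1, internal user in Case2) are the same pipeline with different ingress zones: NAT and security rules are matched on the original destination, and the second route lookup after destination NAT decides the real egress zone. The following is an added example written for this guide, not PAN-OS code. The interface and zone names (e1/1 in z2, e1/2 in z1) and the NAT rule names follow the examples; the routes, addresses (RFC 5737 ranges) and the Firewall class are assumptions. It also shows the common mistake of writing the security policy against the translated server address.

```python
"""Model of the PAN-OS packet flow for the destination NAT cases above
(added illustration, not PAN-OS code). Routes, addresses and names are
constructed from the examples and RFC 5737 documentation ranges."""
from ipaddress import ip_address, ip_network

ANY = "any"


def covers(field, value):
    """'any', an exact zone name, or a network/host that contains the address."""
    if field == ANY or field == value:
        return True
    try:
        return ip_address(value) in ip_network(field, strict=False)
    except ValueError:          # a zone name compared against an address
        return False


def rule_matches(rule, from_zone, to_zone, src, dst):
    return (covers(rule["from"], from_zone) and covers(rule["to"], to_zone)
            and covers(rule["source"], src) and covers(rule["destination"], dst))


class Firewall:
    def __init__(self, routes, nat_rules, security_rules):
        # routes: (prefix, egress interface, zone); longest prefix wins
        self.routes = sorted(((ip_network(p), i, z) for p, i, z in routes),
                             key=lambda r: r[0].prefixlen, reverse=True)
        self.nat_rules = nat_rules              # ordered, first match wins
        self.security_rules = security_rules    # ordered, first match wins

    def route_lookup(self, dst):
        for prefix, iface, zone in self.routes:
            if ip_address(dst) in prefix:
                return iface, zone
        return None

    def process(self, ingress_zone, src, dst):
        """Decision for a new session; the packet is rewritten only on egress."""
        route = self.route_lookup(dst)                       # 1st lookup: original dst
        if route is None:
            return {"action": "drop", "reason": "no route"}
        egress_if, egress_zone = route
        nat = next((r for r in self.nat_rules
                    if rule_matches(r, ingress_zone, egress_zone, src, dst)), None)
        wire_dst = dst
        if nat and nat.get("translated_destination"):
            wire_dst = nat["translated_destination"]
            route = self.route_lookup(wire_dst)              # 2nd lookup: translated dst
            if route is None:
                return {"action": "drop", "reason": "no route to translated address"}
            egress_if, egress_zone = route
        # Security policy is checked from the ingress zone to the final egress zone on the
        # ORIGINAL addresses. As stated in Case2, same-zone traffic needs no policy here.
        if ingress_zone != egress_zone and not any(
                rule_matches(r, ingress_zone, egress_zone, src, dst) for r in self.security_rules):
            return {"action": "drop", "reason": "no security policy"}
        return {"action": "forward", "nat_rule": nat["name"] if nat else None,
                "egress_interface": egress_if, "egress_zone": egress_zone,
                "destination_on_wire": wire_dst}


def build_firewall(policy_destination="203.0.113.80"):
    """Firewall for the webserver example; policy_destination is what the security rule names."""
    routes = [("192.0.2.0/24", "ethernet1/2", "z1"),        # inside, where the real server is
              ("0.0.0.0/0", "ethernet1/1", "z2")]           # default route to the upstream router
    nat_rules = [
        {"name": "Access to Webserver", "from": "z2", "to": "z2", "source": ANY,
         "destination": "203.0.113.80", "translated_destination": "192.0.2.80"},
        {"name": "Access to Webserver-Internal", "from": "z1", "to": "z2", "source": ANY,
         "destination": "203.0.113.80", "translated_destination": "192.0.2.80"},
    ]
    security_rules = [{"from": "z2", "to": "z1", "source": ANY, "destination": policy_destination}]
    return Firewall(routes, nat_rules, security_rules)


def external_user():   # Case1: z2 user -> public IP
    return build_firewall().process("z2", "198.51.100.5", "203.0.113.80")


def internal_user():   # Case2: z1 user -> public IP, server on the same segment
    return build_firewall().process("z1", "192.0.2.5", "203.0.113.80")


def policy_written_on_translated_address():
    """Common mistake: a security rule naming the real server IP never matches."""
    return build_firewall(policy_destination="192.0.2.80").process("z2", "198.51.100.5", "203.0.113.80")


if __name__ == "__main__":
    print(external_user())                        # forward via ethernet1/2, zone z1, dst 192.0.2.80
    print(internal_user())                        # forward, no policy needed (z1 -> z1)
    print(policy_written_on_translated_address())  # drop: no security policy
```

The last call is the point of step 5 above: because policy is evaluated on the original packet, a rule that permits traffic to the real server address never matches and the session is dropped.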

NAT rule

Case3: Server in the DMZ zone

Configuration:

In this configuration the webserver is in the DMZ zone with the IP address [Link]. Users
access the webserver using the public IP address [Link].
Snapshots of the NAT rules and security rules required to provide access to the webserver using
the public IP address, for both internal and external users, are shown below.



NAT rule

The NAT rule “Access to Webserver” is used for destination NAT for connections from zone z2.
The rule “Access to Webserver-Internal” is used for destination NAT for connections from internal
users in zone z1.

Note: The two NAT rules can be combined into one by setting the source zone to any.

Security rule

Verifying NAT rules

With multiple NAT rules configured on the device, the order of the NAT rules is important for
address translation. NAT rule processing can be verified from the CLI using the operational mode
command test nat-policy-match:

test nat-policy-match <options>

+ destination        destination IP address
+ destination-port   Destination port
+ from               From zone
+ protocol           IP protocol value
+ source             source IP address
+ source-port        Source port
+ to                 To zone
+ to-interface       Egress interface to use

NAT interaction with application

Dynamic-IP address translation works only with TCP- and UDP-based applications.
Traceroute is not supported with dynamic-IP translation.



Summary
PAN-OS rule-based NAT offers a very flexible way of implementing address translation to meet
challenging network requirements while offering increased ease of use. Combined with application
visibility, application control and threat prevention, Palo Alto Networks firewalls offer best-of-breed
security and networking functions.
