Cisco ACI and CCNA live online batches are starting from 24th June 2023. Join experts today. Configuring Static Nat Archives - UniNets Blog

Tag Archive Configuring Static Nat

Configure Static NAT on Palo Alto from LAN to DMZ-App Zone


  • This lab has dependency on Lab-3 configuration.
  • Configure Static NAT on Palo-Alto from LAN to DMZ-App Zone.
  • Use below information:

    1. Access R01 (on-DMZ-App zone) server with (NATed IP) à (Real-IP), this rule will be unidirectional in nature i.e. if anyone access it from any zone, it should be accessible via NATed IP, whereas when it wants to communicate with, DMZ and Trust zones, it should use it’s private IP address for communication.

    2. Access R01 (on-DMZ-App zone) server with (NATed IP) à (L1-Real-IP), this rule will be Bidirectional in nature i.e. if anyone access it from any zone, it should be accessible via NATed IP, likewise if this wants to communicate with, DMZ and Trust zones, it should use it’s NATed IP address for communication.

  • Verify that implemented is unidirectional and bidirectional.


NAT (Network address translation) was designed to address the depletion of the IPv4 address space. Since then Network address translation (NAT) is not only used to conserve available IP addresses, but also as a security feature to hide the real IP addresses of hosts, securely providing private LAN users access to the public addresses. NAT is also used to solve network design challenges, enabling networks with identical IP subnets communicate with each other.

NAT with PAN-OS:-

PAN-OS provides a mechanism for translating both the source IP addresses numbers and destination IP addresses numbers. PAN-OS uses rules to configure NAT. These rules are like a separate entities, and not configured as part of the allow/drop security rules. NAT rules are configured to match on:

  • Source and destination zone
  • Destination interface (optional)
  • Source and destination addresses
  • Service

The configurable fields in the NAT rule are as follow

configurable fields in the NAT

Multiple NAT rules can be configured on a PAN-OS device. NAT rules are evaluated top down like security rules. Once a packet matches a NAT rule, any other configured NAT rules are skipped for processing. So, more specific NAT rules must be at the top to the rule list.

When a packet matches the NAT rule the translated addresses are determined. It is very important to note that the IP address/port translation happens only when the packet egresses the firewall. Therefor the NAT rules and security rules always refer to the original IP addresses in the packet (i.e. the pre-NAT addresses).

Address Pools:-In PAN-OS, the IP address (also commonly referred to as IP address pools) used for address translation is configured as an address object. The address object can be a host IP address, IP address range or IP subnet. Because the these address objects are used both in the security policies and NAT rules, it is recommended to use names that identify these address objects specifically used as NAT address pools. For example the names of address objects used in NAT rules begin with prefix “NAT-<name>”.

Nat Pools

Proxy-ARP for NAT Pools:- The address pools are not bound to any interfaces. Address pool in the same subnet as the egress/ingress interface IP address, the firewall will respond to ARP requests received on that interface for the IP addresses implemented in the pool. If the address pool is not in the same subnet as the egress interface IP address, you should configure the necessary routes on the upstream devices in order to ensure the response traffic after address translation is routed back to the firewall.

Source NAT:-PAN-OS supports the following options for source translation:

  • Dynamic-ip-and-port
  • Dynamic-ip
  • Static IP

Dynamic-ip-and-port:-This method allows for translation of the source IP address and port numbers to:

  • Interface IP address
  • IP address
  • IP subnet
  • Range of IP addresses

Dynamic-ip:-This method allows for translation of only the source IP address to:

  • IP address
  • IP subnet, or
  • Range of IP addresses

Dynamic IP pool size defines the number of the hosts that can be translated. If all the IP addresses in the dynamic-ip pool are used, any new connections that require address translation will be dropped. As sessions terminate, and IP addresses in the pool become available, these addresses can be used to translate new connections.

Note: Dynamic-IP does not guarantee IP addresses reservation by default.


Let us configure R01 to listen IP addresses listed:

router configuration

Router is now configured with IP addresses and routing (static route) is in place for reachability. HTTP, HTTPs, telnet and SSHv2 is allowed on router for connection.


Configure VLAN on switch for communication between firewall eth 1/3 with router interfaces eth 2/0, eth 2/1.Below is the configuration:

Switch Configuration


Firewall configuration

Firewall configuration 2

Firewall configuration 3

We will add all the routes on firewall (case-1 and case-2) in one go. Below are the screen shot of the routes added

Firewall Configuration 4

Firewall configuration 5

Create Objects:

Object Tab >> Addresses >>>> Proceed with below objects highlighted in screenshots.

creating objects

Now Let’s Create NAT Policy:

create NAT policy

Above screenshot lists the network addressed required to complete case-1 only

Nat Policy Rule

Now go to Security policy and create security policy for the NAT rule.

security policy

security policy rule

Below is the security policy you configured, which is against number-3. Please refer below screen shot for reference. As the security policy and other configuration is in place, we are good to commit the configuration.

security policy

Verify your result for case-1, it should be like below successful result. Try Telnet, SSH and HTTPs by yourself for same IP address.

verify security policy

Case-1 completed

Case-2:Create NAT rule for Bi-Directional NAT. Below are the configuration:

rule for Bi-Directional NAT

Now let us create the security policies for NAT rules.

security policies for NAT rules

Create one security policy for reverse traffic but destination IP address will be NATed IP address.

Easy way, clone SNAT-2 rule and change the values. Refer below:

security policy for reverse traffic

Keep rest of the attributes in the policy as it is and click on OK. Now we are good to proceed with below steps mentioned. Now commit the configuration and verify the result. Below is one test proof.

verify the result

Case-2 Completed