Palo Alto Static NAT: LAN-DMZ App Zone

Created by Amar Singh in Articles 2 Nov 2024

Secure communication between different network zones is an essential part of the modern, constantly evolving network security landscape. Static NAT on a Palo Alto firewall is one of the core tools used to hide private IP addresses behind a public IP address.

People often get confused while implementing it, so they look for training or freely available resources to validate their configurations.

In this article, we will look at how to configure static NAT on Palo Alto firewalls so that the inside LAN and the DMZ App zone can communicate.

This article shows you how to build these configurations and apply them in your own network environment, which hardens the infrastructure against unauthorized access and keeps your digital assets properly protected.

Palo Alto Static NAT Tasks


1. Basic IP addressing is pre-configured in this scenario.

2. Configure Static NAT on Palo Alto from LAN to DMZ-App Zone.

3. Use the information below:

Case 1. Access the R01 server (in the DMZ-App zone) via 100.0.1.10 (NATed IP) -> 172.17.0.10 (Real-IP). This rule is unidirectional: anyone accessing R01 from any zone reaches it via the NATed IP, but when R01 initiates communication with the DMZ and Trust zones it uses its private IP address.

Case 2. Access the R01 server (in the DMZ-App zone) via 100.0.0.111 (NATed IP) -> 172.18.0.10 (L1-Real-IP). This rule is bidirectional: anyone accessing R01 from any zone reaches it via the NATed IP, and when R01 initiates communication with the DMZ and Trust zones it also uses its NATed IP address.

4. Verify that the implementation is unidirectional and bidirectional.



Configure Static NAT on Palo Alto - Explained

NAT (Network Address Translation) was designed to address the depletion of the IPv4 address space. Since then, NAT has been used not only to conserve available IP addresses but also as a security feature that hides the real IP addresses of hosts while still giving private LAN users access to public addresses.

NAT is also used to solve network design challenges, enabling networks with identical IP subnets to communicate with each other.


Palo Alto Static NAT with PAN-OS

PAN-OS provides a mechanism for translating both source and destination IP addresses. Palo Alto static NAT is configured through NAT rules. These rules form a separate rulebase and are not part of the allow/drop security rules. NAT rules are configured to match on:

● Source and destination zone
● Destination interface (optional)
● Source and destination addresses
● Service

The configurable fields in the NAT rule are as follows.


Multiple NAT rules can be configured on a PAN-OS device. NAT rules are evaluated top-down like security rules. Once a packet matches a NAT rule, any other configured NAT rules are skipped for processing. So, more specific NAT rules must be at the top of the rule list.

When a packet matches the NAT rule the translated addresses are determined. It is very important to note that the IP address/port translation happens only when the packet egresses the firewall. Therefore the NAT rules and security rules always refer to the original IP addresses in the packet (i.e. the pre-NAT addresses).
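As an added example (not code from the article), here is a small Python model of the two cases from the task list evaluated under the rule semantics just described: NAT rules are tried top-down and the first match wins, a bi-directional static source NAT implies the reverse destination NAT, and security policy is matched on the pre-NAT addresses. The zone names, rule names, the 10.1.1.5 Trust host and the policy list are constructed assumptions; the IP addresses are the article's.

```python
from collections import namedtuple
from dataclasses import dataclass

Packet = namedtuple("Packet", "src_zone src dst")  # src/dst are the ORIGINAL (pre-NAT) addresses

@dataclass(frozen=True)
class NatRule:
    name: str
    from_zones: frozenset      # frozenset({"any"}) matches every source zone
    match_src: str = "any"     # original source address to match
    match_dst: str = "any"     # original destination address to match
    translated_dst: str = ""   # destination NAT target (case 1)
    static_src: tuple = ()     # (real, translated) static source NAT (case 2)
    bidirectional: bool = False

def apply_nat(rules, pkt):
    # Top-down, first match wins and later rules are skipped. Returns (rule name, egress packet).
    for r in rules:
        if (("any" in r.from_zones or pkt.src_zone in r.from_zones)
                and r.match_src in ("any", pkt.src) and r.match_dst in ("any", pkt.dst)):
            if r.translated_dst:
                return r.name, pkt._replace(dst=r.translated_dst)
            return r.name, (pkt._replace(src=r.static_src[1]) if r.static_src else pkt)
        # A bi-directional static source NAT implies a reverse destination NAT for the public IP.
        if r.static_src and r.bidirectional and pkt.dst == r.static_src[1]:
            return r.name + " (reverse)", pkt._replace(dst=r.static_src[0])
    return None, pkt

def security_allows(policies, pkt):
    # Security policy is evaluated on the ORIGINAL addresses, never on the translated ones.
    return any(s in ("any", pkt.src) and d in ("any", pkt.dst) for s, d in policies)

# Constructed rulebase for the article's two cases (zone and rule names are assumptions).
RULES = [
    NatRule("DNAT-R01-Case1", frozenset({"any"}), match_dst="100.0.1.10",
            translated_dst="172.17.0.10"),
    NatRule("SNAT-R01-Case2", frozenset({"DMZ-App"}), match_src="172.18.0.10",
            static_src=("172.18.0.10", "100.0.0.111"), bidirectional=True),
]
# Inbound policies name the public (pre-NAT) destination, as the article's reverse policy does.
POLICIES = [("any", "100.0.1.10"), ("any", "100.0.0.111"),
            ("172.17.0.10", "any"), ("172.18.0.10", "any")]

def walk_cases():
    # The article's four flows -> {label: (matched rule, egress src, egress dst, allowed)}.
    flows = [("case1 inbound", Packet("Trust", "10.1.1.5", "100.0.1.10")),
             ("case1 reverse", Packet("DMZ-App", "172.17.0.10", "10.1.1.5")),
             ("case2 inbound", Packet("Trust", "10.1.1.5", "100.0.0.111")),
             ("case2 outbound", Packet("DMZ-App", "172.18.0.10", "10.1.1.5"))]
    return {label: (r, e.src, e.dst, security_allows(POLICIES, pkt))
            for label, pkt in flows for r, e in [apply_nat(RULES, pkt)]}
```

Note that "case1 reverse" matches no NAT rule, so R01 leaves with its private address, while "case2 outbound" is rewritten to the NATed address by the same rule whose implied reverse serves "case2 inbound".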

Address Pools: In PAN-OS, the IP addresses used for address translation (commonly referred to as IP address pools) are configured as address objects. An address object can be a host IP address, an IP address range, or an IP subnet.

Because address objects are used in both security policies and NAT rules, it is recommended to give the objects used as NAT address pools names that identify them as such, for example by starting them with the prefix “NAT-”.


Proxy-ARP for NAT Pools: The address pools are not bound to any interface. If an address pool is in the same subnet as the egress/ingress interface IP address, the firewall will respond to ARP requests received on that interface for the IP addresses in the pool.

If the address pool is not in the same subnet as the egress interface IP address, you should configure the necessary routes on the upstream devices in order to ensure the response traffic after address translation is routed back to the firewall.

Source NAT: PAN-OS supports the following options for source translation:

● Dynamic-ip-and-port
● Dynamic-ip
● Static IP

Dynamic-ip-and-port: This method translates both the source IP address and the source port number to:

● Interface IP address
● IP address
● IP subnet
● Range of IP addresses

Dynamic-ip: This method translates only the source IP address to:

● IP address
● IP subnet, or
● Range of IP addresses

Dynamic IP pool size defines the number of hosts that can be translated. If all the IP addresses in the dynamic IP pool are used, any new connections that require address translation will be dropped. As sessions terminate, and IP addresses in the pool become available, these addresses can be used to translate new connections.

Note: Dynamic-IP does not guarantee IP address reservation by default.
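As an added example (not code from the article), a constructed Python model of a dynamic-ip pool as described above: each active source host holds one translated address, a new host is dropped once the pool is exhausted, and an address freed when a host's last session ends returns to the pool with no reservation for that host. The pool addresses and host addresses are constructed.

```python
class DynamicIpPool:
    # Dynamic-ip translates only the source address: each active host holds one pool IP.
    def __init__(self, addresses):
        self.free = list(addresses)   # constructed pool, e.g. an object named NAT-Pool-Dyn
        self.leases = {}              # real host -> translated IP currently assigned
        self.sessions = {}            # real host -> number of active sessions

    def new_session(self, host):
        # Returns the translated IP, or None when the pool is exhausted (the packet is dropped).
        if host not in self.leases:
            if not self.free:
                return None
            self.leases[host] = self.free.pop(0)
        self.sessions[host] = self.sessions.get(host, 0) + 1
        return self.leases[host]

    def end_session(self, host):
        # When a host's last session ends its IP returns to the pool; no reservation is kept.
        self.sessions[host] -= 1
        if self.sessions[host] == 0:
            self.free.append(self.leases.pop(host))
            del self.sessions[host]

def exhaustion_demo():
    # Two-address pool, three hosts: the third is dropped until an address is released,
    # and the first host gets nothing when it returns because its old IP was handed on.
    pool = DynamicIpPool(["100.0.1.21", "100.0.1.22"])
    first = [pool.new_session(h) for h in ("172.17.0.10", "172.17.0.11", "172.17.0.12")]
    pool.end_session("172.17.0.10")          # host A's only session ends, its IP is freed
    late = pool.new_session("172.17.0.12")   # host C can now be translated (gets A's old IP)
    back = pool.new_session("172.17.0.10")   # host A returns: pool empty again, dropped
    return first, late, back
```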

ROUTER-CONFIGURATION

Let us configure R01 to listen to the IP addresses listed:


SWITCH-CONFIGURATION

Configure a VLAN on the switch for communication between firewall interface eth1/3 and router interfaces eth2/0 and eth2/1. Below is the configuration:


FIREWALL-CONFIGURATION


We will add all the routes on the firewall (case-1 and case-2) in one go. Below is the screenshot of the added routes.


Create Objects:
Objects tab >> Addresses >> Proceed with the objects highlighted in the screenshots.


Now Let’s Create NAT Policy:


The screenshot above lists only the network addresses required to complete case 1.


Now go to Security policy and create a security policy for the NAT rule.


Below is the security policy we configured, which corresponds to task 3 above. Please refer to the screenshot below for reference. With the security policy and the other configuration in place, we can commit the configuration.


Verify your result for case 1; it should look like the successful result below. Try Telnet, SSH, and HTTP yourself against the same IP address.


Case-1 completed.

Create NAT rule for Bi-Directional NAT.

Below is the configuration:


Now let us create the security policies for NAT rules.


Create one security policy for the reverse traffic, but with the NATed IP address as the destination. The easy way is to clone the SNAT-2 rule and change the values. Refer below:


Keep the rest of the attributes in the policy as they are and click OK. Now commit the configuration and verify the result. Below is one test proof.


Case-2 Completed.

How to Learn Palo Alto Firewall

Besides static NAT, the Palo Alto firewall offers several other features, so acquiring knowledge of Palo Alto firewalls is essential for network security professionals. Here’s how you can effectively learn and gain proficiency in Palo Alto firewalls.

UniNets provides an intensive Palo Alto Firewall training program that covers the new and updated controls required in today's rapidly transforming cybersecurity world.

This helps students gain a working knowledge of networks and their security, with specialization in Palo Alto firewalls and their configuration. Gain the complete learning experience and grow your career through practical, hands-on training from experts.

Also, If you want to prepare for certification, utilize PCNSE training videos. These videos are specifically designed to cover all aspects of the Palo Alto Networks Certified Network Security Engineer (PCNSE) exam. 

Gain hands-on experience by using a Palo Alto virtual lab. Virtual labs offer a simulated environment where you can practice what you’ve learned in training and videos. They allow you to configure firewalls, implement security policies, and troubleshoot issues without risking real-world networks.

Amar Singh

Amar Singh is a senior security architect and a certified trainer. He is currently working with a reputed organization based out of India. His accomplishments include CCNA, CCNP Security, CEH, Vmware, Checkpoint and Palo Alto Certifications. He is holding more than 12 years of experience in Network security domain. In his career he has been ...



FAQ

Static NAT (Network Address Translation) links one private IP address to one public IP address, creating a consistent one-to-one match.
Static NAT is used to ensure that specific internal devices are always accessible using a consistent external IP address, enhancing security and connectivity.
To configure Static NAT, go to the "Policies" tab, select "NAT," and create a new rule that specifies the source and destination zones, the original and translated IP addresses, and the appropriate interfaces.
Static NAT ensures that devices in the LAN can consistently communicate with devices in the DMZ with a specific external IP, improving security and simplifying management.
Yes, Static NAT can handle both inbound and outbound traffic, allowing external users to access internal resources and vice versa.
