Palo Alto Networks: NAT policy using dynamic IP and port (PAT in Cisco)

Dynamic NAT translation using IP and port
To allow a single routed interface IP address to be reused for many translations at once, the Layer 4 (port) information is attached to the translated source address.
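As an added illustration (not part of the original post, and not PAN-OS code), the Python sketch below models a dynamic IP and port translation table: several inside hosts leave with 200.1.1.1 and are told apart only by the allocated source port. The inside addresses, the destination and the two-port pool are constructed sample values, and the model is simplified to one translated port per session.

```python
# Added illustration: toy PAT table; addresses and port pool are constructed.
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]                 # (ip, port)
Session = Tuple[str, int, str, int]        # (src_ip, src_port, dst_ip, dst_port)


class PatTable:
    """One public IP shared by many inside hosts, told apart by source port."""
    def __init__(self, public_ip: str, pool=range(1024, 65536)):
        self.public_ip = public_ip
        self.pool = pool
        self.forward: Dict[Session, int] = {}    # session -> translated port
        self.reverse: Dict[int, Endpoint] = {}   # translated port -> inside host

    def translate(self, src_ip, src_port, dst_ip, dst_port) -> Endpoint:
        """Outbound packet: return the (public_ip, port) it leaves with."""
        session = (src_ip, src_port, dst_ip, dst_port)
        if session in self.forward:              # later packets of a known session
            return self.public_ip, self.forward[session]
        for port in self.pool:                   # first free port in the pool
            if port not in self.reverse:
                self.forward[session] = port
                self.reverse[port] = (src_ip, src_port)
                return self.public_ip, port
        raise RuntimeError("PAT port pool exhausted")

    def untranslate(self, public_port: int) -> Optional[Endpoint]:
        """Return packet: map the public port back, or None if unsolicited."""
        return self.reverse.get(public_port)


def demo() -> dict:
    nat = PatTable("200.1.1.1", pool=range(1024, 1026))   # only two ports
    out = {
        "host_a": nat.translate("10.0.0.10", 50000, "198.51.100.7", 443),
        "host_b": nat.translate("10.0.0.11", 50000, "198.51.100.7", 443),
        "reply_to_b": nat.untranslate(1025),
        "unsolicited": nat.untranslate(4444),
    }
    try:                                         # a third session finds no free port
        nat.translate("10.0.0.12", 50000, "198.51.100.7", 443)
    except RuntimeError as exc:
        out["third_host"] = str(exc)
    return out


if __name__ == "__main__":
    print(demo())
```

Both inside hosts use the same source port 50000, yet the table keeps them apart by the translated port, and a packet arriving on a port with no mapping has nowhere to go.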

This is easy to do in the web interface. In the CLI, however, the right hierarchy is quite hard to find: NAT lives under the rulebase hierarchy.

How to configure dynamic port NAT

admin@PA-5050> configure
Entering configuration mode
[edit]
admin@PA-5050# edit rulebase nat
[edit rulebase nat]
admin@PA-5050# set rules trust-to-untrust description "Dynamic PAT"

[edit rulebase nat]
admin@PA-5050# set rules trust-to-untrust from trust to untrust destination any service any source any source-translation dynamic-ip-and-port interface-address interface ethernet1/1 ip 200.1.1.1/30

[edit rulebase nat]
admin@PA-5050# commit


....55%99%.....100%
Configuration committed successfully
Interface ethernet1/1 has no virtual-router configuration.
Interface ethernet1/2 has no virtual-router configuration.

[edit rulebase nat]
admin@PA-5050#

Set up a virtual router to route packets
To create a static default route, first create a virtual router. Treat the virtual router like a router process: you need to add the interfaces that it should use. The virtual router is located under the network hierarchy.

[edit rulebase nat]
admin@PA-5050# top
[edit]
admin@PA-5050# set network virtual-router static-route interface ethernet1/1

[edit]
admin@PA-5050# set network virtual-router static-route interface ethernet1/2

Note that static-route is the name I defined for the virtual router; there is also a default profile which you can use if you want.

Define the default routes with the static-route profile.

admin@PA-5050# set network virtual-router static-route routing-table ip static-route static-default-route interface ethernet1/1 nexthop ip-address 200.1.1.2

admin@PA-5050# commit


....55%99%.....100%
Configuration committed successfully

[edit]
admin@PA-5050#

Note that static-default-route is the routing-table profile I created; you can choose any name you want.


2 thoughts on “Palo Alto Networks: NAT policy using dynamic IP and port (PAT in Cisco)”

  1. For people who are reading this, this article is out of date. You only use command line for troubleshooting Palo Alto problems, this is the command which you may use frequently show global counter | match drop, this is because PA user interface does not show drop traffic due to asymmetric route. You rarely need to use command line in PA, command line is a thing of the past from the old school Cisco’s fan club… modern network equipment and security equipment configurations are structured (could be json or xml), no longer can you use command line and save as a text file and upload to the equipment…. my point is don't waste time to do command line anymore… the time has changed for network engineers…. learn the concept and pick up a scripting language….

    1. Hi, We’re using PA 6.1.17 version and I don’t see any commands related to this. I get only “show global-protectcounter” command. Please assist
      ====
      admin@PA(active-secondary)> show global-protectcounter | match drop

      Invalid syntax.
