Dynamic NAT translation using IP and port
To let a single routed interface IP address be reused for many translations at the same time, the firewall attaches layer-4 information (the source port) to the translated source address. Palo Alto Networks calls this dynamic IP and port; it is what Cisco calls PAT. Because each session is identified by address and port, a reply is delivered to the inside host that opened it, and an inbound packet that matches no session has nowhere to go and is dropped.
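The following Python model is an added illustration, not code from the original post or from Palo Alto Networks, of why the port has to travel with the translated address: a table keyed on (protocol, inside address, inside port) gives each inside flow its own port on the one public address, reverse-maps replies, returns nothing for inbound packets that match no session (so the caller drops them), and raises when the pool runs dry. The public address, inside hosts and the seven-port pool are constructed values; the allocation strategy (endpoint-independent, keep the inside port when it is free) is a simplification and not a statement about how PAN-OS allocates ports.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Flow = Tuple[str, str, int]        # (proto, inside_ip, inside_port)
Mapped = Tuple[str, int]           # (proto, translated_port)


@dataclass
class PatTable:
    """Simplified PAT table for one translated (public) address.

    Endpoint-independent: an inside (proto, ip, port) always maps to the
    same public port, whatever the destination. Real firewalls may key
    mappings differently; this is a model, not PAN-OS behaviour.
    """
    public_ip: str
    port_lo: int = 1024
    port_hi: int = 65535
    out_map: Dict[Flow, int] = field(default_factory=dict)
    in_map: Dict[Mapped, Tuple[str, int]] = field(default_factory=dict)

    def _allocate_port(self, proto: str, preferred: int) -> int:
        """Keep the inside port if it is free and in range, else take the lowest free one."""
        if self.port_lo <= preferred <= self.port_hi and (proto, preferred) not in self.in_map:
            return preferred
        for port in range(self.port_lo, self.port_hi + 1):
            if (proto, port) not in self.in_map:
                return port
        raise RuntimeError(f"{proto} port pool on {self.public_ip} exhausted")

    def outbound(self, proto: str, src_ip: str, src_port: int) -> Tuple[str, int]:
        """Rewrite an outbound packet's source to (public_ip, translated_port)."""
        key = (proto, src_ip, src_port)
        if key not in self.out_map:
            port = self._allocate_port(proto, src_port)
            self.out_map[key] = port
            self.in_map[(proto, port)] = (src_ip, src_port)
        return self.public_ip, self.out_map[key]

    def inbound(self, proto: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Reverse-map a packet arriving at the public address; None means no session, drop it."""
        return self.in_map.get((proto, dst_port))


def demo() -> dict:
    # Constructed values: one public address and a 7-port pool so exhaustion shows quickly.
    nat = PatTable("188.8.131.52", port_lo=1024, port_hi=1030)
    host_a = nat.outbound("tcp", "10.0.0.10", 5000)
    host_b = nat.outbound("tcp", "10.0.0.11", 5000)        # same inside port, must get a different public port
    host_a_again = nat.outbound("tcp", "10.0.0.10", 5000)  # existing flow keeps its mapping
    reply_to_b = nat.inbound("tcp", host_b[1])             # reply finds its way back to 10.0.0.11
    unsolicited = nat.inbound("tcp", 1030)                 # nobody opened this: no session, dropped
    udp_flow = nat.outbound("udp", "10.0.0.12", 1024)      # pools are per protocol, tcp/1024 being busy is irrelevant
    exhausted = False
    try:
        for i in range(20, 40):
            nat.outbound("tcp", f"10.0.0.{i}", 40000)
    except RuntimeError:
        exhausted = True
    return {
        "host_a": host_a, "host_b": host_b, "host_a_again": host_a_again,
        "reply_to_b": reply_to_b, "unsolicited": unsolicited,
        "udp_flow": udp_flow, "exhausted": exhausted,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the module prints the demo results; the exhaustion case is the one to keep in mind on a busy edge, since a single translated address gives you roughly 64k sessions per protocol and no more.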
This is easy to do in the web interface; in the CLI it is harder to find the right place in the hierarchy. NAT rules live under rulebase nat, which is where the edit command below takes us.
How to configure dynamic port NAT
admin@PA-5050> configure
Entering configuration mode
admin@PA-5050# edit rulebase nat
[edit rulebase nat]
admin@PA-5050# set rules trust-to-untrust description "Dynamic PAT"
[edit rulebase nat]
admin@PA-5050# set rules trust-to-untrust from trust to untrust destination any service any source any source-translation dynamic-ip-and-port interface-address interface ethernet1/1 ip 188.8.131.52/30
[edit rulebase nat]
admin@PA-5050# commit
....55%99%.....100%
Configuration committed successfully
Interface ethernet1/1 has no virtual-router configuration.
Interface ethernet1/2 has no virtual-router configuration.
[edit rulebase nat]
admin@PA-5050#
Set up a virtual router to route packets
The commit warnings above say that neither interface belongs to a virtual router yet, so create the virtual router before the static default route. Treat a virtual router like a routing process: you have to add the interfaces it is allowed to use. The virtual router is configured under network virtual-router, reached from the top of the hierarchy.
[edit rulebase nat]
admin@PA-5050# top
admin@PA-5050# set network virtual-router static-route interface ethernet1/1
admin@PA-5050# set network virtual-router static-route interface ethernet1/2
Take note that static-route is the name I gave this virtual router; there is a default virtual router you can use instead if you prefer.
Define the default route under the virtual router's routing-table ip static-route node.
admin@PA-5050# set network virtual-router static-route routing-table ip static-route static-default-route interface ethernet1/1 nexthop ip-address 184.108.40.206
admin@PA-5050# commit
....55%99%.....100%
Configuration committed successfully
admin@PA-5050#
Take note that static-default-route is the name I gave the static route entry; you can use any name you want. A static route entry also carries a destination prefix, and it is destination 0.0.0.0/0 that makes the entry the default route, so add destination 0.0.0.0/0 to the set command if it is missing from yours. Once the commit goes through, check with show routing route that the default route is active before assuming the NAT rule is working.
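The same two pieces of configuration (the dynamic-ip-and-port NAT rule and the virtual router with its default route) can be pushed as PAN-OS XML API set requests instead of being typed into the CLI. The following Python is an added example, not code from the original post or from Palo Alto Networks. It assumes a single-vsys firewall (device localhost.localdomain, vsys1), that the xpaths mirror the configuration tree the set commands above walk, and it uses FW_HOST and API_KEY placeholders that you must replace. It supplies destination 0.0.0.0/0 for the route, which the CLI line above omits, and sends the API key in the X-PAN-KEY header rather than the URL so it stays out of proxy logs and shell history.

```python
"""Build PAN-OS XML API 'set' requests for a PAT rule and a virtual router."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlencode

FW_HOST = "firewall.example.invalid"    # placeholder: your firewall's management address
API_KEY = "REPLACE-WITH-API-KEY"        # placeholder: obtain one with type=keygen

DEVICE_XPATH = "/config/devices/entry[@name='localhost.localdomain']"
VSYS_XPATH = DEVICE_XPATH + "/vsys/entry[@name='vsys1']"


def _members(tag: str, values: List[str]) -> ET.Element:
    """<tag><member>v</member>...</tag>, the shape list-valued nodes take in the schema."""
    node = ET.Element(tag)
    for value in values:
        ET.SubElement(node, "member").text = value
    return node


def _serialise(children: List[ET.Element]) -> str:
    """The API 'element' parameter is the body of the entry, without the entry tag itself."""
    return "".join(ET.tostring(child, encoding="unicode") for child in children)


def nat_rule(name: str, from_zone: str, to_zone: str, interface: str, ip: str,
             description: Optional[str] = None) -> Tuple[str, str]:
    """Dynamic-IP-and-port source NAT using the egress interface's own address."""
    xpath = f"{VSYS_XPATH}/rulebase/nat/rules/entry[@name='{name}']"
    service = ET.Element("service")
    service.text = "any"
    translation = ET.Element("source-translation")
    addr = ET.SubElement(ET.SubElement(translation, "dynamic-ip-and-port"), "interface-address")
    ET.SubElement(addr, "interface").text = interface
    ET.SubElement(addr, "ip").text = ip
    children = [_members("from", [from_zone]), _members("to", [to_zone]),
                _members("source", ["any"]), _members("destination", ["any"]),
                service, translation]
    if description:
        desc = ET.Element("description")
        desc.text = description
        children.append(desc)
    return xpath, _serialise(children)


def virtual_router(name: str, interfaces: List[str], route_name: str, route_interface: str,
                   nexthop: str, destination: str = "0.0.0.0/0") -> Tuple[str, str]:
    """Virtual router owning the listed interfaces, plus one static route (default by default)."""
    xpath = f"{DEVICE_XPATH}/network/virtual-router/entry[@name='{name}']"
    table = ET.Element("routing-table")
    route = ET.SubElement(ET.SubElement(ET.SubElement(table, "ip"), "static-route"),
                          "entry", name=route_name)
    ET.SubElement(route, "destination").text = destination   # 0.0.0.0/0 makes it the default route
    ET.SubElement(route, "interface").text = route_interface
    ET.SubElement(ET.SubElement(route, "nexthop"), "ip-address").text = nexthop
    return xpath, _serialise([_members("interface", interfaces), table])


def set_request(xpath: str, element: str, host: str = FW_HOST) -> str:
    """URL for a configuration 'set' call; the key is deliberately not part of the URL."""
    query = urlencode({"type": "config", "action": "set", "xpath": xpath, "element": element})
    return f"https://{host}/api/?{query}"


def commit_request(host: str = FW_HOST) -> str:
    return f"https://{host}/api/?" + urlencode({"type": "commit", "cmd": "<commit></commit>"})


def auth_headers(key: str = API_KEY) -> Dict[str, str]:
    # X-PAN-KEY carries the key in a header, keeping it out of URLs and logs.
    return {"X-PAN-KEY": key}


def element_text(element: str, path: str) -> Optional[str]:
    """Inspect a built element: text of the node at an ElementTree path inside it."""
    node = ET.fromstring(f"<entry>{element}</entry>").find(path)
    return None if node is None else node.text


def build_plan(host: str = FW_HOST) -> List[str]:
    """The three requests that reproduce the post's configuration, in order."""
    nat_xpath, nat_el = nat_rule("trust-to-untrust", "trust", "untrust",
                                 "ethernet1/1", "188.8.131.52/30", "Dynamic PAT")
    vr_xpath, vr_el = virtual_router("static-route", ["ethernet1/1", "ethernet1/2"],
                                     "static-default-route", "ethernet1/1", "184.108.40.206")
    return [set_request(nat_xpath, nat_el, host), set_request(vr_xpath, vr_el, host),
            commit_request(host)]


if __name__ == "__main__":
    for url in build_plan():
        print(url)
```

Send each URL with a GET carrying auth_headers(), over a TLS connection whose certificate you actually verify; the virtual-router request should go before the commit so the same warning seen in the CLI transcript does not reappear.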
2 thoughts on “Palo Alto Networks: NAT policy using dynamic IP and port (PAT in Cisco)”
For people who are reading this, this article is out of date. You only use the command line for troubleshooting Palo Alto problems; this is the command you may use frequently: show global counter | match drop. This is because the PA user interface does not show traffic dropped due to asymmetric routing. You rarely need to use the command line in PA; the command line is a thing of the past from the old-school Cisco fan club... Modern network equipment and security equipment configurations are structured (could be JSON or XML); no longer can you use the command line, save as a text file and upload it to the equipment... My point is, don't waste time on the command line anymore... The times have changed for network engineers... Learn the concepts and pick up a scripting language...
Hi, we're using PA version 6.1.17 and I don't see any commands related to this. I only get the "show global-protectcounter" command. Please assist:
admin@PA(active-secondary)> show global-protectcounter | match drop