Palo Alto Networks: NAT policy using dynamic IP and port (PAT in Cisco)

Dynamic NAT translation using IP and port
To let a single routed interface IP address be reused for many translations at the same time, layer 4 information (the source port) is attached to the translated source address.

This is easy to do in the web interface; in the CLI, however, the hierarchy is quite hard to find. NAT lives under the rulebase hierarchy.

How to configure dynamic port NAT

admin@PA-5050> configure
Entering configuration mode
[edit]
admin@PA-5050# edit rulebase nat
[edit rulebase nat]
admin@PA-5050# set rules trust-to-untrust description "Dynamic PAT"

[edit rulebase nat]
admin@PA-5050# set rules trust-to-untrust from trust to untrust destination any service any source any source-translation dynamic-ip-and-port interface-address interface ethernet1/1 ip 200.1.1.1/30

[edit rulebase nat]
admin@PA-5050# commit


....55%99%.....100%
Configuration committed successfully
Interface ethernet1/1 has no virtual-router configuration.
Interface ethernet1/2 has no virtual-router configuration.

[edit rulebase nat]
admin@PA-5050#

Setup virtual-router to route packets
Create a static default route by first creating a virtual router. Treat the virtual-router like a router process: you need to add the interfaces that are available to it. The virtual-router is located under the network hierarchy.

[edit rulebase nat]
admin@PA-5050# top
[edit]
admin@PA-5050# set network virtual-router static-route interface ethernet1/1

[edit]
admin@PA-5050# set network virtual-router static-route interface ethernet1/2

Take note that static-route is a name I defined for the virtual-router; there is a default profile which you can use if you want.

Define the default routes with the static-route profile.

admin@PA-5050# set network virtual-router static-route routing-table ip static-route static-default-route interface ethernet1/1 nexthop ip-address 200.1.1.2

admin@PA-5050# commit


....55%99%.....100%
Configuration committed successfully

[edit]
admin@PA-5050#

Take note that static-default-route is the routing-table profile I created; you can use any name you want.
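The whole procedure above, as an added example that is not the author's session, in the order that avoids the commit warnings (interfaces and zones first, then the virtual-router with its interface membership and default route, then the NAT rule), followed by the operational-mode checks used to confirm that the translation and the route are in effect. The 200.1.1.1/30 address, the virtual-router name static-route and the route name static-default-route are the ones the post uses; the trust zone on ethernet1/2, its 10.0.0.1/24 address, the 10.0.0.0/24 inside network and the 10.0.0.10 / 198.51.100.5 test addresses are assumed values constructed for this example.

```text
# Added example, not the post's own session.
# Assumed: ethernet1/1 = untrust (200.1.1.1/30, from the post), ethernet1/2 = trust (10.0.0.1/24, assumed),
# inside hosts in 10.0.0.0/24 (assumed), upstream next hop 200.1.1.2 (from the post).
admin@PA-5050> configure
admin@PA-5050# set network interface ethernet ethernet1/1 layer3 ip 200.1.1.1/30
admin@PA-5050# set network interface ethernet ethernet1/2 layer3 ip 10.0.0.1/24
admin@PA-5050# set zone untrust network layer3 ethernet1/1
admin@PA-5050# set zone trust network layer3 ethernet1/2

# Virtual router before the first commit, so it does not warn that the interfaces have no virtual-router.
admin@PA-5050# set network virtual-router static-route interface [ ethernet1/1 ethernet1/2 ]
admin@PA-5050# set network virtual-router static-route routing-table ip static-route static-default-route destination 0.0.0.0/0 interface ethernet1/1 nexthop ip-address 200.1.1.2

# Dynamic IP and port: hide the assumed 10.0.0.0/24 network behind the ethernet1/1 address.
# Restricting the source to the inside network (instead of "any") keeps the rule from translating
# traffic from zones or addresses it was never meant for.
admin@PA-5050# set rulebase nat rules trust-to-untrust description "Dynamic PAT"
admin@PA-5050# set rulebase nat rules trust-to-untrust from trust to untrust source 10.0.0.0/24 destination any service any to-interface ethernet1/1 source-translation dynamic-ip-and-port interface-address interface ethernet1/1 ip 200.1.1.1/30
admin@PA-5050# commit
admin@PA-5050# exit

# Verification in operational mode (addresses below are the assumed test values)
admin@PA-5050> show running nat-policy
admin@PA-5050> show routing route
admin@PA-5050> test routing fib-lookup virtual-router static-route ip 198.51.100.5
admin@PA-5050> test nat-policy-match from trust to untrust source 10.0.0.10 destination 198.51.100.5 protocol 6 destination-port 443
admin@PA-5050> show session all filter source 10.0.0.10
```

The NAT rule on its own does not permit any traffic: a security policy rule from trust to untrust is still required, and PAN-OS matches security policy on the pre-NAT source address with the post-NAT destination zone, so that rule should reference the 10.0.0.0/24 addresses rather than the translated 200.1.1.1 address. The test nat-policy-match line shows which NAT rule a given flow would hit before any real traffic is sent, and show session all shows the translated source address and port on live sessions.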

This entry was posted in Firewall, Security.