Source NAT Translation Types and Typical Use Cases

Overview
Below are the available source address translation types and the typical use case for each:

Dynamic IP And Port

For a given source IP address, the Palo Alto Networks firewall will translate the source IP address or range to
a single IP address. The mapping is based on source port, so multiple source IPs can share a single translated
address until the source ports have been exhausted. This is typical when you have only a single public IP
address that must be shared among many private IP addresses. It is common to choose the IP address assigned
to the interface connecting to your ISP:

To add more IP addresses to the outbound pool, change the address type to 'Translated Address' and add
valid public IPs to the list. The firewall will load balance across the address pool based on each session.

Generated on 2015-03-22-07:00

Use the following CLI command to check the NAT pool utilization:
> show running global-ippool

Dynamic IP
For a given source IP address, the firewall will translate the source IP to an IP in the pool or range defined.
The mapping is not port based, which makes this a one-to-one mapping for as long as the session lasts. Each
concurrent session will use an address from the pool, making it unavailable to other source IPs. Be aware
when using this option that the translated pool of addresses can be exhausted if the number of internal
hosts concurrently creating outbound sessions exceeds the number of IP addresses in the dynamic pool. This
option would be used when there is more than one public IP from the ISP, but not enough to allocate one to
each internal host on the network, and you only want to assign them to outbound hosts as needed. It is common
to assign a range of IP addresses to the dynamic pool:


To view the current NAT pool mappings for a given NAT policy run the following CLI command:
> show running nat-rule-ippool rule <NAT rule name>

Static IP
This translation type can be used to translate a single source address to a specific public address. It is
typically used when you need to expose a server (e-mail, web or any other application) externally using a
translated address that will not change.

Selecting 'Yes' for Bi-directional will create the mapping in both directions based on the source\destination
zones that are specified. If 'Bi-directional' is set to 'No', then the mapping will only be created in the
direction of the specified source\destination zones. Static NAT policies used for publicly exposed servers usually
have 'Bi-directional' set to 'Yes', so the outbound traffic from the server uses the same address used for
inbound traffic, as shown below:


The Static IP mapping type can also be used to translate an entire address range to a specific address range.
This is again a one-to-one mapping: the number of source IPs covered by the policy must exactly match the
size of the translated range. It is typically used to resolve overlapping IP ranges when merging networks. The
policy below will translate every source address in the 10.20.1.x range that is destined for the Corp zone to
the matching address in the 10.30.1.x range:
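The following is an added model (not PAN-OS code and not part of the original article) of the three
translation types described above: Dynamic IP And Port, Dynamic IP and Static IP. It shows why the port-based
type lets many sources share one address, how the Dynamic IP pool is exhausted once concurrent sources
outnumber pool addresses, and why a Static IP range-to-range rule must have ranges of equal size. All
addresses are constructed samples (203.0.113.x and 198.51.100.x are RFC 5737 documentation ranges); the
page's 10.20.1.x to 10.30.1.x example is assumed to be two /24 networks, and the port-based type is modelled
with a single translated address rather than a pool.

```python
"""Toy model of PAN-OS source NAT types (added example, not firewall code)."""
from ipaddress import ip_address, ip_network


class PoolExhausted(Exception):
    """No free translated address (or port) for a new session."""


class DynamicIpAndPort:
    """Many sources share one translated IP; each session gets its own translated
    source port, so capacity is bounded by the port range, not the address count."""

    def __init__(self, translated_ip, port_range=(1024, 65535)):
        self.ip = ip_address(translated_ip)  # constructed sample address in tests
        self.free_ports = list(range(port_range[0], port_range[1] + 1))
        self.sessions = {}  # (src_ip, src_port) -> (translated_ip, translated_port)

    def translate(self, src_ip, src_port):
        key = (ip_address(src_ip), src_port)
        if key in self.sessions:  # an existing session keeps its mapping
            return self.sessions[key]
        if not self.free_ports:
            raise PoolExhausted(f"all source ports on {self.ip} are in use")
        self.sessions[key] = (self.ip, self.free_ports.pop(0))
        return self.sessions[key]

    def release(self, src_ip, src_port):
        """Session ended: hand the translated port back to the pool."""
        _, port = self.sessions.pop((ip_address(src_ip), src_port))
        self.free_ports.append(port)


class DynamicIp:
    """Each active source holds one whole pool address (no port rewrite), so the
    pool is exhausted once concurrent sources outnumber the pool addresses."""

    def __init__(self, pool):
        self.free = [ip_address(a) for a in pool]
        self.total = len(self.free)
        self.sessions = {}  # src_ip -> translated_ip

    def translate(self, src_ip):
        src = ip_address(src_ip)
        if src in self.sessions:
            return self.sessions[src]
        if not self.free:
            raise PoolExhausted(f"dynamic pool of {self.total} addresses exhausted")
        self.sessions[src] = self.free.pop(0)
        return self.sessions[src]

    def release(self, src_ip):
        self.free.append(self.sessions.pop(ip_address(src_ip)))

    def utilization(self):
        """(in_use, total): the figures a pool-utilization check would report."""
        return len(self.sessions), self.total


class StaticIp:
    """Fixed one-to-one mapping; a range maps to a range of exactly equal size.
    'bidirectional' decides whether the reverse (inbound) mapping exists."""

    def __init__(self, source_net, translated_net, bidirectional=True):
        self.src = ip_network(source_net)
        self.dst = ip_network(translated_net)
        if self.src.num_addresses != self.dst.num_addresses:
            raise ValueError("source and translated ranges must be the same size")
        self.bidirectional = bidirectional

    def translate(self, src_ip):
        src = ip_address(src_ip)
        if src not in self.src:
            raise ValueError(f"{src} is outside {self.src}")
        # Same offset inside the translated range: 10.20.1.77 -> 10.30.1.77
        return self.dst.network_address + (int(src) - int(self.src.network_address))

    def reverse(self, translated_ip):
        """Inbound direction; only present when the rule is bidirectional."""
        if not self.bidirectional:
            raise ValueError("no inbound mapping: rule is not bidirectional")
        dst = ip_address(translated_ip)
        if dst not in self.dst:
            raise ValueError(f"{dst} is outside {self.dst}")
        return self.src.network_address + (int(dst) - int(self.dst.network_address))


if __name__ == "__main__":
    pool = DynamicIp(["198.51.100.10", "198.51.100.11"])  # constructed 2-address pool
    for host in ("10.1.1.10", "10.1.1.11", "10.1.1.12"):
        try:
            print(host, "->", pool.translate(host), "utilization", pool.utilization())
        except PoolExhausted as exc:
            print(host, "-> FAILED:", exc)
```

The third host in the `__main__` run fails, which is the exhaustion case the Dynamic IP section warns about; the same three hosts would all succeed through `DynamicIpAndPort` because each only consumes a port.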

owner: jteetsel
