
Lab 6: Static Nat implementation

Lesson 6/10 | Study Time: 60 Min
Task

1.1 Configure only PaloAlto01 as shown in Lab 1 before configuring this Lab 6.

1.2 Create VLAN 172 and VLAN 100 on switch SW01; put interfaces Eth1/1, Eth0/0 and Eth0/1 in access VLAN 172 and interfaces Eth1/2 and Eth0/2 in access VLAN 100.

1.3 On PaloAlto01 assign IP address 172.16.1.1/24 to interface Eth1/1 and IP address 100.0.0.1/24 to interface Eth1/2.

1.4 Create address objects for the DMZ servers and for the dynamically mapped addresses, whose IP address ranges are 172.16.1.10-11 and 200.0.0.10-12 respectively.

1.5 Make sure the internal DMZ servers can communicate with the Internet using the global IP address range 200.0.0.10-12.

1.6 Verify NAT from the DMZ server.


Explanation

Network address translation (NAT) was designed to address the depletion of the IPv4 address space. Since then NAT has been used not only to conserve available IP addresses, but also as a security feature that hides the real IP addresses of hosts while securely giving private LAN users access to public addresses. NAT is also sometimes used to solve network design challenges, enabling networks with identical IP subnets to communicate with each other.

NAT with PAN-OS

PAN-OS provides a mechanism for translating both the source IP address/port number and the destination IP address/port number. PAN-OS uses rules to configure NAT. These rules are separate entities and are not configured as part of the allow/drop security rules. NAT rules are configured to match on:

Source and destination zone

Destination interface (optional)

Source and destination addresses

Service

The configurable fields in the NAT rule are as follows.


There can be multiple NAT rules configured on a PAN-OS device. NAT rules are evaluated top down, like security rules. Once a packet matches a NAT rule, any other NAT rules configured are skipped. Therefore, more specific NAT rules must be placed at the top of the rule list.

The translated addresses are determined after a packet matches the NAT rule. It is very important to note that the IP address and port translation happens only when the packet egresses the firewall. Hence the NAT rules and security rules always refer to the original IP addresses in the packet (i.e. the pre-NAT addresses).

Address Pools:- In PAN-OS, the IP addresses (also commonly referred to as IP address pools) used for address translation are configured as address objects. An address object can be a host IP address, an IP subnet or an IP address range. Because address objects are used both in security policies and in NAT rules, it is recommended to use names that identify the address objects specifically used as NAT address pools. For example, the names of address objects used in NAT rules could begin with the prefix "NAT-<name>".



Proxy-ARP for NAT Pools:- The address pools are not bound to any interface. If the address pool is in the same subnet as the egress/ingress interface IP address, the firewall will respond to ARP requests received on that interface for the IP addresses configured in the pool. If the address pool is not in the same subnet as the egress interface IP address, you must configure the necessary routes on the upstream devices to ensure that the return traffic for translated addresses is routed back to the firewall.

Source NAT:- PAN-OS supports the following options for source translation:


Dynamic-ip-and-port

Dynamic-ip

Static IP


Dynamic-ip-and-port:- This method translates the source IP address and port number to:

Interface IP address

IP address

IP subnet

Range of IP addresses


Dynamic-ip:- This method translates only the source IP address to:

IP address

IP subnet, or

Range of IP addresses


The size of the dynamic-ip pool defines the number of the hosts that can be translated. If all the IP addresses in the dynamic-ip pool are used, any new connections that require address translation will be dropped. As sessions terminate, and IP addresses in the pool become available, these addresses can be used to translate new connections.

Note: Dynamic-IP does not guarantee IP address reservation by default.
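The rule evaluation and dynamic-ip pool behaviour described above, as an added model written for this page (not PAN-OS code and not part of the original lab): rules are matched top-down on the pre-NAT packet, each inside host is lent one pool address while it has sessions, and a new session is dropped when the pool is exhausted. It goes beyond the lab's two DMZ hosts so that pool exhaustion and rule shadowing can be exercised; handing out the lowest free pool address first is an assumption of the model, not documented PAN-OS allocation order.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed model (not PAN-OS code) of the behaviour described above: rules are
# evaluated top-down on the ORIGINAL (pre-NAT) packet, first match wins, and a
# dynamic-ip pool lends each inside host one public address while it has sessions.

def expand(obj):
    """Expand an address object written as 'a.b.c.d-w.x.y.z' or as a single IP."""
    if "-" in obj:
        lo, hi = (int(ipaddress.ip_address(p)) for p in obj.split("-"))
        return [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]
    return [obj]

@dataclass
class NatRule:
    name: str
    from_zone: str
    to_zone: str
    source: list                                # expanded object, or ["any"]
    pool: list                                  # dynamic-ip translated addresses
    in_use: dict = field(default_factory=dict)  # private IP -> [public IP, sessions]

    def matches(self, src_zone, dst_zone, src_ip):
        return (src_zone == self.from_zone and dst_zone == self.to_zone
                and (self.source == ["any"] or src_ip in self.source))

def new_session(rules, src_zone, dst_zone, src_ip):
    """Translated source IP for a new session: unchanged when no rule matches,
    None when the matching rule's pool is exhausted (the session is dropped)."""
    rule = next((r for r in rules if r.matches(src_zone, dst_zone, src_ip)), None)
    if rule is None:
        return src_ip
    if src_ip in rule.in_use:                   # host already holds a pool address
        rule.in_use[src_ip][1] += 1
        return rule.in_use[src_ip][0]
    taken = {e[0] for e in rule.in_use.values()}
    free = [ip for ip in rule.pool if ip not in taken]
    if not free:
        return None
    rule.in_use[src_ip] = [free[0], 1]          # assumption: lowest free address first
    return free[0]

def end_session(rule, src_ip):
    """One session of src_ip ends; at zero sessions its pool address is released."""
    rule.in_use[src_ip][1] -= 1
    if rule.in_use[src_ip][1] == 0:
        del rule.in_use[src_ip]
```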

Configuration

We are going to implement dynamic NAT for the internal DMZ servers, which have IP addresses 172.16.1.10 and 172.16.1.11, and NAT them to the public IP range 200.0.0.10-12. First we have to create four objects to use in the NAT policy, so click on Objects.



Now click on Addresses and then click Add.

Here we gave the name DMZ_server_lan and the IP address range of the internal DMZ servers, 172.16.1.10-172.16.1.11, and then clicked OK.

Now similarly add the other objects.

Here we gave the name dynamic_mapped_IP and the IP address range 200.0.0.10-12.

Here we can see all the objects we created. Now click Commit to push the configuration to the device.



Before going to the NAT configuration, first configure interfaces Ethernet1/1 and Ethernet1/2 with interface type Layer 3 and assign zones and IP addresses; for the IP addresses select the objects we have already created.

The configuration is shown below; don't forget to commit the configuration.



Now we have to create a NAT policy, so click on Policies and then click NAT.



Click Add, give the name Dynamic_NAT, and then click on Original Packet.

Here we selected source zone inside, destination zone outside, the DMZ_server_lan object as the source address and any as the destination, as shown below.



Here we select the NAT type dynamic-ip.



Then we added the translated address Dynamic_IP_pool and clicked OK. Here we can check our rule.



Under the Policies tab click the Security tab and create one policy named policy1 that allows traffic to move from one zone to another, with source any and destination any, as shown below.






We have to create one more policy so that traffic from the outside zone is allowed into the DMZ zone. Now click Commit.



Router R03 configuration, which acts as the ISP:



Router R02 configuration, which acts as DMZ-server2:



Router R01 configuration, which acts as DMZ-server:



Verification:

Here we ping the WAN IP address from dmz-server2.



Here we ping the WAN IP address from dmz-server.



Here we can verify from the firewall that our DMZ server IPs are NATed to the 200.0.0.12 and 200.0.0.11 addresses.