Lecture Notes: Configuring and Verifying Destination NAT on Palo Alto Firewall

Introduction

New Interface: Ethernet 1/2 connected to Network 10.30.0.0 with a 24-bit mask.
- Zone: DMZ
- Server Address: 10.30.0.100 (Windows Server running IIS)

Definition: Destination NAT swaps the destination IP address of incoming traffic.
Initial Flow of Traffic:
- Client on the internet connects to a global address (e.g., 23.1.2.100).
- Firewall translates this to the internal server address (10.30.0.100).
Reply Traffic: Returned to original global address after translation.

Setup the Interface:
- Go to Network > Interfaces > Ethernet 1/2.
- Set interface type to Layer 3, associate with the DMZ zone.
- Configure IPv4 address: 10.30.0.19/24.
- Associate management profile for connectivity testing.
Configure Destination NAT Rule:
- Go to Policies > NAT.
- Add Destination NAT Rule:
  - Name: DNAT for Server
  - Original Packet:
    - Source Zone: Outside
    - Destination Address: 23.1.2.100
    - Destination Zone: Outside
    - Destination Interface: Service Provider A (Ethernet 1/4)
    - Translation: Static IP to 10.30.0.100.
Configure Security Policy Rule:
- Go to Policies > Security.
- Add Security Policy:
  - Name: Permit to Server on DMZ
  - Source: Pre-NAT information (Any from Outside)
  - Destination: 23.1.2.100 (Pre-NAT) with Post-NAT Zone as DMZ.
  - Applications Allowed: Ping, SSL, Web Browsing (HTTP).
Commit Configuration:
- Ensure all configurations are correct and commit changes.
- Verify that Ethernet 1/2 is connected to VLAN 30.

Test from Client:
- Client IP: 23.1.2.61 (Linux Computer).
- Ping Test: Ping global address 23.1.2.100 (should respond).
- HTTP Test: Open browser and navigate to 23.1.2.100 (should display IIS default page).

Successfully set up DMZ, destination NAT rule, and necessary security policy.
All tests confirmed traffic flowing correctly from the client to the DMZ server.
Looking forward to future videos on similar topics.