Destination NAT Configuration on Palo Alto Firewall

May 14, 2025

Configuring and Verifying Destination NAT on Palo Alto Firewall

Overview

  • The lecture focuses on configuring and verifying Destination NAT (Network Address Translation) on a Palo Alto firewall.
  • Builds upon existing configurations in the 0-60 playlist.

Network Setup

  • Interface Configuration:
    • Use interface Ethernet 1/2 to connect to the 10.30.0.0 network (24-bit mask).
    • Associate the interface with the DMZ Zone.
    • Configure a Windows Server at 10.30.0.100 running IIS for web services.

Concept of Destination NAT

  • Destination NAT: rewrites the destination IP address of the initial (client-to-server) traffic flow.
    • Example:
      • A client on the internet connects to a server in the DMZ using a global address (e.g., 23.1.2.100).
      • The firewall changes the destination IP from 23.1.2.100 to 10.30.0.100.
      • When the server replies, the firewall reverts the source address to the original global address.

Configuration Steps

1. Setting Up the Interface

  • Navigate to Network > Interfaces.
  • Create Ethernet 1/2 as a Layer 3 interface, associate it with the relevant virtual router, and create a new DMZ Zone.
  • Configure the IPv4 address 10.30.0.19 with a 24-bit mask.
  • Make sure the interface is connected to the VLAN that carries the 10.30.0.0 network.

2. Configuring Destination NAT

  • Navigate to Policies and add a new destination NAT rule.
  • Name the rule: DNAT for Server.
  • Original Packet:
    • Source Zone: Outside Zone
    • Destination Zone: Outside Zone
    • Destination Interface: Service Provider A on Ethernet 1/4
    • Destination Address: 23.1.2.100
  • Translated Packet:
    • Destination Address Translation to: 10.30.0.100.

3. Creating Security Policy Rule

  • Create a new security policy rule to permit traffic to the DMZ.
  • Name the rule: Permit to Server on DMZ.
  • Source Tab:
    • Use pre-NAT information (clients from the internet).
  • Destination Tab:
    • Use pre-NAT IP (23.1.2.100) and set the post-NAT Zone to DMZ.
  • Applications Allowed:
    • Ping
    • SSL (HTTPS)
    • Web Browsing (HTTP)
  • Set actions to allow traffic.
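The order of operations that steps 2 and 3 rely on (the NAT rule is matched on the original packet, while the security rule sees the pre-NAT destination IP but the post-NAT destination zone) is easy to get wrong. The following Python model is an added example, not configuration from the lecture or PAN-OS code; the zone names "Outside" and "DMZ", the client address 198.51.100.7 and the application names are assumed.

```python
from dataclasses import dataclass, replace

GLOBAL_ADDR = "23.1.2.100"   # public address used by internet clients (from the lecture)
SERVER_ADDR = "10.30.0.100"  # IIS server in the DMZ (from the lecture)

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_zone: str   # zone of the ingress interface
    dst_zone: str   # zone from the route lookup on the (current) destination address
    app: str

# NAT rule "DNAT for Server": matched against the ORIGINAL packet.
# Zone names "Outside"/"DMZ" are assumed; the lecture only says Outside Zone and DMZ Zone.
NAT_RULES = [{"name": "DNAT for Server", "from": "Outside", "to": "Outside",
              "dst": GLOBAL_ADDR, "translated": SERVER_ADDR, "post_zone": "DMZ"}]

# Security rule "Permit to Server on DMZ": pre-NAT destination IP, post-NAT destination zone.
SECURITY_RULES = [{"name": "Permit to Server on DMZ", "from": "Outside", "to": "DMZ",
                   "dst": GLOBAL_ADDR, "apps": {"ping", "ssl", "web-browsing"},
                   "action": "allow"}]

def apply_dnat(pkt):
    """Return (post-NAT destination zone, translated packet, matched NAT rule or None)."""
    for r in NAT_RULES:
        if (pkt.src_zone, pkt.dst_zone, pkt.dst_ip) == (r["from"], r["to"], r["dst"]):
            # A route lookup on the translated address now points into the DMZ.
            return r["post_zone"], replace(pkt, dst_ip=r["translated"]), r["name"]
    return pkt.dst_zone, pkt, None

def security_lookup(pre_nat_pkt, post_nat_zone):
    """Security policy is evaluated with the pre-NAT IPs but the post-NAT zone."""
    for r in SECURITY_RULES:
        if (pre_nat_pkt.src_zone == r["from"] and post_nat_zone == r["to"]
                and pre_nat_pkt.dst_ip == r["dst"] and pre_nat_pkt.app in r["apps"]):
            return r["action"], r["name"]
    return "deny", "interzone-default"   # no explicit match: implicit interzone deny

def process(pkt):
    """Forward path: NAT lookup first, then security lookup, then forward if allowed."""
    post_zone, translated, nat_rule = apply_dnat(pkt)
    action, sec_rule = security_lookup(pkt, post_zone)
    return {"action": action, "nat_rule": nat_rule, "security_rule": sec_rule,
            "forwarded_to": translated.dst_ip if action == "allow" else None}

def translate_reply(reply):
    """Return traffic: the server's source address is reverted to the global address."""
    return replace(reply, src_ip=GLOBAL_ADDR) if reply.src_ip == SERVER_ADDR else reply
```

A security rule written with 10.30.0.100 as the destination would never match in this model, which is the same reason such a rule silently drops traffic on the firewall.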

Testing Configuration

  • Commit changes and ensure the interface is up.
  • From a client (a Linux computer), test connectivity:
    • Ping to 23.1.2.100: Successful.
    • Open browser and navigate to 23.1.2.100: Should display the IIS default page.

Summary

  • Successfully configured a DMZ, set up a destination NAT rule, and established security policy to allow external traffic to reach the server in the DMZ.