Destination NAT is performed on incoming packets when
the firewall translates a destination address to a different destination
address; for example, it translates a public destination address
to a private destination address. Destination NAT also offers the
option to perform port forwarding or port translation.
Destination NAT allows static and dynamic translation:
Static IP—You can configure a one-to-one, static translation in
several formats. You can specify that the original packet have a
single destination IP address, a range of IP addresses, or an IP
netmask, as long as the translated packet is in the same format
and specifies the same number of IP addresses. The firewall statically
translates an original destination address to the same translated
destination address each time. That is, if there is more than one
destination address, the firewall translates the first destination
address configured for the original packet to the first destination
address configured for the translated packet, and translates the
second original destination address configured to the second translated
destination address configured, and so on, always using the same
translation.
If you use destination NAT to translate a static
IPv4 address, you might also use DNS services on one side of the
firewall to resolve FQDNs for a client on the other side. When the
DNS response containing the IPv4 address traverses the firewall,
the DNS server provides an internal IP address to an external device,
or vice versa, so the client receives a pre-NAT address that is not
usable from its side of the firewall. Beginning with PAN-OS 9.0.2 and in later 9.0 releases,
you can configure the firewall to rewrite the IP address in the
DNS response (that matches the rule) so that the client receives
the appropriate address to reach the destination service. The applicable DNS rewrite use
case determines how you configure such a rewrite.
Dynamic IP (with session distribution)—Destination
NAT allows you to translate the original destination address to
a destination host or server that has a dynamic IP address,
meaning an address object that uses an FQDN, which can return multiple
addresses from DNS. Dynamic IP (with session distribution) supports IPv4
addresses only. Destination NAT using a dynamic IP address is especially
helpful in cloud deployments that use dynamic IP addressing.
If
the translated destination address resolves to more than one address,
the firewall distributes incoming NAT sessions among those addresses.
Distribution uses one of several methods: round-robin (the default method),
source IP hash, IP modulo, IP hash, or least sessions. If a DNS
server returns more than 32 IPv4 addresses for an FQDN, the firewall
uses only the first 32 addresses in the response.
If the translated
address is an address object of type FQDN that resolves to only
IPv6 addresses, the destination NAT policy rule considers the FQDN
as unresolved.
Using Dynamic IP (with session
distribution) allows you to translate multiple pre-NAT
destination IP addresses (M) to multiple post-NAT destination
IP addresses (N). This many-to-many translation means a single
NAT rule can yield M x N destination NAT translations.
For destination NAT, the best practice
is to:
Use Static IP address translation
for static IP addresses, which allows the firewall to check and
ensure that the number of original destination IP addresses equals
the number of translated destination IP addresses.
Use Dynamic IP (with session distribution) address
translation only for FQDN-based dynamic addresses (the firewall
does not perform an IP address number check).
The following are common examples of destination NAT translations
that the firewall allows (notes follow each row):

Translation Type                          Original Packet's Destination Address   Translated Packet's Destination Address
Static IP                                 192.168.1.1                             2.2.2.2
    Original packet and translated packet each have one possible destination address.
Static IP                                 192.168.1.1-192.168.1.4                 2.2.2.1-2.2.2.4
    Original packet and translated packet each have four possible destination addresses:
    192.168.1.1 always maps to 2.2.2.1, 192.168.1.2 always maps to 2.2.2.2,
    192.168.1.3 always maps to 2.2.2.3, and 192.168.1.4 always maps to 2.2.2.4.
Static IP                                 192.168.1.1/30                          2.2.2.1/30
    Original packet and translated packet each have four possible destination addresses,
    mapped in order exactly as in the range example above: 192.168.1.1 always maps to 2.2.2.1,
    192.168.1.2 to 2.2.2.2, 192.168.1.3 to 2.2.2.3, and 192.168.1.4 to 2.2.2.4.
Dynamic IP (with session distribution)    192.168.1.1/30                          domainname.com
    Original packet has four destination addresses; if, for example, the FQDN in the translated
    destination address resolves to five IPv4 addresses, there are 20 possible destination NAT
    translations in a single NAT rule.
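The following Python model is an added example and is not PAN-OS code or part of this documentation. It reproduces the Static IP behaviour described above (ordinal one-to-one mapping of single addresses, ranges and netmasks, with the equal-count check the firewall performs) and the Dynamic IP (with session distribution) behaviour (the 32-address cap, an IPv6-only FQDN treated as unresolved, the M x N count from the table, and the five distribution methods). The address specifications and DNS answers are constructed; the hash behind the source IP hash and IP hash methods is a stand-in, and treating IP hash as a hash of the source/destination pair is an assumption, since the page does not describe the firewall's own hashing.

```python
"""Destination NAT address translation, modelled in Python.

Added example, not PAN-OS code: it reproduces the documented behaviour for
Static IP (ordinal one-to-one mapping with an equal-count check) and
Dynamic IP (with session distribution) on constructed inputs. The hash
used by the hash-based methods is a stand-in, not the firewall's algorithm.
"""
import hashlib
import ipaddress
import itertools
from typing import Dict, List, Optional, Sequence

MAX_FQDN_ADDRESSES = 32  # the firewall uses only the first 32 IPv4 answers


def expand(spec: str) -> List[str]:
    """Expand a single IP, an 'a-b' range or an 'ip/prefix' netmask to the
    addresses it covers. The netmask form is expanded from the given host,
    so 192.168.1.1/30 yields .1-.4 exactly as in the page's table."""
    if "-" in spec:
        lo, hi = (ipaddress.IPv4Address(s) for s in spec.split("-"))
        return [str(ipaddress.IPv4Address(a)) for a in range(int(lo), int(hi) + 1)]
    if "/" in spec:
        host, prefix = spec.split("/")
        start = int(ipaddress.IPv4Address(host))
        return [str(ipaddress.IPv4Address(start + i)) for i in range(2 ** (32 - int(prefix)))]
    return [str(ipaddress.IPv4Address(spec))]


def static_counts_match(original: str, translated: str) -> bool:
    """The check the firewall performs for Static IP: both sides must list
    the same number of addresses."""
    return len(expand(original)) == len(expand(translated))


def static_map(original: str, translated: str) -> Dict[str, str]:
    """Static IP: the n-th original address always maps to the n-th translated
    address. Raises when the counts differ, as the firewall rejects such a rule."""
    if not static_counts_match(original, translated):
        raise ValueError(f"static NAT needs equal counts: {original!r} vs {translated!r}")
    return dict(zip(expand(original), expand(translated)))


def resolve_targets(dns_answers: Sequence[str]) -> Optional[List[str]]:
    """Reduce a DNS answer set to the IPv4 targets the rule uses: None if the
    FQDN resolved only to IPv6 (the rule treats it as unresolved), otherwise
    at most the first 32 IPv4 addresses in answer order."""
    v4 = [a for a in dns_answers if ipaddress.ip_address(a).version == 4]
    return v4[:MAX_FQDN_ADDRESSES] if v4 else None


def _h32(text: str) -> int:
    """Stand-in 32-bit hash (SHA-256 prefix); not the firewall's algorithm."""
    return int.from_bytes(hashlib.sha256(text.encode()).digest()[:4], "big")


class DynamicDestination:
    """Dynamic IP (with session distribution): spread new sessions across the
    addresses an FQDN resolved to, using one of the documented methods."""

    METHODS = ("round-robin", "source-ip-hash", "ip-modulo", "ip-hash", "least-sessions")

    def __init__(self, dns_answers: Sequence[str], method: str = "round-robin"):
        targets = resolve_targets(dns_answers)
        if targets is None:
            raise ValueError("FQDN unresolved: DNS returned no IPv4 address")
        if method not in self.METHODS:
            raise ValueError(f"unknown distribution method {method!r}")
        self.targets, self.method = targets, method
        self._rr = itertools.cycle(self.targets)
        self.sessions = {t: 0 for t in self.targets}  # sessions assigned per target

    def pick(self, src_ip: str, dst_ip: str) -> str:
        """Choose the post-NAT destination for a new session from src_ip to the
        pre-NAT destination dst_ip, and record the session against it."""
        n = len(self.targets)
        if self.method == "round-robin":  # default: cycle through the answers
            target = next(self._rr)
        elif self.method == "source-ip-hash":  # same client always lands on the same server
            target = self.targets[_h32(src_ip) % n]
        elif self.method == "ip-modulo":  # source address as an integer, modulo n
            target = self.targets[int(ipaddress.IPv4Address(src_ip)) % n]
        elif self.method == "ip-hash":  # assumption: hash of the source/destination pair
            target = self.targets[_h32(f"{src_ip}>{dst_ip}") % n]
        else:  # least-sessions, ties broken by answer order
            target = min(self.targets, key=lambda t: (self.sessions[t], self.targets.index(t)))
        self.sessions[target] += 1
        return target


def possible_translations(original: str, dns_answers: Sequence[str]) -> int:
    """M pre-NAT addresses x N resolved targets for one Dynamic IP rule."""
    targets = resolve_targets(dns_answers) or []
    return len(expand(original)) * len(targets)


if __name__ == "__main__":
    print(static_map("192.168.1.1/30", "2.2.2.1/30"))
    # constructed DNS answer for domainname.com
    answers = ["198.51.100.%d" % i for i in range(1, 6)]
    print(possible_translations("192.168.1.1/30", answers))  # 20
    rule = DynamicDestination(answers)
    print([rule.pick("203.0.113.%d" % i, "192.168.1.1") for i in range(7)])
```

Run it as a script to see the four static mappings from the table, the 20 possible translations of the Dynamic IP row, and seven round-robin picks wrapping back to the first answer; `static_map` with unequal sides raises, which is the check the best practice above relies on.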
One common use for destination NAT is to configure several NAT
rules that map a single public destination address to several private
destination host addresses assigned to servers or services. In this
case, the destination port numbers are used to identify the destination
hosts. For example:
Port Forwarding—Can translate a public destination
address and port number to a private destination address but keeps
the same port number.
Port Translation—Can translate a public destination
address and port number to a private destination address and a different
port number, thus keeping the actual port number private. The port
translation is configured by entering a Translated Port on
the Translated Packet tab in the NAT policy
rule. See the Destination
NAT with Port Translation Example.
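The following Python model is an added example, not PAN-OS code or the example the link above refers to. It shows how several destination NAT rules sharing one public address use the destination port to select the private host, the difference between port forwarding (port kept) and port translation (port changed, so the real listener port is never exposed), and the reverse translation applied to the server's replies. The public address, private hosts, ports and rule names are constructed for illustration.

```python
"""Port forwarding and port translation with several destination NAT rules
that share one public address.

Added example, not PAN-OS code: it models the ordered rule evaluation the
page describes on constructed addresses, ports and rule names, including the
reverse translation the firewall applies to replies from the private host.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass(frozen=True)
class DnatRule:
    name: str
    original_dst: str        # public destination address in the original packet
    original_port: int       # service port the rule matches on
    translated_dst: str      # private host behind the firewall
    translated_port: Optional[int] = None  # None: port forwarding, port unchanged

    def matches(self, dst: Endpoint) -> bool:
        return dst == (self.original_dst, self.original_port)

    def translate(self, dst: Endpoint) -> Endpoint:
        """Translated Packet: new address, and a new port only for port translation."""
        port = dst[1] if self.translated_port is None else self.translated_port
        return (self.translated_dst, port)


def translate(rules: List[DnatRule], dst: Endpoint) -> Optional[Tuple[str, Endpoint]]:
    """Evaluate an ordered NAT policy for an incoming packet: first match wins.
    Returns (rule name, translated destination), or None when no rule applies."""
    for rule in rules:
        if rule.matches(dst):
            return rule.name, rule.translate(dst)
    return None


def untranslate_reply(rules: List[DnatRule], src: Endpoint) -> Optional[Endpoint]:
    """Reverse the translation for a reply from the private host so the client
    sees the public address and port it connected to."""
    for rule in rules:
        if src == rule.translate((rule.original_dst, rule.original_port)):
            return (rule.original_dst, rule.original_port)
    return None


def exposed_ports(rules: List[DnatRule]) -> List[Tuple[int, int]]:
    """(public port, actual port on the private host) per rule: with port
    translation the two differ, so the real listener port stays private."""
    return [(r.original_port, r.translate((r.original_dst, r.original_port))[1]) for r in rules]


# Constructed policy: one public address, three private services
RULES = [
    DnatRule("web-forward", "203.0.113.10", 443, "10.1.1.10"),          # port forwarding
    DnatRule("ssh-translate", "203.0.113.10", 2222, "10.1.1.20", 22),    # port translation
    DnatRule("app-translate", "203.0.113.10", 80, "10.1.1.30", 8080),    # port translation
]

if __name__ == "__main__":
    for port in (443, 2222, 80, 22):
        print(port, translate(RULES, ("203.0.113.10", port)))
    print(untranslate_reply(RULES, ("10.1.1.20", 22)))
    print(exposed_ports(RULES))
```

Note that a packet to the public address on port 22 matches no rule: the SSH host is reachable only through the translated port 2222, which is the point of keeping the actual port number private.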