Translate Internal Client IP Addresses to Your Public IP Address (Source DIPP NAT)
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
-
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
Translate Internal Client IP Addresses to Your Public IP Address (Source DIPP NAT)
When a client on your internal network sends a request, the source address in the
packet contains the IP address for the client on your internal network. If you use
private IP address ranges internally, the packets from the client will not be able
to be routed on the Internet unless you translate the source IP address in the
packets leaving the network into a publicly routable address.
On the firewall you can do this by configuring a source NAT policy that translates
the source address (and optionally the port) into a public address. One way to do
this is to translate the source address for all packets to the egress interface on
your firewall, as shown in the following procedure.
This task covers regular DIPP, and this task also includes
the step to enable persistent NAT for DIPP in PAN-OS 11.1.0 and earlier releases.
To enable persistent NAT for DIPP in
PAN-OS 11.1.1 and later releases, Create a Source NAT Rule with Persistent DIPP.
- Create an address object for the external IP address you plan to use.
- Select ObjectsAddresses and Add a Name and optional Description for the object.Select IP Netmask from the Type and then enter the IP address of the external interface on the firewall, 203.0.113.100 in this example.Click OK.Although you do not have to use address objects in your policies, it is a best practice because it simplifies administration by allowing you to make updates in one place rather than having to update every policy where the address is referenced.Create the NAT policy.
- Select PoliciesNAT and click Add.On the General tab, enter a descriptive Name for the policy.(Optional) Enter a tag, which is a keyword or phrase that allows you to sort or filter policies.For NAT Type, select ipv4 (default).On the Original Packet tab, select the zone you created for your internal network in the Source Zone section (click Add and then select the zone) and the zone you created for the external network from the Destination Zone list.On the Translated Packet tab, select Dynamic IP And Port from the Translation Type list in the Source Address Translation section of the screen.For Address Type, there are two choices. You could select Translated Address and then click Add. Select the address object you just created.An alternative Address Type is Interface Address, in which case the translated address will be the IP address of the interface. For this choice, you would select an Interface and optionally an IP Address if the interface has more than one IP address.Click OK.Commit your changes.Click Commit.(PAN-OS 11.1.0 and earlier releases) Enable persistent NAT for DIPP. (Skip this step for regular DIPP.)
- Access the CLI.>set system setting persistent-dipp enable yes>request restart systemIf you have HA configured, repeat this step on the other HA peer.(Optional) Verify the translation.
- Use the show session all command to view the session table, where you can verify the source IP address and port and the corresponding translated IP address and port.Use the show session id <id_number> to view more details about a session.If you configured Dynamic IP NAT, use the show counter global filter aspect session severity drop | match nat command to see if any sessions failed due to NAT IP allocation. If all of the addresses in the Dynamic IP NAT pool are allocated when a new connection is supposed to be translated, the packet will be dropped.