Destination NAT
Learn more about the Prisma SD-WAN destination NAT use case.
Prisma SD-WAN destination NAT securely permits inbound connections from the internet to access internal private IP resources at a branch site location. One of the use cases involves physical security monitoring services that require direct inbound connections from the internet and outbound connections from the local device, often implemented with a dedicated 1:1 NAT configuration.
In this example, the external system Host 1 needs to communicate
with Server 1 in the branch location across the internet. For Host
1, the IP address for the branch service is 50.50.50.2 and port
443.
Fields | Description |
---|---|
1 | A new flow is sourced from Host 1 with a source address of 70.70.70.70 and a destination address of 50.50.50.2. |
2 | The packet arrives at the ION device's internet interface. It performs the policy lookup and places the traffic on the LAN path. |
3 | Place the packet onto the LAN segment and match it against the recently created NAT Policy Rule. This rule contains the following configuration: The NAT Pool LAN-Services is defined as 10.10.10.20 - 10.10.10.20 on the branch ION device. NAT Pools are defined in persisting ranges and can be configured through the NAT Policy UI or directly through the device-level interface configuration. As the policy applies to the packet, the original destination address, 50.50.50.2, is overwritten by the NAT Pool LAN-Services address. In this example the original packet (s) 70.70.70.70:12345, (d) 50.50.50.2:443 is rewritten to (s) 70.70.70.70:12345, (d) 10.10.10.20:443. |
4 | Traffic arrives on the LAN at the server hosting inbound services from the internet. |
5 | The server sends the return traffic to the destination of 70.70.70.70:12345. |
6 | Traffic arrives at the ION device's LAN interface, where a translation table check is performed on the flow to ensure that there is an active connection. |
7 | Establish the traffic onto the LAN segment; the source IP address is rewritten from 10.10.10.10:443 to 50.50.50.2:443. If traffic that originates from Server 1 (10.10.10.20) also needs to be translated to 50.50.50.2, configure a corresponding Source NAT Rule. |
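
The packet walk in the table above, modeled as an added example (not Palo Alto Networks code and not part of the original page): one 1:1 destination NAT rule with a translation table that is consulted before return traffic is rewritten. The class and function names are hypothetical, the reply is rewritten from the NAT pool address 10.10.10.20 given in step 3, and returning `None` for traffic the rule does not handle is an assumption of this model.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class DestinationNat:
    """Toy model of one 1:1 destination NAT rule and its translation table."""

    def __init__(self, public_ip: str, port: int, pool_ip: str):
        self.public_ip, self.port, self.pool_ip = public_ip, port, pool_ip
        # Active flows: (remote ip, remote port, internal ip, internal port).
        self.table = set()

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Steps 1-4: rewrite the destination to the NAT pool address."""
        if (pkt.dst, pkt.dport) != (self.public_ip, self.port):
            return None  # not the published address and port: rule does not match
        self.table.add((pkt.src, pkt.sport, self.pool_ip, pkt.dport))
        return Packet(pkt.src, pkt.sport, self.pool_ip, pkt.dport)

    def outbound_reply(self, pkt: Packet) -> Optional[Packet]:
        """Steps 5-7: translate a reply only if the flow is in the table."""
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) not in self.table:
            return None  # no active connection: this rule does not translate it
        return Packet(self.public_ip, pkt.sport, pkt.dst, pkt.dport)


def walk():
    """Replay the page's example flow (addresses taken from the table above)."""
    nat = DestinationNat("50.50.50.2", 443, "10.10.10.20")
    to_server = nat.inbound(Packet("70.70.70.70", 12345, "50.50.50.2", 443))
    reply = nat.outbound_reply(Packet("10.10.10.20", 443, "70.70.70.70", 12345))
    # Constructed case: Server 1 sends on a flow that Host 1 never opened.
    unsolicited = nat.outbound_reply(Packet("10.10.10.20", 443, "70.70.70.70", 54321))
    return to_server, reply, unsolicited


if __name__ == "__main__":
    for result in walk():
        print(result)
```

The third result is `None` because server-originated traffic has no translation table entry, which is why the page calls for a separate Source NAT Rule for that direction.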