Palo Alto Networks
Network Address Translation For Dummies
Alberto Rivai, CCIE, CISSP
Senior Systems Engineer, ANZ
NAT Example 1: static destination NAT
NAT Policy / Security Policy (rule screenshots)
©2014, Palo Alto Networks. Confidential and Proprietary.
Example 1 topology: Internet (Untrust zone), public IP 102.100.88.90; internal server 172.17.1.40 (Trust zone)
Example 2
NAT Policy / Security Policy (rule screenshots)
Example 2 topology: Internet (Untrust zone); DMZ zone carrying the public block 104.150.226.0/24; internal server 172.17.1.39 (Trust zone)
Flow Logic of the Next-Generation Firewall

Initial Packet Processing
  • Source Zone / Address / User-ID
  • PBF / Forwarding Lookup
  • Destination Zone
  • NAT Policy Evaluated
  • Pre-Policy Security Check
  • Session Created
Check for Allowed Ports
Application
  • Check for Encrypted Traffic, then Decryption Policy
  • App-ID
  • Application Override Policy
Security Policy Check
  • Security Policy
  • Security Profiles
Post Policy Processing
  • Re-Encrypt
  • NAT Policy Applied
  • Packet Forwarded
NAT Example 1: static destination NAT
PAN-OS zone and IP address processing flow, Example 1

1. Packet arrives: source address Any, destination address 102.100.88.90.
2. PAN-OS assigns the source zone from the interface the packet ingressed on, and the destination zone from the interface the packet would egress from (a route lookup on the original, untranslated destination address).
   Source zone Untrust, destination zone Untrust; source address Any, destination address 102.100.88.90.
3. The NAT rulebase is checked for a matching rule, using these pre-NAT zones and pre-NAT addresses.
4. PAN-OS checks the interface the packet will egress from after translation and changes the destination zone if necessary.
   Source zone Untrust, destination zone Trust; source address Any, destination address 102.100.88.90 (still untranslated).
5. The security rulebase is checked for a matching rule: post-NAT destination zone (Trust), pre-NAT destination address (102.100.88.90).
6. Source and/or destination IP address rewritten per the NAT rule.
7. Packet forwarded: source address Any, destination address 172.16.1.40.
Example 2 (same NAT policy, security policy and topology as shown earlier)
PAN-OS zone and IP address processing flow, Example 2

1. Packet arrives: source address Any, destination address 104.160.226.80.
2. PAN-OS assigns the source zone from the interface the packet ingressed on, and the destination zone from the interface the packet would egress from (a route lookup on the original, untranslated destination address; the public block is routed to the DMZ interface).
   Source zone Untrust, destination zone DMZ; source address Any, destination address 104.160.226.80.
3. The NAT rulebase is checked for a matching rule, using these pre-NAT zones (Untrust to DMZ) and pre-NAT addresses.
4. PAN-OS checks the interface the packet will egress from after translation and changes the destination zone if necessary.
   Source zone Untrust, destination zone Trust; source address Any, destination address 104.160.226.80 (still untranslated).
5. The security rulebase is checked for a matching rule: post-NAT destination zone (Trust), pre-NAT destination address (104.160.226.80).
6. Source and/or destination IP address rewritten per the NAT rule.
7. Packet forwarded: source address Any, destination address 172.16.1.39.
NAT Policy Logic

• Source and destination zones on a NAT rule are evaluated pre-NAT, based on the routing table: the destination zone is the zone of the interface that the original (untranslated) destination address is routed to.
  • Example 1: when translating traffic that is incoming to an internal server (reached via a public IP by Internet users), configure the NAT rule with the zone in which the public IP address resides as the destination zone.
  • Example 2: when translating traffic that is incoming to an internal server (reached via a public IP by Internet users, where that public IP is routed to a DMZ zone), configure the NAT rule with the DMZ zone as the destination zone.
• Original (pre-NAT) IP addresses are ALWAYS used to match rules, in both the NAT rulebase and the security rulebase. Why? Because address translation does not actually happen until the packet egresses the firewall.
• The ONLY zone that may change from the original packet during processing is the destination zone: once a destination NAT rule matches, the destination zone is re-derived from the translated address. A security rule for destination-NAT traffic therefore uses the post-NAT destination zone together with the pre-NAT (public) destination address; a rule written against the real server address never matches.
Destination NAT policy configuration (callouts on the NAT rule screenshot)

• Source zone: the zone the source IP is coming from (i.e. the Internet zone).
• Destination zone: the zone of the NATted IP. To check which zone that is, execute "show routing route destination <natted ip subnet/mask>" and then check the zone of the interface the route points to.
• Original packet, source address: the original source.
• Original packet, destination address: the NATted (public) IP.
• Translated packet, destination address: the real IP address of the server.
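The order of evaluation walked through above for Examples 1 and 2, as an added Python model; this is example code, not code from the deck and not PAN-OS itself. It assumes interface names ethernet1/1 to ethernet1/3, a route table with /24 prefixes around the example hosts, the host .80 inside the DMZ block 104.150.226.0/24, the internal addresses from the topology diagrams (172.17.1.40 and 172.17.1.39), rule names, and an Internet client 198.51.100.7. It reproduces the three rules of thumb: the NAT rule matches on the pre-NAT zone, the security rule matches on the post-NAT zone but the pre-NAT address, and the address is rewritten only when the packet is forwarded.

```python
"""Model of the PAN-OS order of evaluation for destination NAT (added example).
Assumed, not from the deck: interface names, the route table (including the
/24 prefixes around the example hosts), the host .80 inside 104.150.226.0/24,
the rule names and the client address 198.51.100.7."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Route:
    prefix: str      # e.g. "172.17.1.0/24"
    interface: str   # interface the prefix is routed out of

@dataclass
class NatRule:
    name: str
    from_zone: str
    to_zone: str         # PRE-NAT destination zone: where the public IP is routed
    original_dst: str    # pre-NAT (public) destination address
    translated_dst: str  # real (post-NAT) destination address

@dataclass
class SecurityRule:
    name: str
    from_zone: str
    to_zone: str   # POST-NAT destination zone
    dst: str       # PRE-NAT destination address, or "any"
    action: str    # "allow" or "deny"

class Firewall:
    def __init__(self, routes, zone_of_interface, nat_rules, security_rules):
        self.routes = [(ip_network(r.prefix), r.interface) for r in routes]
        self.zone_of_interface = dict(zone_of_interface)
        self.nat_rules, self.security_rules = list(nat_rules), list(security_rules)

    def egress_interface(self, dst: str) -> Optional[str]:
        """Longest-prefix match: what 'show routing route destination <ip>' answers."""
        addr, best = ip_address(dst), None
        for net, iface in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def zone_for(self, dst: str) -> Optional[str]:
        iface = self.egress_interface(dst)
        return self.zone_of_interface.get(iface) if iface else None

    def process(self, ingress_interface: str, src: str, dst: str) -> dict:
        # Steps 1-2: source zone from the ingress interface; destination zone from
        # a route lookup on the ORIGINAL (untranslated) destination address.
        src_zone = self.zone_of_interface[ingress_interface]
        pre_nat_zone = dst_zone = self.zone_for(dst)
        # Step 3: the NAT rulebase is matched on pre-NAT zones and pre-NAT addresses.
        nat = next((r for r in self.nat_rules if r.from_zone == src_zone
                    and r.to_zone == pre_nat_zone and r.original_dst == dst), None)
        forwarded_dst = dst
        # Step 4: a destination-NAT match re-derives the destination zone from the
        # translated address; the packet's addresses are not rewritten yet.
        if nat is not None:
            forwarded_dst = nat.translated_dst
            dst_zone = self.zone_for(forwarded_dst)
        # Step 5: security rulebase sees the POST-NAT zone but the PRE-NAT address.
        sec = next((r for r in self.security_rules if r.from_zone == src_zone
                    and r.to_zone == dst_zone and r.dst in ("any", dst)), None)
        allowed = sec is not None and sec.action == "allow"   # implicit interzone deny
        # Steps 6-7: the address is rewritten only when the packet is forwarded.
        return {
            "action": "allow" if allowed else "deny",
            "src_zone": src_zone, "pre_nat_dst_zone": pre_nat_zone, "dst_zone": dst_zone,
            "nat_rule": nat.name if nat else None,
            "security_rule": sec.name if sec else None,
            "forwarded_dst": forwarded_dst if allowed else dst,
            "egress_interface": self.egress_interface(forwarded_dst) if allowed else None,
        }

# Constructed topology for the two examples (interface names are assumed).
ZONES = {"ethernet1/1": "Untrust", "ethernet1/2": "Trust", "ethernet1/3": "DMZ"}
ROUTES = [
    Route("0.0.0.0/0", "ethernet1/1"),
    Route("102.100.88.0/24", "ethernet1/1"),   # Example 1: public IP sits on the Untrust interface
    Route("104.150.226.0/24", "ethernet1/3"),  # Example 2: public block routed into the DMZ
    Route("172.17.1.0/24", "ethernet1/2"),     # internal servers, Trust zone
]
NAT_RULES = [
    NatRule("ex1-dnat", "Untrust", "Untrust", "102.100.88.90", "172.17.1.40"),
    NatRule("ex2-dnat", "Untrust", "DMZ", "104.150.226.80", "172.17.1.39"),
]
SECURITY_RULES = [  # post-NAT zone, pre-NAT address
    SecurityRule("ex1-allow", "Untrust", "Trust", "102.100.88.90", "allow"),
    SecurityRule("ex2-allow", "Untrust", "Trust", "104.150.226.80", "allow"),
]
# Two classic mistakes: a security rule written against the real (post-NAT)
# address, and a NAT rule written against the post-NAT (Trust) zone.
WRONG_SECURITY_RULES = [SecurityRule("ex1-wrong", "Untrust", "Trust", "172.17.1.40", "allow")]
WRONG_NAT_RULES = [NatRule("ex1-wrong-zone", "Untrust", "Trust", "102.100.88.90", "172.17.1.40")]

def run(dst: str, nat_rules=NAT_RULES, security_rules=SECURITY_RULES) -> dict:
    """Send one packet from the Internet client 198.51.100.7 to `dst`."""
    return Firewall(ROUTES, ZONES, nat_rules, security_rules).process("ethernet1/1", "198.51.100.7", dst)

if __name__ == "__main__":
    for dst in ("102.100.88.90", "104.150.226.80"):
        print(run(dst))
```

Running `run("102.100.88.90", security_rules=WRONG_SECURITY_RULES)` shows the failure mode the deck warns about: the NAT rule still matches and the destination zone becomes Trust, but no security rule matches the pre-NAT address and the session is denied. `run("102.100.88.90", nat_rules=WRONG_NAT_RULES)` shows the other one: with the NAT rule's destination zone set to Trust, the rule is never evaluated as a match because the pre-NAT lookup yields Untrust.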
Source NAT

• PAN-OS supports the following options for source translation:
  • Dynamic-ip-and-port (DIPP)
  • Dynamic-ip (DIP)
  • Static IP
DIP NAT

• In this form of NAT the original source port number is left intact; only the source IP address is translated.
• With dynamic-ip source NAT the size of the NAT pool must equal the number of internal hosts that require address translation. If all IP addresses in the pool are in use, connections from new hosts cannot be translated and are dropped. New sessions from hosts that already hold a NAT binding are still allowed.
DIPP NAT

• To translate both the source IP address AND the source port number, the DIPP (dynamic IP and port) type of translation must be used.
• This form of NAT is also commonly referred to as interface-based NAT or network address port translation (NAPT). Other vendors call the same thing:
  • NAT Overload on Cisco routers
  • PAT on Juniper Netscreen
Translated IPs (configuration screenshot)
When do we need oversubscription?

• Use case 1: when you have "X" public IP addresses and need more than X × 64511 NAT sessions.
NAT capacity (PA-3050)

Columns of the capacity table:
• Maximum NAT rules combined (Static, DIP and DIPP)
• Maximum Static NAT
• Maximum DIP NAT
• Maximum DIPP NAT at the default oversubscription (source IP and port being reused 2x, for different destination IPs)
• Maximum DIP IPs
• Maximum DIPP IPs with oversubscription off (1x): 800 (the "max translated address" figure used in the DIPP oversubscription calculation)
The other cells of this table did not survive extraction.
DIPP oversubscription

• Usable number of ports per translated IP: 65535 − 1024 = 64511
• Example: maximum number of PA-3050 NAT DIPP sessions
  • Default DIPP oversubscription for the PA-3050 is 2x.
  • Using 1 public IP at the default 2x oversubscription: 1 × 64511 × 2 = 129,022 NAT sessions.
  • Maximum number of NAT sessions for the PA-3050 when the maximum DIPP oversubscription (8x) is used: (800 max translated addresses / 8 max oversubscription) × 8 × 64511 = 51,608,800 NAT sessions. Raising the oversubscription ratio reduces the number of translated addresses the platform supports by the same factor, which is why the 800 is divided by 8.
  • This assumes all sessions go to different destination IPs: a translated IP and port pair can only be reused by sessions to different destinations, so sessions that share a destination do not benefit from oversubscription.
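The DIP and DIPP behaviour described on the DIP NAT, DIPP NAT and oversubscription slides, as an added Python model; this is example code, not code from the deck and not PAN-OS itself. The pool addresses (203.0.113.x), the internal host addresses, the client destinations (198.51.100.x) and the tiny port ranges used to show exhaustion quickly are constructed for the example; the 64511-port count and the PA-3050 figures (1 IP at 2x, 800/8 = 100 IPs at 8x) are the deck's.

```python
"""Model of PAN-OS dynamic source NAT pools (added example): DIP pool
exhaustion and DIPP port reuse under oversubscription. Pool addresses,
host addresses and the tiny port ranges used to show exhaustion are
constructed for the example; the 64511-port count is the deck's figure."""
from ipaddress import ip_address
from typing import Optional, Tuple

USABLE_PORTS = range(1024, 65535)   # 65535 - 1024 = 64511 ports per translated IP

class DipPool:
    """Dynamic IP: the source address is translated, the source port is left intact.
    One pool address is consumed per internal host, so the pool must be at least
    as large as the number of hosts that need translation."""
    def __init__(self, pool_ips):
        self.free = list(pool_ips)
        self.binding = {}   # internal host -> translated address

    def translate(self, src_ip: str, src_port: int) -> Optional[Tuple[str, int]]:
        if src_ip not in self.binding:
            if not self.free:
                return None   # pool exhausted: a NEW host gets no translation and is dropped
            self.binding[src_ip] = self.free.pop(0)
        return self.binding[src_ip], src_port   # a known host keeps working, port unchanged

class DippPool:
    """Dynamic IP and port (NAPT): address and port are both translated. With an
    oversubscription ratio of N, one (translated IP, port) pair may be shared by up
    to N sessions, but only if they go to different destination IPs, because the
    destination is what keeps the reverse mapping unambiguous."""
    def __init__(self, pool_ips, oversub: int = 1, ports: range = USABLE_PORTS):
        self.pool_ips, self.oversub, self.ports = list(pool_ips), oversub, ports
        self.users = {}   # (translated ip, port) -> set of destination IPs using it

    def capacity(self) -> int:
        """Sessions this pool can hold if every reuse goes to a different destination."""
        return len(self.pool_ips) * len(self.ports) * self.oversub

    def translate(self, src_ip: str, src_port: int, dst_ip: str) -> Optional[Tuple[str, int]]:
        for xlat_ip in self.pool_ips:
            for port in self.ports:
                dsts = self.users.setdefault((xlat_ip, port), set())
                if dst_ip not in dsts and len(dsts) < self.oversub:
                    dsts.add(dst_ip)
                    return xlat_ip, port
        return None   # every pair is already used `oversub` times or used toward this destination

def open_sessions(pool: DippPool, attempts: int, distinct_dests: bool = True) -> int:
    """Open `attempts` sessions from one host and return how many received a translation."""
    ok = 0
    for i in range(attempts):
        dst = str(ip_address("198.51.100.0") + i + 1) if distinct_dests else "198.51.100.1"
        if pool.translate("10.0.0.5", 40000 + i, dst) is not None:
            ok += 1
    return ok

def pa3050_capacities() -> dict:
    """The deck's PA-3050 figures: 1 IP at the default 2x, and 800/8 = 100 IPs at the maximum 8x."""
    return {
        "one_ip_2x": DippPool(["203.0.113.1"], oversub=2).capacity(),
        "max_8x": DippPool([str(ip_address("203.0.113.0") + i) for i in range(800 // 8)],
                           oversub=8).capacity(),
    }

if __name__ == "__main__":
    print(pa3050_capacities())
    small = DippPool(["203.0.113.1"], oversub=2, ports=range(1024, 1028))
    print(open_sessions(small, 10), "of 10 sessions translated, capacity", small.capacity())
```

Two behaviours worth checking against a real pool: a DIP pool of two addresses translates two hosts and drops the third while the first two keep opening sessions, and a 2x DIPP pool that only ever talks to one destination fills at the 1x count, since no pair can be reused toward the same destination.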
Example: oversubscription 1x (configuration screenshot)
Example: oversubscription 8x (configuration screenshot)
NAT CLI command

• Check DIPP/DIP rule capacity (CLI output screenshots)