Palo Alto Networks Network Address Translation
For Dummies
Alberto Rivai, CCIE, CISSP
Senior Systems Engineer
ANZ
NAT Example 1 static destination NAT
2 | ©2014, Palo Alto Networks. Confidential and Proprietary.
[Screenshot: NAT Policy and Security Policy rule tables for Example 1]
Example 1 topology
[Diagram: Internet (Untrust zone) -- firewall -- Internal (Trust zone). The public address 102.100.88.90 on the Untrust side is translated to the internal server 172.17.1.40 (the processing-flow slides below show the same server as 172.16.1.40).]
Example 2
[Screenshot: Security Policy and NAT Policy rule tables for Example 2]
Example 2 topology
[Diagram: Internet (Untrust zone), Internal (Trust zone) and DMZ (DMZ zone) behind the firewall. The public range 104.150.226.0/24 is routed to the DMZ zone; the real server 172.17.1.39 sits in the Trust zone (the processing-flow slides below use 104.160.226.80 and 172.16.1.39).]
Flow Logic of the Next-Generation Firewall
[Diagram: PAN-OS packet flow, in processing order]
1. Initial Packet Processing: Source Zone / Address / User-ID; PBF / Forwarding Lookup; Destination Zone; NAT Policy Evaluated
2. Security Pre-Policy: Check Allowed Ports; Session Created
3. Application: Check for Encrypted Traffic; Decryption Policy; Application Override Policy; App-ID
4. Security Policy: Check Security Policy; Check Security Profiles
5. Post Policy Processing: Re-Encrypt Traffic; NAT Policy Applied; Packet Forwarded
Note the two NAT stages: the NAT rulebase is evaluated during initial packet processing, before the security policy is checked, but the addresses are actually rewritten only in post-policy processing, after the security policy has allowed the packet.
NAT Example 1: static destination NAT, step by step
[Screenshot: NAT Policy and Security Policy rule tables for Example 1]
PANOS Zone and IP Address Processing flow
1. Original packet arrives: Source Address Any, Destination Address 102.100.88.90.
2. PAN-OS assigns the Source Zone from the interface the packet entered, and the Destination Zone from the interface the packet would egress from, i.e. a route lookup on the original destination. Result: Source Zone Untrust, Destination Zone Untrust; addresses unchanged (Source Any, Destination 102.100.88.90).
3. The NAT rulebase is checked for a matching rule, using these pre-NAT zones and pre-NAT addresses.
4. PAN-OS checks the interface the translated destination will egress from and changes the Destination Zone if necessary. Result: Source Zone Untrust, Destination Zone Trust; the addresses in the packet are still Source Any, Destination 102.100.88.90.
5. The Security rulebase is checked for a matching rule, using the post-NAT zones (Untrust to Trust) but the original addresses (Destination 102.100.88.90).
6. The source and/or destination IP address is rewritten per the matching NAT rule.
7. Packet forwarded: Source Address Any, Destination Address 172.16.1.40.
Example 2: destination NAT where the public IP is routed to the DMZ zone, step by step
[Screenshot: Security Policy and NAT Policy rule tables for Example 2]
[Diagram: as in the Example 2 topology above; Untrust, Trust and DMZ zones, 104.150.226.0/24 routed to the DMZ, server 172.17.1.39 in Trust]
PANOS Zone and IP Address Processing flow
1. Original packet arrives: Source Address Any, Destination Address 104.160.226.80.
2. PAN-OS assigns the Source Zone from the ingress interface and the Destination Zone from a route lookup on the original destination. 104.160.226.80 routes towards the DMZ, so: Source Zone Untrust, Destination Zone DMZ; addresses unchanged (Source Any, Destination 104.160.226.80).
3. The NAT rulebase is checked for a matching rule (Untrust to DMZ, destination 104.160.226.80).
4. PAN-OS checks the interface the translated address will egress from and changes the Destination Zone if necessary. Result: Source Zone Untrust, Destination Zone Trust; addresses still Source Any, Destination 104.160.226.80.
5. The Security rulebase is checked for a matching rule (Untrust to Trust, destination 104.160.226.80).
6. The source and/or destination IP address is rewritten per the matching NAT rule.
7. Packet forwarded: Source Address Any, Destination Address 172.16.1.39.
NAT Policy Logic
§ Source and Destination zones in a NAT rule are evaluated pre-NAT, based on the routing table: the destination zone is the zone of the interface that the original (untranslated) destination address routes to.
§ Example 1: when translating traffic coming in to an internal server that Internet users reach via a public IP, the NAT rule must use the zone in which the public IP address resides (here Untrust to Untrust), not the zone of the real server.
§ Example 2: when that public IP is routed to a DMZ zone, the NAT rule must use the DMZ zone as its destination zone (Untrust to DMZ), even though the real server is in Trust.
§ Original (pre-NAT) IP addresses are ALWAYS used when matching rules, in both the NAT and the Security rulebase. Why? Because address translation does not actually happen until the packet egresses the firewall, after the security policy has been evaluated.
§ The ONLY zone that may change from the original packet during processing is the Destination Zone. Hence the Security rule for Example 1 is Untrust to Trust with destination 102.100.88.90: post-NAT zone, pre-NAT address.
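To make the evaluation order concrete, here is a small Python model of the seven processing steps, covering both Example 1 and Example 2. It is an added example, not Palo Alto Networks code: the interface names (ethernet1/1 to ethernet1/3), rule names and route table are assumptions, while the zone names and addresses are the ones from the slides. The model also exercises the two configuration mistakes the rules above warn against: a NAT rule whose destination zone is the server's zone, and a security rule written with the translated (real) address.

```python
"""Model of the PAN-OS zone / NAT / security evaluation order (added example).
Not Palo Alto Networks code. Interface names, rule names and routes are assumed;
zones and addresses come from the slides."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class NatRule:
    name: str
    from_zone: str
    to_zone: str      # evaluated PRE-NAT: zone the ORIGINAL destination routes to
    destination: str  # ORIGINAL (pre-NAT) destination address
    translated: str   # real server address (destination translation)


@dataclass
class SecurityRule:
    name: str
    from_zone: str
    to_zone: str      # evaluated POST-NAT: zone the TRANSLATED address routes to
    destination: str  # still the ORIGINAL (pre-NAT) destination address, or "any"
    action: str


class PanosModel:
    def __init__(self, routes, zones, nat_rules, security_rules):
        self.routes = [(ip_network(net), iface) for net, iface in routes]
        self.zones = zones                  # interface -> zone
        self.nat_rules = nat_rules
        self.security_rules = security_rules

    def egress_zone(self, dst_ip):
        """Longest-prefix route lookup, then the zone of the egress interface."""
        ip = ip_address(dst_ip)
        candidates = [(net, iface) for net, iface in self.routes if ip in net]
        if not candidates:
            raise LookupError(f"no route to {dst_ip}")
        _, iface = max(candidates, key=lambda c: c[0].prefixlen)
        return self.zones[iface]

    def process(self, ingress_iface, dst_ip):
        trace = {"original_dst": dst_ip}
        # Steps 1-2: source zone from the ingress interface, destination zone from a
        # route lookup on the ORIGINAL destination address.
        src_zone = self.zones[ingress_iface]
        pre_nat_dst_zone = self.egress_zone(dst_ip)
        trace["pre_nat_zones"] = (src_zone, pre_nat_dst_zone)
        # Step 3: NAT rulebase, matched on pre-NAT zones and the pre-NAT address.
        nat = next((r for r in self.nat_rules
                    if (r.from_zone, r.to_zone, r.destination)
                    == (src_zone, pre_nat_dst_zone, dst_ip)), None)
        trace["nat_rule"] = nat.name if nat else None
        # Step 4: route lookup on the TRANSLATED address; only the destination zone may change.
        post_nat_dst = nat.translated if nat else dst_ip
        post_nat_dst_zone = self.egress_zone(post_nat_dst)
        trace["post_nat_zones"] = (src_zone, post_nat_dst_zone)
        # Step 5: security rulebase: post-NAT zones, but still the ORIGINAL address.
        sec = next((r for r in self.security_rules
                    if r.from_zone == src_zone and r.to_zone == post_nat_dst_zone
                    and r.destination in ("any", dst_ip)), None)
        trace["security_rule"] = sec.name if sec else None
        allowed = sec is not None and sec.action == "allow"   # no match: interzone default deny
        # Steps 6-7: the address is rewritten only when an allowed packet is forwarded.
        trace["forwarded_dst"] = post_nat_dst if allowed else None
        return trace


# Assumed topology carrying both examples on one firewall.
ZONES = {"ethernet1/1": "Untrust", "ethernet1/2": "Trust", "ethernet1/3": "DMZ"}
ROUTES = [
    ("0.0.0.0/0", "ethernet1/1"),         # default route towards the Internet
    ("102.100.88.0/24", "ethernet1/1"),   # Example 1: public IP lives on the Untrust interface
    ("104.160.226.0/24", "ethernet1/3"),  # Example 2: public range is routed to the DMZ
    ("172.16.1.0/24", "ethernet1/2"),     # real servers in Trust
]
NAT_RULES = [
    NatRule("ex1-dnat", "Untrust", "Untrust", "102.100.88.90", "172.16.1.40"),
    NatRule("ex2-dnat", "Untrust", "DMZ", "104.160.226.80", "172.16.1.39"),
]
SECURITY_RULES = [
    SecurityRule("ex1-allow", "Untrust", "Trust", "102.100.88.90", "allow"),
    SecurityRule("ex2-allow", "Untrust", "Trust", "104.160.226.80", "allow"),
]
FW = PanosModel(ROUTES, ZONES, NAT_RULES, SECURITY_RULES)


def example1():
    return FW.process("ethernet1/1", "102.100.88.90")


def example2():
    return FW.process("ethernet1/1", "104.160.226.80")


def example1_nat_zone_mistake():
    """NAT rule written with the server's zone (Trust) as destination zone: never matches."""
    bad = [NatRule("ex1-dnat-bad", "Untrust", "Trust", "102.100.88.90", "172.16.1.40")]
    return PanosModel(ROUTES, ZONES, bad, SECURITY_RULES).process("ethernet1/1", "102.100.88.90")


def example1_security_address_mistake():
    """Security rule written with the translated (real) address: never matches."""
    bad = [SecurityRule("ex1-allow-bad", "Untrust", "Trust", "172.16.1.40", "allow")]
    return PanosModel(ROUTES, ZONES, NAT_RULES, bad).process("ethernet1/1", "102.100.88.90")
```

Running example1() returns a trace whose pre-NAT zones are (Untrust, Untrust), post-NAT zones (Untrust, Trust) and forwarded destination 172.16.1.40; example2() goes (Untrust, DMZ) then (Untrust, Trust). In both mistake cases the packet is dropped: with the wrong NAT destination zone no NAT rule matches, so the destination zone stays Untrust and no security rule fires; with the translated address in the security rule the NAT rule matches but the security lookup, which still sees 102.100.88.90, finds nothing.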
Destination NAT Policy configuration
[Screenshot: destination NAT rule with the following fields annotated]
Source Zone: the zone the source IP is coming from (i.e. the Internet zone).
Destination Zone: the zone of the NATed (public) IP. To find it, run "show routing route destination <natted ip subnet/mask>" and check the zone of the interface the route points to.
Source Address: the original source address.
Destination Address: the NATed (public) IP.
Destination Translation, Translated Address: the real IP of the server.
Source NAT
§ PAN-OS supports the following options for source translation:
§ Dynamic-ip-and-port (DIPP)
§ Dynamic-ip (DIP)
§ Static IP
DIP NAT
§ In this form of NAT the original source port number is left intact; only the source IP address is translated.
§ When using the dynamic-ip type of source NAT, the size of the NAT pool must be equal to the number of internal hosts that require address translation. If all the IP addresses in the pool are in use, connections from new hosts cannot be translated and are dropped. New sessions from hosts that already hold a translated address from the pool are still allowed.
DIPP NAT
§ To translate both the source IP address AND the source port number, the DIPP (dynamic IP and port) type of translation must be used.
§ This form of NAT is also commonly referred to as interface-based NAT or network address port translation (NAPT). Other vendors use their own names for the same thing:
§ Cisco routers: NAT Overload
§ Juniper NetScreen: PAT
Translated IPs
[Screenshot]
When do we need oversubscription?
§ Use case 1: when you have "X" public IPs and need more than X x 64511 concurrent NAT sessions.
NAT capacity (PA-3050)
[Table; columns: Maximum NAT rules combined (Static, DIP and DIPP); Maximum Static NAT; Maximum DIP NAT; Maximum DIPP NAT; Maximum DIP IPs; Maximum DIPP IPs with oversubscription off (1x); Default oversubscription (source IP and port being reused 2x, different destination IP). Only one cell survived extraction: 800, the maximum number of translated DIPP addresses at 1x oversubscription, which the calculation on the next slide uses.]
DIPP oversubscription
§ Usable number of ports per translated IP: 65535 – 1024 = 64511
§ Example: maximum number of PA-3050 DIPP NAT sessions
§ Default DIPP oversubscription for the PA-3050 is 2x
§ With 1 public IP and the default 2x oversubscription: 1 x 64511 x 2 = 129,022 NAT sessions
§ Maximum number of NAT sessions for the PA-3050 when the maximum DIPP oversubscription (8x) is used: (800 max translated addresses / 8 max oversub) x 8 x 64511 = 100 x 8 x 64511 = 51,608,800 NAT sessions. This is the same as 800 x 64511 at 1x: raising the oversubscription factor multiplies the sessions per translated IP but divides the number of translated IPs the platform can hold by the same factor.
§ This assumes all sessions are going to different destinations, because an oversubscribed source IP/port pair can only be reused for a different destination IP.
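The pool-exhaustion behaviour of DIP and the "different destination" constraint behind DIPP oversubscription, as an added Python model that is not Palo Alto Networks code. The allocator is a simplification: real PAN-OS port selection is not first-fit, the translated and destination addresses are constructed documentation addresses, and the tiny port range in dipp_demo() is chosen so that exhaustion shows up within a handful of sessions. dipp_capacity() reproduces the PA-3050 arithmetic above.

```python
"""DIP vs DIPP source NAT allocation and the oversubscription arithmetic (added example).
Not Palo Alto Networks code: a first-fit allocator modelling the behaviour the slides
describe. Pool sizes, port ranges and addresses are constructed for illustration."""
from collections import defaultdict

USABLE_PORTS = 65535 - 1024   # 64,511, as computed on the slide


def dipp_capacity(public_ips, oversub):
    """Maximum concurrent DIPP sessions, assuming every session has a distinct destination."""
    return public_ips * USABLE_PORTS * oversub


class DipPool:
    """Dynamic IP: each internal host gets its own translated IP; the source port is kept."""

    def __init__(self, translated_ips):
        self.free = list(translated_ips)
        self.assigned = {}                     # internal host -> translated IP

    def translate(self, src_ip, src_port):
        if src_ip not in self.assigned:
            if not self.free:
                return None                    # pool exhausted: a NEW host is dropped
            self.assigned[src_ip] = self.free.pop(0)
        return (self.assigned[src_ip], src_port)


class DippPool:
    """Dynamic IP and port: a (translated IP, port) tuple may be reused up to `oversub`
    times, but never for two sessions to the same destination IP."""

    def __init__(self, translated_ips, oversub=1, ports=range(1024, 65536)):
        self.translated_ips = list(translated_ips)
        self.oversub = oversub
        self.ports = ports
        self.in_use = defaultdict(set)         # (translated IP, port) -> destinations using it

    def translate(self, src_ip, src_port, dst_ip):
        # First-fit search (the real firewall does not pick ports sequentially, but the
        # constraint is the same): at most `oversub` sessions per tuple, all to distinct destinations.
        for ip in self.translated_ips:
            for port in self.ports:
                users = self.in_use[(ip, port)]
                if dst_ip not in users and len(users) < self.oversub:
                    users.add(dst_ip)
                    return (ip, port)
        return None                            # no tuple free for this destination: dropped


def dip_demo():
    """Two translated IPs, three hosts: the third host is dropped, the first keeps working."""
    pool = DipPool(["203.0.113.1", "203.0.113.2"])
    return [
        pool.translate("10.0.0.1", 40000),   # -> ("203.0.113.1", 40000), port untouched
        pool.translate("10.0.0.2", 40000),   # -> ("203.0.113.2", 40000)
        pool.translate("10.0.0.3", 40000),   # -> None: no free translated IP for a new host
        pool.translate("10.0.0.1", 40001),   # -> ("203.0.113.1", 40001): known host, new session
    ]


def dipp_demo():
    """One translated IP, two ports, 2x oversubscription: capacity is 1 x 2 x 2 = 4 sessions,
    but only if the sessions sharing a tuple go to different destinations."""
    pool = DippPool(["203.0.113.1"], oversub=2, ports=range(1024, 1026))
    return [
        pool.translate("10.0.0.1", 40000, "198.51.100.10"),   # -> port 1024 (1st use)
        pool.translate("10.0.0.2", 40000, "198.51.100.10"),   # -> port 1025 (1st use)
        pool.translate("10.0.0.3", 40000, "198.51.100.10"),   # -> None: both tuples already serve .10
        pool.translate("10.0.0.3", 40000, "198.51.100.20"),   # -> port 1024 reused (2nd use, new destination)
        pool.translate("10.0.0.4", 40000, "198.51.100.30"),   # -> port 1025 reused (1024 is at its 2x limit)
        pool.translate("10.0.0.5", 40000, "198.51.100.40"),   # -> None: every tuple at its 2x limit
    ]
```

dipp_demo() allocates exactly four sessions, the theoretical capacity, only because four different destination addresses were used; the third session, which targets a destination already present on both tuples, is refused even though the pool is half empty. That is the practical meaning of "assuming all sessions going to different destinations" in the capacity figures above.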
Example oversub 1x
[Screenshot]
Example oversub 8x
[Screenshot]
NAT CLI Command
§ Check DIPP/DIP rule capacity
[Screenshots of CLI output; the command text is not reproduced in the extracted slides]