Advanced-NAT.pptx

Advanced NAT

Agenda

• IP Pools

• One to Many destination NAT

• NAT U-Turn- 3 Zones

- 2 Zones

• Overlapping Subnets

© 2009 Palo Alto Networks. Proprietary and Confidential |

Source NAT Pools

• Used when more then one public address is available.

• Needed to support more then 64K out-bound sessions


DMZ Zone

Internet Zone

One to Many destination NAT


SMTP Relay

192.168.10.10

Web Server

192.168.10.20

Port 8080

POP3 / IMAP

192.168.10.30

Public IP

81.23.7.22

Building the NAT Policy


Security Policy for One to Many NAT


# set rulebase security rules "DMZ Services" from Internet to DMZ source any destination Pub_IP-81.23.7.22 source-user any application [ pop3 smtp imap web-browsing ] service application-default action allow log-end yes

User Zone

192.168.1.0/24

DMZ ZoneInternet Zone

U-Turn NAT – 3 Zones

• When internal traffic needs to access DMZ resources using public IP addresses


Web Server

company.com

192.168.10.20

www.company.com

81.23.7.22

http://www.company.com

NAT and Security rules

• U-Turn NAT rule must go before general Internet access


• Security Rule is between the Users zone and the DMZ

User ZoneInternet Zone

U-Turn NAT – 2 Zones

• When internal traffic needs to access local resources using public IP addresses


Web Server

company.com

192.168.10.20

www.company.com

81.23.7.22

http://www.company.com

User DHCP Scope: 192.168.10.100-200

NAT and Security rules

• U-Turn NAT rule must go before general Internet access


• Security Rule is not needed in Intra-Zone traffic

Thank You

Advanced-NAT.pptx

Documents

Transcript of Advanced-NAT.pptx