Transcript of Advanced-NAT.pptx
Advanced NAT
Agenda
• IP Pools
• One to Many destination NAT
• NAT U-Turn
  - 3 Zones
  - 2 Zones
• Overlapping Subnets
© 2009 Palo Alto Networks. Proprietary and Confidential | Page 2
Source NAT Pools
• Used when more than one public address is available for outbound translation.
• Needed to support more than 64K outbound sessions: a single translated address offers only one 16-bit source-port range, so more concurrent outbound sessions than that require a pool of addresses.
One to Many destination NAT
• Internet Zone: public IP 81.23.7.22
• DMZ Zone:
  - SMTP Relay 192.168.10.10
  - Web Server 192.168.10.20, port 8080
  - POP3 / IMAP 192.168.10.30
A single public address fronts all three DMZ hosts: the destination port of the incoming session selects which host receives it, and for the web server the port is also translated (80 to 8080).
Building the NAT Policy
Security Policy for One to Many NAT
The security rule is written with the post-NAT zones (from Internet to DMZ) but the pre-NAT destination address (the public IP 81.23.7.22): security policy is evaluated on the original addresses and on the zones the firewall determines after the NAT lookup. Note that the web server listens on 8080, yet the rule uses application-default, because the security rule sees the original destination port (80).
# set rulebase security rules "DMZ Services" from Internet to DMZ source any destination Pub_IP-81.23.7.22 source-user any application [ pop3 smtp imap web-browsing ] service application-default action allow log-end yes
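The NAT rules behind the "Building the NAT Policy" slide survive only as a screenshot. What follows is an added PAN-OS CLI reconstruction, not the deck's own configuration: the zone names Internet and DMZ and the address object Pub_IP-81.23.7.22 come from the security rule above, while the other object names (SMTP-Relay, Web-Server, Mail-Store, svc-smtp, svc-pop3, svc-imap), the rule names and the public-side ports are assumptions. Lines beginning with "#" are annotations, not CLI input, and the configure-mode prompt is omitted.

```panos
# Address and service objects (names assumed; IPs are from the slide)
set address Pub_IP-81.23.7.22 ip-netmask 81.23.7.22/32
set address SMTP-Relay ip-netmask 192.168.10.10/32
set address Web-Server ip-netmask 192.168.10.20/32
set address Mail-Store ip-netmask 192.168.10.30/32
set service svc-smtp protocol tcp port 25
set service svc-pop3 protocol tcp port 110
set service svc-imap protocol tcp port 143

# Destination NAT rules. Zones in NAT policy are PRE-NAT: the public IP routes
# toward the Internet-facing interface, so both from- and to-zone are Internet.
# The pre-NAT service selects which DMZ host (and port) gets the session.
set rulebase nat rules DNAT-SMTP from Internet to Internet source any destination Pub_IP-81.23.7.22 service svc-smtp destination-translation translated-address SMTP-Relay
set rulebase nat rules DNAT-Web from Internet to Internet source any destination Pub_IP-81.23.7.22 service service-http destination-translation translated-address Web-Server translated-port 8080
set rulebase nat rules DNAT-POP3 from Internet to Internet source any destination Pub_IP-81.23.7.22 service svc-pop3 destination-translation translated-address Mail-Store
set rulebase nat rules DNAT-IMAP from Internet to Internet source any destination Pub_IP-81.23.7.22 service svc-imap destination-translation translated-address Mail-Store

# The matching security rule (as on the slide above) is from Internet to DMZ,
# i.e. post-NAT zones, with the pre-NAT destination Pub_IP-81.23.7.22.
```

A quick check after commit is to browse to http://81.23.7.22/ from outside and confirm in the traffic log that the session shows destination 81.23.7.22:80, NAT destination 192.168.10.20:8080 and the rule "DMZ Services"; a session that hits the wrong NAT rule or none at all is the usual sign that the to-zone in the NAT rule was written as DMZ instead of Internet.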
U-Turn NAT – 3 Zones
• When internal traffic needs to access DMZ resources using public IP addresses
• User Zone: 192.168.1.0/24
• DMZ Zone: Web Server 192.168.10.20 (company.com)
• Internet Zone: www.company.com resolves to 81.23.7.22; users browse to http://www.company.com
NAT and Security rules
• The U-Turn NAT rule must be placed above the general Internet-access (outbound source NAT) rule: NAT policy is evaluated top-down with first match, and the outbound rule (destination any) would otherwise claim user traffic to the public IP and send it out instead of turning it around.
• The security rule is between the Users zone and the DMZ zone (the post-NAT destination zone), matched on the public destination address (pre-NAT).
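The rulebase for the 3-zone case as an added PAN-OS CLI example, not the deck's own configuration. It also carries the general outbound source NAT rule that draws on an address pool as on the IP Pools slide, so the ordering requirement can be stated concretely. The zone name Users, the pool range 81.23.7.23-81.23.7.26, the object names, rule names and the 8080 translated port are assumptions; the remaining addresses come from the slides. Lines beginning with "#" are annotations, not CLI input.

```panos
# Objects (names assumed; addresses from the slides, pool range assumed)
set address Pub_IP-81.23.7.22 ip-netmask 81.23.7.22/32
set address Web-Server ip-netmask 192.168.10.20/32
set address Users-Net ip-netmask 192.168.1.0/24
set address SNAT-Pool ip-range 81.23.7.23-81.23.7.26

# General Internet access: dynamic IP-and-port source NAT from the pool
set rulebase nat rules Outbound-SNAT from Users to Internet source any destination any source-translation dynamic-ip-and-port translated-address SNAT-Pool

# U-turn: users reach the DMZ web server by its public IP. Zones are pre-NAT,
# so the to-zone is Internet (where 81.23.7.22 routes), not DMZ.
set rulebase nat rules U-Turn-Web from Users to Internet source Users-Net destination Pub_IP-81.23.7.22 service service-http destination-translation translated-address Web-Server translated-port 8080

# NAT policy is first-match and Outbound-SNAT also matches this traffic
# (destination any), so the U-turn rule has to sit above it.
move rulebase nat rules U-Turn-Web before Outbound-SNAT

# Security rule: POST-NAT zones (Users -> DMZ) with the PRE-NAT destination IP
set rulebase security rules "Users to DMZ Web" from Users to DMZ source Users-Net destination Pub_IP-81.23.7.22 source-user any application web-browsing service application-default action allow log-end yes
```

If the move is forgotten, the symptom is not a deny but a session in the traffic log that leaves through the Internet zone with a pool address as its NAT source and never reaches the DMZ, which is why checking the NAT rule name in the log is the fastest test.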
U-Turn NAT – 2 Zones
• When internal traffic needs to access local resources using public IP addresses
• User Zone: Web Server 192.168.10.20 (company.com); user DHCP scope 192.168.10.100-200 on the same subnet
• Internet Zone: www.company.com resolves to 81.23.7.22; users browse to http://www.company.com
NAT and Security rules
• The U-Turn NAT rule must be placed above the general Internet-access rule, for the same reason as in the 3-zone case: NAT is first-match and the outbound rule would otherwise claim the traffic.
• No separate security rule is needed: after translation the session is intra-zone (User zone to User zone), which the default intrazone rule allows.
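The 2-zone rule as an added PAN-OS CLI example, not the deck's own configuration. Because the web server and the clients share 192.168.10.0/24, the U-turn rule here also applies source translation to the firewall's inside interface address: without it the server would answer the client directly on the LAN from 192.168.10.20, the client would see a reply from an address it never sent to (it sent to 81.23.7.22) and drop it. The zone name Users, the interface ethernet1/2, the object and rule names and the 8080 translated port are assumptions; the general outbound rule is repeated only so the ordering command has something to order against. Lines beginning with "#" are annotations, not CLI input.

```panos
# Objects (names assumed; addresses from the slide)
set address Pub_IP-81.23.7.22 ip-netmask 81.23.7.22/32
set address Web-Server ip-netmask 192.168.10.20/32

# General Internet access (pool and zone names assumed, as elsewhere)
set address SNAT-Pool ip-range 81.23.7.23-81.23.7.26
set rulebase nat rules Outbound-SNAT from Users to Internet source any destination any source-translation dynamic-ip-and-port translated-address SNAT-Pool

# 2-zone U-turn: destination NAT to the server PLUS source NAT to the firewall's
# own inside interface address, so the server's reply returns via the firewall
# and is un-translated back to 81.23.7.22 before it reaches the client.
set rulebase nat rules U-Turn-Web-2Z from Users to Internet source any destination Pub_IP-81.23.7.22 service service-http destination-translation translated-address Web-Server translated-port 8080 source-translation dynamic-ip-and-port interface-address interface ethernet1/2

# Must precede the general outbound rule (first match)
move rulebase nat rules U-Turn-Web-2Z before Outbound-SNAT

# No security rule: post-NAT the session is Users -> Users and the
# intrazone-default rule allows it. The log still shows the NAT rule name.
```

The cost of the source translation is that the web server's logs record the firewall's interface address instead of the real client for these internal sessions, so if per-client logging on the server matters, the 3-zone design (server in its own zone) is the one to prefer.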
Thank You