NAT Policies
Why NAT Is Necessary
Network Address Translation (NAT) was born out of IPv4 exhaustion. The approximately 4.3 billion public IPv4 addresses would have been consumed long ago if every device needed a unique public IP. RFC 1918 reserved three address ranges for private use, and NAT allows entire organizations to share one or a small pool of public IP addresses for all outbound internet communication.
| RFC 1918 Range | CIDR Block | Total Addresses |
|---|---|---|
| 10.0.0.0 – 10.255.255.255 | 10.0.0.0/8 | 16,777,216 |
| 172.16.0.0 – 172.31.255.255 | 172.16.0.0/12 | 1,048,576 |
| 192.168.0.0 – 192.168.255.255 | 192.168.0.0/16 | 65,536 |
Beyond address conservation, NAT provides a degree of topology hiding: external hosts cannot reach private addresses directly, since RFC 1918 space is not routed on the internet, and a host behind dynamic source NAT has no inbound mapping until it opens a session itself. NAT is not a security control, though. It enforces no policy, and anything that has a translation (a static mapping, a DNAT rule, an active PAT session) is reachable through it, so it is never a substitute for firewall policy.
NAT Policy Components
A PAN-OS NAT policy rule has two main sections: the Original Packet (matching criteria) and the Translated Packet (what to change).
| Field | Section | Description |
|---|---|---|
| Source Zone | Original Packet | Zone traffic originates from |
| Destination Zone | Original Packet | Pre-NAT destination zone: the zone selected by the route lookup on the original destination IP (untrust for a public IP that sits on the firewall's own untrust interface) |
| Destination Interface | Original Packet | Specific interface (optional) |
| Source Address | Original Packet | Pre-NAT source IP to match |
| Destination Address | Original Packet | Pre-NAT destination IP to match |
| Service | Original Packet | Protocol/port to match |
| Source Translation | Translated Packet | How to translate the source address |
| Destination Translation | Translated Packet | How to translate the destination address (for DNAT) |
Source NAT Types
Dynamic IP and Port (PAT / MASQUERADE)
This is the most common NAT type, used for corporate outbound internet access. The firewall translates thousands of internal connections to a single public IP and assigns each session a unique translated source port to tell them apart. Also called Port Address Translation (PAT); Linux netfilter calls the same thing masquerade.
- One translated IP supports roughly 64,000 concurrent sessions, bounded by the number of usable source ports; PAN-OS can oversubscribe that limit by reusing a translated IP:port for sessions to different destinations
- The firewall records each mapping (private IP:port → public IP:port) in its session table
- Return traffic is matched to that session and de-NATed back to the private IP:port; inbound packets with no matching session have nowhere to go and are dropped
- Translated address: Interface Address (the IP of the egress interface) or a specific IP or address pool
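The following model shows the mechanism the bullets describe: one public IP shared by many private hosts, a unique translated source port per session, the reverse lookup that de-NATs return traffic, and what happens when the port range runs out. It is an added illustration, not PAN-OS code; the addresses, the tiny port range and the `PatTable` class are all constructed for the example.

```python
"""Model of a Dynamic IP and Port (PAT) translation table for one public IP.

Added illustration, not PAN-OS code. Addresses are constructed sample data
(RFC 1918 and documentation prefixes); the class name and API are invented.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass
class PatTable:
    public_ip: str
    # Usable source ports; len(range(1024, 65536)) == 64512, hence "~64,000 sessions per IP".
    port_range: range = range(1024, 65536)
    free_ports: List[int] = field(init=False)
    # (private endpoint, destination endpoint) -> translated source port
    outbound: Dict[Tuple[Endpoint, Endpoint], int] = field(default_factory=dict)
    # (translated source port, destination endpoint) -> private endpoint
    inbound: Dict[Tuple[int, Endpoint], Endpoint] = field(default_factory=dict)

    def __post_init__(self) -> None:
        # pop() hands out the lowest free port first, which keeps the demo deterministic.
        self.free_ports = list(reversed(self.port_range))

    def translate_outbound(self, src: Endpoint, dst: Endpoint) -> Optional[Tuple[Endpoint, Endpoint]]:
        """Private host sends a packet: return (translated src, dst), or None if no port is free."""
        key = (src, dst)
        port = self.outbound.get(key)
        if port is None:  # new session: allocate a translated port and record both directions
            if not self.free_ports:
                return None  # port range exhausted: the new session is dropped
            port = self.free_ports.pop()
            self.outbound[key] = port
            self.inbound[(port, dst)] = src
        return (self.public_ip, port), dst

    def translate_inbound(self, src: Endpoint, dst: Endpoint) -> Optional[Tuple[Endpoint, Endpoint]]:
        """Packet arrives from the internet at public_ip:port: return (src, private dst) or None."""
        if dst[0] != self.public_ip:
            return None
        private = self.inbound.get((dst[1], src))
        if private is None:
            return None  # no session created this mapping: unsolicited inbound traffic is dropped
        return src, private

    def close_session(self, src: Endpoint, dst: Endpoint) -> bool:
        """Session ended (FIN/RST or timeout): release its port back to the pool."""
        port = self.outbound.pop((src, dst), None)
        if port is None:
            return False
        del self.inbound[(port, dst)]
        self.free_ports.append(port)
        return True


def demo() -> dict:
    """Walk through allocation, de-NAT, unsolicited inbound, exhaustion and port reuse."""
    # Tiny port range so exhaustion is reachable in a few calls.
    nat = PatTable("203.0.113.10", port_range=range(10000, 10003))
    dns = ("8.8.8.8", 53)
    results = {}
    # Two hosts use the same private source port; they must get distinct translated ports.
    results["host_a"] = nat.translate_outbound(("10.1.1.20", 51000), dns)
    results["host_b"] = nat.translate_outbound(("10.1.1.21", 51000), dns)
    # The reply to host B arrives at the public IP and translated port and is mapped back.
    results["reply_to_b"] = nat.translate_inbound(dns, results["host_b"][0])
    # A packet to a translated port that no session allocated is dropped.
    results["unsolicited"] = nat.translate_inbound(dns, ("203.0.113.10", 10002))
    results["host_c"] = nat.translate_outbound(("10.1.1.22", 51000), dns)
    # Fourth session: all three ports are in use.
    results["host_d_exhausted"] = nat.translate_outbound(("10.1.1.23", 51000), dns)
    # Closing host A's session frees its port for reuse.
    nat.close_session(("10.1.1.20", 51000), dns)
    results["host_d_after_close"] = nat.translate_outbound(("10.1.1.23", 51000), dns)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The model allocates one port per session regardless of destination, which is the strict reading of the ~64,000 limit; a firewall that oversubscribes (as PAN-OS can) would key the inbound table on the full 5-tuple and hand the same translated port to sessions bound for different destinations.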
Dynamic IP (Pool-Based)
Rather than overloading ports, the firewall assigns each internal host its own public IP from a pool, so the source port is left unchanged. When every pool address is in use, new sessions are dropped unless the rule's Dynamic IP/Port fallback option is enabled, in which case they are translated with Dynamic IP and Port instead. Useful when destination servers limit connections per source IP or treat many sessions from one address as abuse.
Static IP (1:1 NAT)
Static NAT maps a private IP to a public IP one-to-one. Every packet from the private host gets the same public source IP and keeps its source port. With the rule's Bi-directional option enabled, PAN-OS also derives the implied destination NAT, so inbound traffic to the public IP reaches the private host without a separate DNAT rule; a security rule that allows that inbound traffic is still required. Commonly used for servers that need a consistent public identity (e.g., a mail server, whose sending IP must have a PTR record that resolves back to it for reliable delivery).
Destination NAT
Destination NAT (DNAT) translates the destination IP address, and optionally the port, of inbound packets; when the port is rewritten too it is commonly called port forwarding. An external client connects to your public IP on a specific port; the firewall rewrites the destination to the internal server's private IP before forwarding.
An external user connects to 203.0.113.10:443. The NAT rule translates the destination to 10.1.1.50:443 (internal web server). The external user never sees the internal address. In PAN-OS the rule is written from untrust to untrust: the route lookup on 203.0.113.10, an address on the firewall's own untrust interface, selects untrust as the pre-NAT destination zone.
Security Policy Still Required
A NAT rule only rewrites addresses; it never permits traffic. The session above also needs a security rule that allows it, written from untrust to the web server's zone (the post-NAT destination zone) with 203.0.113.10, the pre-NAT destination address, as the destination. Without that rule the translation is found but the session is dropped.
U-Turn NAT (Hairpin NAT)
U-turn NAT solves a specific scenario: internal clients reaching an internal server by its public IP address. Without U-turn NAT, the client's packet goes to the firewall, which applies the DNAT to the server's private IP and forwards it. If the server and the client share a subnet (or the server's route back to the client otherwise bypasses the firewall), the server answers the client directly from its private IP. The client sent a SYN to the public IP and receives a SYN-ACK from a different address, so it discards the reply and the session never completes, while the firewall has seen only half the conversation.
With U-turn NAT, the rule that matches this internal-to-public-IP traffic also translates the source IP to the IP of the firewall interface facing the server. The server sees the firewall as the source, sends its response to the firewall, and the firewall de-NATs both addresses and routes the reply back to the client.
- Create a NAT rule: source zone trust, destination zone untrust (the pre-NAT zone of the public IP), destination address = public IP, translate destination to the internal server IP
- In the same rule, add source translation to the IP of the firewall interface in the server's zone (Dynamic IP and Port, Interface Address); in this trust-to-trust case that is the trust interface IP
- Both translations must be in one rule: PAN-OS applies only the first NAT rule that matches a session, so a separate DNAT rule and SNAT rule would never both take effect
- Place this rule above the general outbound source NAT rule (trust to untrust, any destination), which would otherwise match first
- The security rule for this traffic is written from trust to the server's zone with the public IP as destination (pre-NAT address, post-NAT zone); when client and server are in the same zone the intrazone default rule allows it unless you have overridden that default
NAT Evaluation Order
Understanding when NAT is applied relative to security policy evaluation is critical and a common source of confusion. For a new session the firewall proceeds as follows:
1. Initial route lookup — the firewall looks up the original (pre-NAT) destination IP to find the egress interface and therefore the pre-NAT destination zone. This is the zone a NAT rule's Destination Zone field must name.
2. NAT policy lookup — the firewall walks the NAT rulebase top-down on pre-NAT zones and addresses and records the translation from the first matching rule. Nothing in the packet is changed yet. If the rule translates the destination, a second route lookup on the post-NAT destination IP determines the post-NAT destination zone.
3. Security policy lookup — the firewall evaluates security rules using the pre-NAT source and destination IP addresses together with the post-NAT destination zone. An inbound DNAT session therefore matches a rule written from untrust to the server's zone with the public IP as destination, not the private IP.
4. Packet forwarding — if security policy allows the session, the recorded translation is applied and the packet is forwarded.
Key Implication
Security rules for NATed traffic are written with pre-NAT addresses and post-NAT zones. A rule that names the internal server's private IP as the destination never matches inbound DNAT traffic, and a rule from untrust to untrust never matches it either, because the post-NAT zone is the server's zone. The reverse also holds: a matching NAT rule with no security rule to allow the session translates nothing, since the interzone default deny drops the session before forwarding.
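The model below walks a session through the four steps above and also evaluates the U-turn case from the previous section, so the effect of "pre-NAT addresses, post-NAT zones" and of NAT rule order can be checked against concrete packets. It is an added illustration, not PAN-OS code: the zones, routes, rule names and addresses are constructed for the example (a firewall holding 203.0.113.10 on its untrust interface and 10.1.1.1 on a dmz interface, the web server 10.1.1.50 in dmz, users in 192.168.1.0/24 in trust), and `BROKEN_SEC_RULES` holds two deliberately wrong security rules to show which mistakes fail.

```python
"""Model of PAN-OS session setup: route lookup, NAT lookup, security lookup, forward.

Added illustration, not PAN-OS code. Zones, routes, rules and addresses are
constructed sample data; the function and class names are invented.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


def in_net(ip: str, net: str) -> bool:
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


@dataclass(frozen=True)
class Route:
    prefix: str
    zone: str  # zone of the egress interface for this prefix


@dataclass(frozen=True)
class NatRule:
    name: str
    from_zone: str
    to_zone: str  # pre-NAT destination zone, from the route lookup on the original destination
    src: str = "any"
    dst: str = "any"
    translated_src: Optional[str] = None
    translated_dst: Optional[str] = None


@dataclass(frozen=True)
class SecurityRule:
    name: str
    from_zone: str
    to_zone: str  # post-NAT destination zone
    src: str = "any"  # compared with the pre-NAT source IP
    dst: str = "any"  # compared with the pre-NAT destination IP
    action: str = "allow"


def route_zone(routes: List[Route], ip: str) -> str:
    """Longest-prefix match; assumes a default route is present."""
    best = max((r for r in routes if in_net(ip, r.prefix)),
               key=lambda r: ipaddress.ip_network(r.prefix, strict=False).prefixlen)
    return best.zone


def evaluate(routes: List[Route], nat_rules: List[NatRule], sec_rules: List[SecurityRule],
             src_zone: str, src_ip: str, dst_ip: str) -> Dict[str, Optional[str]]:
    # 1. Route lookup on the ORIGINAL destination gives the pre-NAT destination zone.
    pre_zone = route_zone(routes, dst_ip)
    # 2. NAT lookup, top-down first match, on pre-NAT zones and addresses. The translation
    #    is only recorded here; the packet is not changed yet.
    nat = next((r for r in nat_rules if r.from_zone == src_zone and r.to_zone == pre_zone
                and in_net(src_ip, r.src) and in_net(dst_ip, r.dst)), None)
    post_src = nat.translated_src if nat and nat.translated_src else src_ip
    post_dst = nat.translated_dst if nat and nat.translated_dst else dst_ip
    #    A second route lookup on the post-NAT destination gives the post-NAT destination zone.
    post_zone = route_zone(routes, post_dst)
    # 3. Security lookup uses the pre-NAT addresses with the post-NAT destination zone.
    sec = next((r for r in sec_rules if r.from_zone == src_zone and r.to_zone == post_zone
                and in_net(src_ip, r.src) and in_net(dst_ip, r.dst)), None)
    if sec is not None:
        action = sec.action
    else:  # PAN-OS defaults: intrazone-default allows, interzone-default denies
        action = "allow" if src_zone == post_zone else "deny"
    # 4. The translation is applied only when the session is allowed.
    return {"pre_nat_dst_zone": pre_zone, "nat_rule": nat.name if nat else None,
            "post_nat_dst_zone": post_zone, "security_rule": sec.name if sec else None,
            "action": action, "forwarded": f"{post_src} -> {post_dst}" if action == "allow" else None}


ROUTES = [
    Route("0.0.0.0/0", "untrust"),       # default route out of the untrust interface
    Route("203.0.113.0/24", "untrust"),  # connected public subnet; the firewall owns 203.0.113.10
    Route("10.1.1.0/24", "dmz"),         # connected DMZ; firewall interface 10.1.1.1, server 10.1.1.50
    Route("192.168.1.0/24", "trust"),    # connected user LAN
]
NAT_RULES = [
    # U-turn: both translations in one rule (only the first matching NAT rule applies), placed
    # above the general outbound rule, which would otherwise match trust->untrust traffic first.
    NatRule("uturn-web", "trust", "untrust", dst="203.0.113.10",
            translated_dst="10.1.1.50", translated_src="10.1.1.1"),
    NatRule("inbound-web", "untrust", "untrust", dst="203.0.113.10", translated_dst="10.1.1.50"),
    NatRule("outbound-pat", "trust", "untrust", translated_src="203.0.113.10"),
]
SEC_RULES = [
    SecurityRule("allow-web-in", "untrust", "dmz", dst="203.0.113.10"),   # pre-NAT dst, post-NAT zone
    SecurityRule("allow-web-uturn", "trust", "dmz", dst="203.0.113.10"),
    SecurityRule("allow-out", "trust", "untrust", src="192.168.1.0/24"),
]
# Deliberately wrong rules: the server's private IP, or the pre-NAT zone, as the match.
BROKEN_SEC_RULES = [
    SecurityRule("broken-by-ip", "untrust", "dmz", dst="10.1.1.50"),
    SecurityRule("broken-by-zone", "untrust", "untrust", dst="203.0.113.10"),
]


def demo() -> Dict[str, Dict[str, Optional[str]]]:
    return {
        "inbound": evaluate(ROUTES, NAT_RULES, SEC_RULES, "untrust", "198.51.100.7", "203.0.113.10"),
        "uturn": evaluate(ROUTES, NAT_RULES, SEC_RULES, "trust", "192.168.1.50", "203.0.113.10"),
        "outbound": evaluate(ROUTES, NAT_RULES, SEC_RULES, "trust", "192.168.1.50", "8.8.8.8"),
        "inbound_broken": evaluate(ROUTES, NAT_RULES, BROKEN_SEC_RULES, "untrust", "198.51.100.7", "203.0.113.10"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

Running it shows the inbound session allowed by `allow-web-in` and forwarded to 10.1.1.50, the U-turn session picked up by `uturn-web` and forwarded as 10.1.1.1 -> 10.1.1.50, outbound traffic translated to 203.0.113.10, and the inbound session denied when only the two broken rules exist: the NAT rule still matches, but no security rule does, so the interzone default deny applies.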
Common NAT Scenarios
| Scenario | NAT Type | Details |
|---|---|---|
| Corporate outbound internet | Source NAT (Dynamic IP+Port) | All internal hosts share one or few public IPs for internet access |
| DMZ web server public access | Destination NAT | Public IP:443 → internal DMZ server:443 |
| Mail server with fixed public IP | Static Source NAT (1:1) | Mail server always appears as same public IP for SPF/PTR records |
| Internal access via public IP | U-turn NAT (both DNAT + SNAT) | Internal clients reach DMZ server via its public IP |
| Overlapping IPs in site-to-site VPN | Source + destination translation in one rule (twice NAT) | Both addresses are translated so that each side's overlapping subnet appears to the other as a distinct, non-conflicting range |
CLI Verification Commands
```
# Show the NAT rulebase as currently committed
show running nat-policy

# Show sessions that have NAT applied
show session all filter nat yes

# Show a specific session, including its pre-NAT and post-NAT addresses and zones
show session id <id>

# Test which NAT rule a flow would match (zone names and addresses are examples)
test nat-policy-match from trust to untrust source 192.168.1.100 destination 8.8.8.8 protocol 6 destination-port 443 to-interface ethernet1/1

# Show the interface IP (the address used when a rule translates to 'Interface Address')
show interface ethernet1/1
```