
Network Setup and NAT Configuration on Palo Alto Firewall

Network Setup

The network is set up as follows:

  • Internal laptop (Inside zone): 192.168.1.20, connected through firewall interface e1/2 (IP 192.168.1.2)

  • Outside zone (Internet): firewall interface e1/1, IP 203.0.133.20

  • DMZ server (DMZ zone): 192.168.50.10, behind firewall interface e1/3

Firewall Interfaces:

  • Inside: e1/2 - 192.168.1.2

  • Outside: e1/1 - 203.0.133.20

  • DMZ: e1/3

Objective

  1. Configure Source NAT to allow the internal PC (192.168.1.20) to access the Internet using the firewall's external IP (203.0.133.20).

  2. Configure Destination NAT to allow internal users to access the DMZ Server (192.168.50.10) using 192.168.1.1.

Step 1: Configure Source NAT (Internal PC to Internet)

This lets the internal PC (192.168.1.20) reach the Internet by translating its private source IP to the firewall’s external IP (203.0.133.20).

1.1 Create a Source NAT Rule

  1. Navigate to: Policies → NAT → Add New Rule

  2. Name: SourceNAT_Inside_to_Internet

  3. Original Packet:

    • Source Zone: Inside

    • Destination Zone: Outside

    • Source Address: 192.168.1.20

    • Destination Address: Any

  4. Translated Packet:

    • Translation Type: Dynamic IP and Port (PAT)

    • Interface: e1/1

    • Translated Address: 203.0.133.20 (Firewall’s External IP)

  5. Click OK and Commit.

1.2 Create a Security Policy to Allow Internet Access

  1. Navigate to: Policies → Security → Add New Rule

  2. Name: Allow_Inside_to_Internet

  3. Source:

    • Source Zone: Inside

    • Source Address: 192.168.1.20

  4. Destination:

    • Destination Zone: Outside

    • Destination Address: Any

  5. Application: Any

  6. Service/URL Category: Any

  7. Action: Allow

  8. Click OK and Commit.

Step 2: Configure Destination NAT (Internal to DMZ Server)

This allows users in the Inside Zone to access the DMZ Server (192.168.50.10) using the NAT address 192.168.1.1.

2.1 Create a Destination NAT Rule

  1. Navigate to: Policies → NAT → Add New Rule

  2. Name: DNAT_Internal_to_DMZ

  3. Original Packet:

    • Source Zone: Inside

    • Destination Zone: Inside

    • Source Address: Any

    • Destination Address: 192.168.1.1

  4. Translated Packet:

    • Translation Type: Static NAT

    • Translated Address: 192.168.50.10 (DMZ Server IP)

  5. Click OK and Commit.

2.2 Create a Security Policy to Allow Access

  1. Navigate to: Policies → Security → Add New Rule

  2. Name: Allow_Inside_to_DMZ

  3. Source:

    • Source Zone: Inside

    • Source Address: Any

  4. Destination:

    • Destination Zone: DMZ

    • Destination Address: 192.168.50.10

  5. Application: Any (or restrict it to the service the server actually runs, e.g., HTTP/HTTPS if it is a web server)

  6. Service/URL Category: Any

  7. Action: Allow

  8. Click OK and Commit.

Verification Steps

Verify Source NAT

  1. From the internal PC (192.168.1.20), open a browser and try accessing an external website (e.g., www.google.com).

  2. On the Palo Alto firewall, go to Monitor → Logs → Traffic and confirm that Source NAT was applied (the source 192.168.1.20 should appear translated to 203.0.133.20).

Verify Destination NAT

  1. From the internal network, open a terminal and ping 192.168.1.1.

  2. Try accessing the DMZ server (e.g., via SSH or HTTP, depending on the service running).
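The traffic-log check in the two verification sections above can be scripted against an exported log. This is an added example, not part of the original page: the CSV header and records are constructed (a subset of the PAN-OS traffic-log field names src, dst, natsrc, natdst, from, to, rule), and 198.51.100.10 stands in for an Internet host.

```python
import csv
import io

FW_EXTERNAL_IP = "203.0.133.20"  # firewall e1/1 address used for source NAT
DMZ_NAT_IP = "192.168.1.1"       # address internal users connect to
DMZ_SERVER_IP = "192.168.50.10"  # real DMZ server address behind the DNAT rule

# Constructed sample records: the header is our own subset of PAN-OS traffic-log
# field names and 198.51.100.10 is a placeholder Internet host. Row 3 deliberately
# shows a flow that left the firewall untranslated.
SAMPLE_LOG = """\
src,dst,natsrc,natdst,from,to,rule
192.168.1.20,198.51.100.10,203.0.133.20,198.51.100.10,Inside,Outside,Allow_Inside_to_Internet
192.168.1.20,192.168.1.1,192.168.1.20,192.168.50.10,Inside,DMZ,Allow_Inside_to_DMZ
192.168.1.20,198.51.100.10,192.168.1.20,198.51.100.10,Inside,Outside,Allow_Inside_to_Internet
"""

def check_record(rec):
    """Return the problems found in one traffic-log record ([] when it is fine)."""
    problems = []
    if rec["from"] == "Inside" and rec["to"] == "Outside":
        # Source NAT: the private source must leave as the firewall's external IP
        # and the destination must be untouched.
        if rec["natsrc"] != FW_EXTERNAL_IP:
            problems.append(f"source NAT not applied: natsrc={rec['natsrc']}")
        if rec["natdst"] != rec["dst"]:
            problems.append("destination unexpectedly translated on Internet-bound flow")
    elif rec["dst"] == DMZ_NAT_IP:
        # Destination NAT: 192.168.1.1 must become the DMZ server and the
        # post-NAT destination zone must be DMZ.
        if rec["natdst"] != DMZ_SERVER_IP:
            problems.append(f"destination NAT not applied: natdst={rec['natdst']}")
        if rec["to"] != "DMZ":
            problems.append(f"post-NAT zone should be DMZ, got {rec['to']}")
    return problems

def verify_nat_logs(text):
    """Parse CSV log text and return {row_number: [problems]} for failing rows only."""
    failures = {}
    for n, rec in enumerate(csv.DictReader(io.StringIO(text)), start=1):
        problems = check_record(rec)
        if problems:
            failures[n] = problems
    return failures

if __name__ == "__main__":
    for n, probs in verify_nat_logs(SAMPLE_LOG).items():
        print(f"row {n}: " + "; ".join(probs))
```

Export the relevant rows from Monitor → Logs → Traffic with the same column names and feed the text to verify_nat_logs to spot flows that bypassed either NAT rule.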
