PCNSA 2.10

Given a scenario, identify and implement the proper NAT solution.

Palo Alto Networks PCNSA Study Guide v10

NAT Types

There are two basic types of NAT: source NAT (SNAT) and destination NAT (DNAT). SNAT replaces the source IP of the packet, for example replacing an RFC 1918 address with a public IP so that traffic can be sent to the Internet.

DNAT replaces the destination IP of the packet. It is used, for example, to translate traffic destined for an Internet-facing service from its public IP to the internal address of the server.

Source NAT Types

  • Static IP: The same IP is always used for the translation and no port information is changed.
  • Dynamic IP: The source IP is changed to the next available in the pool and is transient.
  • Dynamic IP and Port (DIPP): The translated source IP is the same for all sessions, but the source port is dynamically changed so that many sessions can share one IP (overloading).

Source NAT and Security Policies

When referencing addresses that have been altered by SNAT in a security policy, you use the pre-NAT IP and the post-NAT zone.

Configuring Bidirectional SNAT

In static SNAT, the bidirectional NAT option enables a corresponding translation in the opposite direction. If it is enabled, care must be taken that security policy rules are in place for both directions: bidirectional NAT only causes packets to be translated automatically in both directions, and security policy still decides whether they are allowed.

DIPP NAT Oversubscription

DIPP NAT Oversubscription is the number of times the same translated IP and port pair can be used concurrently. Oversubscription assumes a different destination in each translation that shares a pair. The Platform Default setting does not set a rate explicitly and applies the firewall model's own default; 1x means no oversubscription.
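As an added illustration (not code from the study guide or from PAN-OS), the following Python model of a DIPP pool shows how oversubscription lets a translated IP and port pair be reused only when the destinations differ, and how 1x means no reuse at all. The public IP, port range and oversubscription factor are constructed values.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# A flow is identified by (src_ip, src_port, dst_ip, dst_port); constructed model only.
Flow = Tuple[str, int, str, int]
Pair = Tuple[str, int]          # (translated IP, translated port)
Dest = Tuple[str, int]          # (dst_ip, dst_port)


@dataclass
class DippTranslator:
    """Toy DIPP source NAT pool: one public IP, a small port range, N-times oversubscription."""
    public_ip: str
    port_range: range = field(default_factory=lambda: range(1024, 1028))
    oversubscription: int = 1   # 1x: each (IP, port) pair is used by at most one session
    # Destinations currently using each translated pair.
    _in_use: Dict[Pair, Set[Dest]] = field(default_factory=dict)
    # Existing sessions keep their translation.
    _sessions: Dict[Flow, Pair] = field(default_factory=dict)

    def translate(self, flow: Flow) -> Optional[Pair]:
        """Return the translated (IP, port) for a flow, or None when the pool is exhausted."""
        if flow in self._sessions:
            return self._sessions[flow]
        dest: Dest = (flow[2], flow[3])
        for port in self.port_range:
            pair = (self.public_ip, port)
            dests = self._in_use.setdefault(pair, set())
            # A pair may be shared up to `oversubscription` times, but never by two
            # sessions to the same destination: the return packet would be ambiguous.
            if len(dests) < self.oversubscription and dest not in dests:
                dests.add(dest)
                self._sessions[flow] = pair
                return pair
        return None

    def capacity(self) -> int:
        """Maximum concurrent sessions the pool can carry (assuming distinct destinations)."""
        return len(self.port_range) * self.oversubscription
```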

Destination NAT Types

  • Static: The destination IP is statically changed to a set IP.
  • Dynamic IP (with session distribution): Using an FQDN as the translated address, the firewall dynamically assigns the translation from the DNS entries that the FQDN resolves to.

Destination NAT and Security Policies

As with SNAT, security policies that reference DNAT traffic use the “pre-NAT IP; post-NAT zone” convention.