NAT – Network Address Translation

With IPv4 networks NAT is fundamental for it to work without it not a whole lot of devices would be able to surf the internet. For example your broadband connection uses NAT. You are assigned a public IPv4 address from your ISP on your WAN interface of your modem which allows you to surf the internet, within your LAN (home) all the devices you have attached to your WiFi network are assigned an address most likely from the 192.168.1.0/24 range which is from the private class C subnet range. These private IP addresses are not allowed out on the public internet and if you tried to use an address from a private IP address range your ISP will have an ACL blocking its use.

The job of NAT is to translate your private IP address that has been assigned by your modem at home to your PC for example and change the IP address to its public IP address before it leaves your modem.

If we take the following example:

41381

Your PC as been given the IP address of 192.168.1.7 and you want to surf the Internet. Before you can do that NAT has to step in and change your private IP address to its public IP address using NAT or more specific PAT which is a form of NAT which stands for Port Address Translation which allows all the private IP addresses on your LAN to be translated to the single public IP address using port numbers to keep track of the different sessions from the devices in your LAN.

So NAT will translate the source IP address in the packet from 192.168.1.7 to 159.17.5.1 before sending the packet out its WAN interface towards its destination on the Internet. It will keep track of this translation in its NAT table:

  • 192.168.1.7:80 = 159.17.5.1:8000

This mapping allows the return traffic to go back to the PC that started the session. If a second PC on the LAN went out to the internet and had an IP address of 192.168.1.10 it will also be tracked in the NAT table:

  • 192.168.1.7:80 = 159.17.5.1:8000
  • 192.168.1.10:80 = 159.17.5.1:8001

The second entry has a different port number assigned to it and this is how NAT/PAT keeps track of which traffic belongs to which IP address on the LAN.

Configuring NAT on the PA-NGFW

Here I will configure NAT/PAT on the NGFW to demonstrate how it is done.

NAT is configured under the Policies Tab on the left hand side panel select NAT and then click the Add button at the bottom to get started.

Step1_NAT

A new window will pop up asking for General information, give it a meaningful name and description then click the Original Packet tab.

Step2_NAT

Under Original Packet I’ve added the following:

Step3_NAT

Under Source Zone I’ve added the Internal zone, Destination Zone will be the Internet zone and I’ve selected the Destination Interface as the Interface that I configured as the Internet interface which as an IP address 192.168.1.250. Ok so 192.168.1.250 isn’t a public IP address but in my lab environment my modem is also doing NAT to a real public IP address before any traffic is sent. So for this lab I am pretending that 192.168.1.250 is a public IP address and it will translate IP address in the 10.1.1.0/24 network to 192.168.1.250 and my home modem will then translate the 192.168.1.250 again to a real public IP address. Hope that is clear enough. Ok back to the configuration under Source Address I selected the Object I created in an earlier lab called ‘Internal 10.1.1.0 subnet’. The Destination Address will be left to ‘Any’.

Next is the Translation piece so click on Translate Packet.

Step4_NAT

I have selected the Dynamic IP and Port as the translation type as I am using PAT. The Address Type is ‘Interface Address’ and I have selected the ethernet1/1 interface which is the Internet interface and the only IP address that is associated with that interface is 192.168.1.250. Next thing to do is click Ok and that is NAT/PAT configured. Don’t forget to commit the configuration for it to take affect.

To check that it is working I have started up the Windows 10 Virtual Machine I have as part of the lab. It is configured with the IP address of 10.1.1.25. I went to http://www.paloaltonetworks.com as you can see below it was successful.

windows10

This verifies a few things that I have done in the past blog posts. It verifies that traffic from the Internal zone is allowed out the Internet zone. It also verifies that the DNS, SSL protocols are allowed based on the security policy.

We can verify that NAT is working by looking at the NAT translation rule and see the hit count has increased to 985 meaning that it is working. I can’t show you this in the logs as I don’t have the license for that but will add one and show how that is done.

NAT_Working

Any questions leave a comment.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s