NTI ECHO 2019 TROUBLESHOOT HOW TO
NAT, a necessary evil: it's a love-hate relationship between us engineers and NAT. Unless you are lucky (or early) enough to have a large pool of public/Internet-routable addresses, NAT is your friend. In this article, I'll explain how NAT works on a Palo Alto Networks firewall, and hopefully it will be detailed enough to understand how to configure and troubleshoot NAT.

Before I start, let's have a quick time travel back to 1991, when there was a discussion on how to solve IP address depletion. Five engineers collaborated on a paper which became known as RFC 1287 ( ). There is no concrete proof of who invented Network Address Translation (from now on, I will use the abbreviation NAT), but the first ever commercially viable NAT device was created by John Mayes, Brantley Coile and Johnson Wu. Private Internet Exchange, yes, the famous PIX firewall, was originally designed as a network translation device ( ). As you can see from the RFC and John Mayes' article, NAT was originally designed to solve IP address depletion by changing IP addresses and was never intended to solve security issues. Yes, NAT is a given now, even my iPhone can do NAT, but we cannot, I reiterate, cannot rely on NAT to provide security! If you'd like to read a comprehensive history of NAT, I suggest this amazing article by Lixia Zhang. The so-called "firewall" was a by-product of NAT itself.

As a network security engineer, I strongly believe we must not forget what NAT was intended for. Now, let's get back to the technical talk and look at how this translation device actually works. In the diagram below, I have Host A on Network A sending an HTTP request (on TCP port 80) and a DNS request (on UDP port 53) to Host B on Network B.

That's great, but so far in our example we have one host behind the NAT device being translated to one IP address. There is also a misconception that we use NAT only on the Internet perimeter to translate RFC 1918 private IP addresses to one or multiple Internet-routable IP addresses. Yes, this is the common use case, but there are other use cases that require NAT to be present, such as communication between overlapping internal networks. Talking about using NAT on the Internet perimeter: yeah, that one-to-one NAT only works if you have enough Internet-routable IP addresses to translate all your private IP addresses. The reality is you would want to translate many private IP addresses to "less than many" Internet-routable IP addresses. This "less than many" is sometimes equal to one IP address. This is where Dynamic IP and Port Translation comes to the rescue! Different vendors have a different name for this type of translation. Cisco calls this "Overloading", Juniper calls this "PAT", Palo Alto Networks calls this "DIPP", and others call it interface-based NAT, NAPT, etc. Can't we just get along and come up with the same name :)

By now, you kind of get the feeling where this leads to. Why does the NAT device change the original source port to something else? Well, imagine if both Host A and Host C send packets with the same source port: the translation table entries are going to be the same for Host A and Host C, and the NAT device wouldn't know how to translate back for the return traffic.

First of all, let's explore the type of NAT that PAN-OS supports: the NAT device changes the source IP addresses AND the source ports to its own address and port number, then sends the packets to the destination.
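To make the source-port collision concrete, here is a small translation-table simulator. It is an added illustration written for this article, not PAN-OS code and not a model of any vendor's implementation; the host, server and public addresses are constructed sample values from the documentation ranges, and the sequential port allocator is a simplification of how real products hand out DIPP ports. It plays the Host A / Host C scenario from the text both ways: with source-IP-only translation to one public address, the two hosts' entries collide and the reply cannot be mapped back; with Dynamic IP and Port translation each session gets its own outside port, so the reverse lookup is unambiguous. It also shows that the protocol is part of the key, so Host A's UDP/53 DNS request does not collide with its own TCP/80 HTTP request.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One packet's addressing, as a 5-tuple."""
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class DynamicIpNat:
    """Translate the source IP to one public address but keep the source port.

    The table is keyed on what comes back from the outside world
    (protocol, outside port, remote IP, remote port). Two inside hosts that
    pick the same source port towards the same server share one key.
    """

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.table = defaultdict(set)   # outside key -> set of inside IPs

    def outbound(self, f):
        self.table[(f.proto, f.src_port, f.dst_ip, f.dst_port)].add(f.src_ip)
        return Flow(f.proto, self.public_ip, f.src_port, f.dst_ip, f.dst_port)

    def inbound(self, reply):
        """Map a return packet (addressed to the public IP) back to the inside host."""
        key = (reply.proto, reply.dst_port, reply.src_ip, reply.src_port)
        candidates = self.table.get(key, set())
        if len(candidates) != 1:
            return None          # unknown session, or ambiguous between several inside hosts
        (inside_ip,) = candidates
        return Flow(reply.proto, reply.src_ip, reply.src_port, inside_ip, reply.dst_port)


class DynamicIpAndPortNat:
    """DIPP / PAT / overloading: rewrite the source IP *and* the source port.

    Every inside session gets a distinct outside port, so the reverse lookup
    is always unambiguous. Ports are handed out sequentially from one pool,
    which is a simplification of real allocators.
    """

    def __init__(self, public_ip, first_port=1024, last_port=65535):
        self.public_ip = public_ip
        self.next_port = first_port
        self.last_port = last_port
        self.forward = {}   # inside 5-tuple -> outside port
        self.reverse = {}   # (proto, outside port, remote IP, remote port) -> (inside IP, inside port)

    def outbound(self, f):
        key = (f.proto, f.src_ip, f.src_port, f.dst_ip, f.dst_port)
        port = self.forward.get(key)
        if port is None:                     # new session: allocate an outside port
            if self.next_port > self.last_port:
                raise RuntimeError("DIPP port pool exhausted")
            port = self.next_port
            self.next_port += 1
            self.forward[key] = port
            self.reverse[(f.proto, port, f.dst_ip, f.dst_port)] = (f.src_ip, f.src_port)
        return Flow(f.proto, self.public_ip, port, f.dst_ip, f.dst_port)

    def inbound(self, reply):
        inside = self.reverse.get((reply.proto, reply.dst_port, reply.src_ip, reply.src_port))
        if inside is None:
            return None
        inside_ip, inside_port = inside
        return Flow(reply.proto, reply.src_ip, reply.src_port, inside_ip, inside_port)


def demo():
    """Host A and Host C both use source port 40000 to reach Host B on TCP/80."""
    public = "203.0.113.10"                                # constructed public address
    host_b = "198.51.100.5"                                # constructed server address
    a_http = Flow("tcp", "10.0.0.11", 40000, host_b, 80)
    c_http = Flow("tcp", "10.0.0.13", 40000, host_b, 80)   # same source port as Host A
    a_dns = Flow("udp", "10.0.0.11", 40000, host_b, 53)    # same port, different protocol

    ip_only = DynamicIpNat(public)
    for f in (a_http, c_http, a_dns):
        ip_only.outbound(f)
    # Host B replies to the public address on port 40000: which inside host gets it?
    ip_only_http = ip_only.inbound(Flow("tcp", host_b, 80, public, 40000))   # None: A and C collide
    ip_only_dns = ip_only.inbound(Flow("udp", host_b, 53, public, 40000))    # unique: goes to Host A

    dipp = DynamicIpAndPortNat(public, first_port=50000)
    out_a = dipp.outbound(a_http)                          # 203.0.113.10:50000
    out_c = dipp.outbound(c_http)                          # 203.0.113.10:50001
    back_a = dipp.inbound(Flow("tcp", host_b, 80, public, out_a.src_port))
    back_c = dipp.inbound(Flow("tcp", host_b, 80, public, out_c.src_port))
    return {
        "ip_only_http": ip_only_http,
        "ip_only_dns_to": ip_only_dns.dst_ip,
        "dipp_ports": (out_a.src_port, out_c.src_port),
        "dipp_back": (back_a.dst_ip, back_a.dst_port, back_c.dst_ip, back_c.dst_port),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the script prints `ip_only_http: None` for the colliding HTTP sessions, while the DIPP half shows Host A and Host C mapped to outside ports 50000 and 50001 and each reply translated back to the right inside address and original port 40000. The `RuntimeError` on pool exhaustion is the toy version of what an operator sees when a single DIPP address runs out of ports under heavy session load.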