Chapter 1. Basics

1.4 DNAT

Learning Objectives

  • Configure Destination NAT (DNAT)
  • Configure WordPress

Prerequisites:

  • SNAT for the Internet
  • Security policy for Inside to Outside
  • Interface configuration
  • Knowledge of previous labs

Scenario: When I think of DNAT (Destination Network Address Translation), I always think of the days of setting up port forwarding for all my favorite games just so I could host a server my friends could play on. You can think of DNAT like this too if it helps! The goal of this lab is to reach WordPress from the Outside. So, users only enter the IP address of Ethernet 1/2 in the Outside webterm, and the firewall redirects the traffic to WordPress.
Figure 1.55: Main scenario

Table 1.7: Addressing Table

  Device                 Interface     Configuration
  WP (WordPress)         eth0          10.0.0.2/24, GW: 10.0.0.1
  PaloAlto               Ethernet1/1   10.0.0.1/24
                         Ethernet1/2   DHCP
                         Management    192.168.0.1/24
  Management (WebTerm)   eth0          192.168.0.2/24
  Outside (WebTerm)      eth0          DHCP

Table 1.8: Zone Configuration

  Zone      Interface
  Inside    Ethernet1/1
  Outside   Ethernet1/2

Create Reference Addresses

Under Objects > Addresses, click Add.

Figure 1.56: Add an address

In this window, we will add the IP of the WordPress server so we can reference it more easily.

Figure 1.57: WordPress IP address

We also want to put our firewall’s “public” IP (the interface facing the NAT cloud) here too. You can find the firewall’s DHCP address under Network > Interfaces. Then click the hyperlink under IP Address:

Figure 1.58: Dynamic-DHCP Client IP address

From there you will find the IP address of the firewall:

Figure 1.59: Verify Dynamic-DHCP Client IP address

Create a DNAT Policy

Under Policies > NAT, click the Add button on the bottom.

Figure 1.60: Add a DNAT Policy

Under the Original Packet tab, configure these settings:

Table 1.9: DNAT Configuration

  Parameter              Value
  Source Zone            Outside
  Destination Zone       Outside
  Destination Interface  any
  Service                service-http
  Destination Address    (Firewall Public Address Here)

Figure 1.61: DNAT Policy Rule - Original Packet

Under the Translated Packet tab, in the Destination Address Translation section, configure these:

Table 1.10: DNAT Translated Packet Configuration

  Parameter           Value
  Translation Type    Static IP
  Translated Address  (IP of WordPress here)
  Translated Port     80

Figure 1.62: DNAT Policy Rule - Translated Packet

Then, press OK.

Security Policy for DNAT

Under Policies > Security, click Add at the bottom.

Figure 1.63: Add a Security Policy

Under the source tab, add the outside zone under the source zone:

Figure 1.64: Configuring the Source Zone

Under the destination tab, add the inside zone as the destination zone. The destination zone here is Inside, not Outside as in the NAT rule, because the firewall matches security policy against the post-NAT destination zone (while still using the pre-NAT destination address), so the two rules deliberately name different zones:

Figure 1.65: Configuring the Destination Zone

After that press OK, then Commit.
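As an added illustration that is not part of the lab, the Python model below replays the lookup order the NAT and security rules above depend on: the NAT rule is matched on the original packet's zones and address, and the security policy is then matched on the post-NAT destination zone. The public address 203.0.113.10 and the 203.0.113.0/24 route are assumptions standing in for the DHCP lease on Ethernet1/2; the WordPress address comes from Table 1.7.

```python
import ipaddress

# Constructed lab values. WP_IP is from Table 1.7; Ethernet1/2 gets a DHCP lease
# in the lab, so FW_PUBLIC_IP is a placeholder assumption.
WP_IP = "10.0.0.2"
FW_PUBLIC_IP = "203.0.113.10"

# Route table used for zone lookup (assumption: Ethernet1/2 sits in 203.0.113.0/24).
ROUTES = {"10.0.0.0/24": "Inside", "203.0.113.0/24": "Outside", "0.0.0.0/0": "Outside"}


def zone_for(ip):
    """Zone of the egress interface chosen by longest-prefix route lookup."""
    addr = ipaddress.ip_address(ip)
    nets = [ipaddress.ip_network(p) for p in ROUTES if addr in ipaddress.ip_network(p)]
    return ROUTES[str(max(nets, key=lambda n: n.prefixlen))]


# Tables 1.9 and 1.10 as one rule. Zones and address are those of the ORIGINAL
# packet, which is why the destination zone is Outside rather than Inside.
NAT_RULE = {"from": "Outside", "to": "Outside", "dst": FW_PUBLIC_IP,
            "service": ("tcp", 80), "translated": (WP_IP, 80)}

# Security rules: the Outside -> Inside rule from Figures 1.64/1.65 plus the
# Inside -> Outside prerequisite rule. Addresses and applications are "any", as in the lab.
SEC_RULES = [("Outside", "Inside", "allow"), ("Inside", "Outside", "allow")]


def evaluate(src_ip, dst_ip, proto, dport):
    """Return (translated destination, destination zone seen by security policy, action)."""
    src_zone, dst_zone = zone_for(src_ip), zone_for(dst_ip)   # pre-NAT zones
    translated = (dst_ip, dport)
    if (src_zone, dst_zone, dst_ip, (proto, dport)) == (
            NAT_RULE["from"], NAT_RULE["to"], NAT_RULE["dst"], NAT_RULE["service"]):
        translated = NAT_RULE["translated"]
        dst_zone = zone_for(translated[0])   # post-NAT zone: Inside
    # Security policy is evaluated with the post-NAT zone (addresses are "any" here).
    for frm, to, action in SEC_RULES:
        if (src_zone, dst_zone) == (frm, to):
            return translated, dst_zone, action
    # PAN-OS default rules: intrazone-default allow, interzone-default deny.
    return translated, dst_zone, "allow" if src_zone == dst_zone else "deny"


if __name__ == "__main__":
    print(evaluate("198.51.100.7", FW_PUBLIC_IP, "tcp", 80))   # Outside host reaches WordPress
    print(evaluate("10.0.0.5", FW_PUBLIC_IP, "tcp", 80))       # Inside host: no hairpin NAT
```

The second call shows the gap a practitioner should expect: an Inside host browsing to the public address is not translated, because the NAT rule's source zone is Outside.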

Test DNAT

Using the Outside webterm, navigate to the public IP address of your firewall. If any webpage shows up, whether it’s the WordPress site or the one below, you have DNAT working!

Figure 1.66: Verify your configuration

License

Palo Alto Firewall Copyright © 2023 by Hamid Talebi, Xavier Cawley is licensed under a Creative Commons Attribution 4.0 International License, except where otherwise noted.