{"id":113,"date":"2022-04-25T07:29:09","date_gmt":"2022-04-25T11:29:09","guid":{"rendered":"https:\/\/pressbooks.bccampus.ca\/paloalto\/?post_type=chapter&p=113"},"modified":"2026-02-18T15:28:37","modified_gmt":"2026-02-18T20:28:37","slug":"dnat","status":"publish","type":"chapter","link":"https:\/\/pressbooks.bccampus.ca\/paloalto\/chapter\/dnat\/","title":{"raw":"1.4 DNAT","rendered":"1.4 DNAT"},"content":{"raw":"
\r\n

Learning Objectives<\/p>\r\n\r\n<\/header>\r\n

\r\n
    \r\n \t
  • Configure Destination NAT (DNAT)<\/li>\r\n \t
  • Configure WordPress<\/li>\r\n<\/ul>\r\n<\/div>\r\n<\/div>\r\n
    \r\n\r\nPrerequisites<\/strong>:\r\n
      \r\n \t
    • SNAT for the Internet<\/li>\r\n \t
    • Security policy for Inside to Outside<\/li>\r\n \t
    • Interface configuration<\/li>\r\n \t
    • Knowledge of previous labs<\/li>\r\n<\/ul>\r\n<\/div>\r\n
      Scenario<\/strong>: When I think of DNAT (Destination Network Address Translation) I always think of the days of setting up port forwarding for all my favorite games just so I could host server friends can play on. You can think of DNAT like this too if it helps! The goal of this lab is to reach WordPress from the Outside. So, users only enter the IP address of Ethernet 1\/2 in the Outside webterm and the firewall redirects the traffic to WordPress.<\/div>\r\n\r\n[caption id=\"attachment_174\" align=\"aligncenter\" width=\"841\"]\"Main Figure 1.55: Main scenario[\/caption]\r\n\r\n\r\n\r\n\r\n\r\n\r\n
      Table 1.7: Addressing Table<\/caption>\r\n
      Device<\/th>\r\nConfiguration<\/th>\r\n<\/tr>\r\n
      WP (WordPress)<\/td>\r\neth0: 10.0.0.2\/24 GW: 10.0.0.1<\/td>\r\n<\/tr>\r\n
      PaloAlto<\/td>\r\nEthernet1\/1: 10.0.0.1\/24\r\nEthernet1\/2: DHCP\r\nManagement: 192.168.0.1\/24<\/td>\r\n<\/tr>\r\n
      Management (WebTerm)<\/td>\r\neth0: 192.168.0.2\/24<\/td>\r\n<\/tr>\r\n
      Outside (WebTerm)<\/td>\r\neth0: DHCP<\/td>\r\n<\/tr>\r\n<\/tbody>\r\n<\/table>\r\n\r\n\r\n\r\n\r\n
      Table 1.8: Zone Configuration<\/caption>\r\n
      Zone<\/th>\r\nInterface<\/th>\r\n<\/tr>\r\n
      Inside<\/td>\r\nEthernet1\/1<\/td>\r\n<\/tr>\r\n
      Outside<\/td>\r\nEthernet1\/2<\/td>\r\n<\/tr>\r\n<\/tbody>\r\n<\/table>\r\n

      Create Reference Addresses<\/h2>\r\nUnder Objects > Addresses<\/strong>, click Add<\/strong>.\r\n\r\n[caption id=\"attachment_380\" align=\"aligncenter\" width=\"1026\"]\"Add Figure 1.56: Add an address[\/caption]\r\n\r\nIn this window, we will add the IP of the WordPress server to reference it easier.\r\n\r\n[caption id=\"attachment_176\" align=\"aligncenter\" width=\"1026\"]\"WordPress Figure 1.57: WordPress IP address[\/caption]\r\n\r\nWe also want to put our firewall's \"public\" IP (the interface facing the NAT cloud) here too. You can find the firewall's DHCP address under network > interfaces<\/strong>. Then click the hyperlink under IP address:\r\n\r\n[caption id=\"attachment_364\" align=\"aligncenter\" width=\"1024\"]\"Dynamic-DHCP Figure 1.58: Dynamic-DHCP Client IP address[\/caption]\r\n\r\nFrom there you will find the IP address of the firewall:\r\n\r\n[caption id=\"attachment_178\" align=\"aligncenter\" width=\"1026\"]\"Verify Figure 1.59: Verify Dynamic-DHCP Client IP address[\/caption]\r\n

      Create a DNAT Policy<\/h2>\r\nUnder Policies > NAT<\/strong>, click the Add button on the bottom.\r\n\r\n[caption id=\"attachment_381\" align=\"aligncenter\" width=\"1026\"]\"Add Figure 1.60: Add a DNAT Policy[\/caption]\r\n\r\nUnder the Original Packet tab, configure these settings:\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n
      Table 1.9: DNAT Configuration<\/caption>\r\n
      Parameters<\/th>\r\nValue<\/th>\r\n<\/tr>\r\n
      Source Zone<\/td>\r\nOutside<\/td>\r\n<\/tr>\r\n
      Destination Zone<\/td>\r\nOutside<\/td>\r\n<\/tr>\r\n
      Destination Interface<\/td>\r\nany<\/td>\r\n<\/tr>\r\n
      Service<\/td>\r\nservice-http<\/td>\r\n<\/tr>\r\n
      Destination Address<\/td>\r\n(Firewall Public Address Here)<\/td>\r\n<\/tr>\r\n<\/tbody>\r\n<\/table>\r\n[caption id=\"attachment_180\" align=\"aligncenter\" width=\"1026\"]\"DNAT Figure 1.61: DNAT Policy Rule- Original Packet[\/caption]\r\n\r\nUnder the translated packet tab, Destination Address Translation. Configure these:\r\n\r\n\r\n\r\n\r\n\r\n
      Table 1.10: DNAT Translated Packet Configuration<\/caption>\r\n
      Parameters<\/th>\r\nValue<\/th>\r\n<\/tr>\r\n
      Translation Type<\/td>\r\nStatic IP<\/td>\r\n<\/tr>\r\n
      Translated Address<\/td>\r\n(IP of WordPress here)<\/td>\r\n<\/tr>\r\n
      Translated Port<\/td>\r\n80<\/td>\r\n<\/tr>\r\n<\/tbody>\r\n<\/table>\r\n[caption id=\"attachment_181\" align=\"aligncenter\" width=\"1026\"]\"DNAT Figure 1.62: DNAT Policy Rule- Translated Packet[\/caption]\r\n\r\nThen, press OK<\/strong>.\r\n

      Security Policy for DNAT<\/h1>\r\nUnder Policies > Security<\/strong>. Click Add<\/strong> at the bottom.\r\n\r\n[caption id=\"attachment_382\" align=\"aligncenter\" width=\"1026\"]\"Add Figure 1.63: Add a Security Policy[\/caption]\r\n\r\nUnder the source tab, add the outside zone under the source zone:\r\n\r\n[caption id=\"attachment_183\" align=\"aligncenter\" width=\"1026\"]\"Configuring Figure 1.64: Configuring the Source Zone[\/caption]\r\n\r\nUnder the destination tab, add the inside zone as the destination zone:\r\n\r\n[caption id=\"attachment_184\" align=\"aligncenter\" width=\"1026\"]\"Configuring Figure 1.65: Configuring the Destination Zone[\/caption]\r\n\r\nAfter that press OK<\/strong>, then Commit<\/strong>.\r\n

      Test DNAT<\/h2>\r\nUsing the Outside webterm. Navigate to the public IP address of your firewall. If any webpage shows up, whether it's the WordPress site or the one below. You got DNAT working!\r\n\r\n[caption id=\"attachment_185\" align=\"aligncenter\" width=\"1026\"]\"Verify Figure 1.66: Verify your configuration[\/caption]","rendered":"
      \n
      \n

      Learning Objectives<\/p>\n<\/header>\n

      \n
        \n
      • Configure Destination NAT (DNAT)<\/li>\n
      • Configure WordPress<\/li>\n<\/ul>\n<\/div>\n<\/div>\n
        \n

        Prerequisites<\/strong>:<\/p>\n

          \n
        • SNAT for the Internet<\/li>\n
        • Security policy for Inside to Outside<\/li>\n
        • Interface configuration<\/li>\n
        • Knowledge of previous labs<\/li>\n<\/ul>\n<\/div>\n
          Scenario<\/strong>: When I think of DNAT (Destination Network Address Translation) I always think of the days of setting up port forwarding for all my favorite games just so I could host server friends can play on. You can think of DNAT like this too if it helps! The goal of this lab is to reach WordPress from the Outside. So, users only enter the IP address of Ethernet 1\/2 in the Outside webterm and the firewall redirects the traffic to WordPress.<\/div>\n
          \"Main
          Figure 1.55: Main scenario<\/figcaption><\/figure>\n\n\n\n\n\n\n\n
          Table 1.7: Addressing Table<\/caption>\n
          Device<\/th>\nConfiguration<\/th>\n<\/tr>\n
          WP (WordPress)<\/td>\neth0: 10.0.0.2\/24 GW: 10.0.0.1<\/td>\n<\/tr>\n
          PaloAlto<\/td>\nEthernet1\/1: 10.0.0.1\/24
          \nEthernet1\/2: DHCP
          \nManagement: 192.168.0.1\/24<\/td>\n<\/tr>\n
          Management (WebTerm)<\/td>\neth0: 192.168.0.2\/24<\/td>\n<\/tr>\n
          Outside (WebTerm)<\/td>\neth0: DHCP<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n\n\n\n\n\n
          Table 1.8: Zone Configuration<\/caption>\n
          Zone<\/th>\nInterface<\/th>\n<\/tr>\n
          Inside<\/td>\nEthernet1\/1<\/td>\n<\/tr>\n
          Outside<\/td>\nEthernet1\/2<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

          Create Reference Addresses<\/h2>\n

          Under Objects > Addresses<\/strong>, click Add<\/strong>.<\/p>\n

          \"Add
          Figure 1.56: Add an address<\/figcaption><\/figure>\n

          In this window, we will add the IP of the WordPress server to reference it easier.<\/p>\n

          \"WordPress
          Figure 1.57: WordPress IP address<\/figcaption><\/figure>\n

          We also want to put our firewall’s “public” IP (the interface facing the NAT cloud) here too. You can find the firewall’s DHCP address under network > interfaces<\/strong>. Then click the hyperlink under IP address:<\/p>\n

          \"Dynamic-DHCP
          Figure 1.58: Dynamic-DHCP Client IP address<\/figcaption><\/figure>\n

          From there you will find the IP address of the firewall:<\/p>\n

          \"Verify
          Figure 1.59: Verify Dynamic-DHCP Client IP address<\/figcaption><\/figure>\n

          Create a DNAT Policy<\/h2>\n

          Under Policies > NAT<\/strong>, click the Add button on the bottom.<\/p>\n

          \"Add
          Figure 1.60: Add a DNAT Policy<\/figcaption><\/figure>\n

          Under the Original Packet tab, configure these settings:<\/p>\n\n\n\n\n\n\n\n\n
          Table 1.9: DNAT Configuration<\/caption>\n
          Parameters<\/th>\nValue<\/th>\n<\/tr>\n
          Source Zone<\/td>\nOutside<\/td>\n<\/tr>\n
          Destination Zone<\/td>\nOutside<\/td>\n<\/tr>\n
          Destination Interface<\/td>\nany<\/td>\n<\/tr>\n
          Service<\/td>\nservice-http<\/td>\n<\/tr>\n
          Destination Address<\/td>\n(Firewall Public Address Here)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
          \"DNAT
          Figure 1.61: DNAT Policy Rule- Original Packet<\/figcaption><\/figure>\n

          Under the translated packet tab, Destination Address Translation. Configure these:<\/p>\n\n\n\n\n\n\n
          Table 1.10: DNAT Translated Packet Configuration<\/caption>\n
          Parameters<\/th>\nValue<\/th>\n<\/tr>\n
          Translation Type<\/td>\nStatic IP<\/td>\n<\/tr>\n
          Translated Address<\/td>\n(IP of WordPress here)<\/td>\n<\/tr>\n
          Translated Port<\/td>\n80<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
          \"DNAT
          Figure 1.62: DNAT Policy Rule- Translated Packet<\/figcaption><\/figure>\n

          Then, press OK<\/strong>.<\/p>\n

          Security Policy for DNAT<\/h1>\n

          Under Policies > Security<\/strong>. Click Add<\/strong> at the bottom.<\/p>\n

          \"Add
          Figure 1.63: Add a Security Policy<\/figcaption><\/figure>\n

          Under the source tab, add the outside zone under the source zone:<\/p>\n

          \"Configuring
          Figure 1.64: Configuring the Source Zone<\/figcaption><\/figure>\n

          Under the destination tab, add the inside zone as the destination zone:<\/p>\n

          \"Configuring
          Figure 1.65: Configuring the Destination Zone<\/figcaption><\/figure>\n

          After that press OK<\/strong>, then Commit<\/strong>.<\/p>\n

          Test DNAT<\/h2>\n

          Using the Outside webterm. Navigate to the public IP address of your firewall. If any webpage shows up, whether it’s the WordPress site or the one below. You got DNAT working!<\/p>\n

          \"Verify
          Figure 1.66: Verify your configuration<\/figcaption><\/figure>\n","protected":false},"author":1572,"menu_order":4,"template":"","meta":{"pb_show_title":"on","pb_short_title":"","pb_subtitle":"","pb_authors":[],"pb_section_license":""},"chapter-type":[],"contributor":[],"license":[],"class_list":["post-113","chapter","type-chapter","status-publish","hentry"],"part":3,"_links":{"self":[{"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapters\/113","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapters"}],"about":[{"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/wp\/v2\/types\/chapter"}],"author":[{"embeddable":true,"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/wp\/v2\/users\/1572"}],"version-history":[{"count":25,"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapters\/113\/revisions"}],"predecessor-version":[{"id":1212,"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapters\/113\/revisions\/1212"}],"part":[{"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/pressbooks\/v2\/parts\/3"}],"metadata":[{"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapters\/113\/metadata\/"}],"wp:attachment":[{"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/wp\/v2\/media?parent=113"}],"wp:term":[{"taxonomy":"chapter-type","embeddable":true,"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapter-type?post=113"},{"taxonomy":"contributor","embeddable":true,"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/wp\/v2\/contributor?post=113"},{"taxonomy":"license","embeddable":true,"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/wp\/v2\/license?post=113"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}