Security Policy / NAT Policy

Figure: Example 1 (destination NAT to an internal server). Internet, Untrust zone, public address 102.100.88.90 -> firewall -> Trust zone, Internal server 172.17.1.40.

Figure: Example 2 (destination NAT with a DMZ in the path). Internet, Untrust zone -> firewall with a DMZ zone (DMZ network 104.150.226.0/24) and a Trust zone -> Internal server 172.17.1.39.
Figure: PAN-OS packet flow, as labelled in the diagram (stage order as in the PAN-OS packet flow sequence):

Ingress / Security pre-policy
  1. Source Zone / Address / User-ID
  2. PBF / Forwarding Lookup
  3. Destination Zone
  4. NAT Policy Evaluated
  5. Security Pre-Policy Check (Allowed Ports)
  6. Session Created
Application
  7. Check for Encrypted Traffic
  8. Decryption Policy
  9. Application Override Policy
 10. App-ID
Security policy
 11. Security Policy Check
 12. Security Profiles
Post Policy Processing
 13. Re-Encrypt Traffic
 14. NAT Policy Applied
 15. Packet Forwarded
Example 1: NAT Policy and Security Policy as written on the firewall

NAT Policy (destination NAT)
  Source Zone           Untrust
  Destination Zone      Untrust        (the zone the ORIGINAL destination 102.100.88.90 routes to)
  Source Address        Any
  Destination Address   102.100.88.90
  Translated packet     Source Address Any (no source translation), Destination Address 172.16.1.40

Security Policy
  Source Zone           Untrust
  Destination Zone      Trust          (the zone of the TRANSLATED destination 172.16.1.40)
  Source Address        Any
  Destination Address   102.100.88.90  (still the ORIGINAL, pre-NAT address)

(The Example 1 diagram labels the internal server 172.17.1.40 while the rule table reads 172.16.1.40; the slides are inconsistent on this point.)
Example 2: NAT Policy and Security Policy as written on the firewall

NAT Policy (destination NAT)
  Source Zone           Untrust
  Destination Zone      DMZ            (the public address 104.160.226.80 routes into the DMZ network, so the ORIGINAL destination zone is DMZ)
  Source Address        Any
  Destination Address   104.160.226.80
  Translated packet     Source Address Any (no source translation), Destination Address 172.16.1.39

Security Policy
  Source Zone           Untrust
  Destination Zone      Trust          (the zone of the TRANSLATED destination 172.16.1.39)
  Source Address        Any
  Destination Address   104.160.226.80 (still the ORIGINAL, pre-NAT address)

(The Example 2 diagram shows the DMZ network as 104.150.226.0/24 and the server as 172.17.1.39, while the rule table reads 104.160.226.80 and 172.16.1.39; the slides are inconsistent on this point.)
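The two rule pairs above expressed as PAN-OS configuration-mode set commands. This is an added example, not configuration from the slides: the rule names are chosen here, the application is assumed to be web-browsing, and the command syntax follows the PAN-OS set-command format as the editor recalls it, so verify it against the CLI reference for your PAN-OS version before committing.

```text
# Example 1: NAT rule matches the ORIGINAL destination and the zone it routes to
# (untrust); the security rule matches the same ORIGINAL address but the
# TRANSLATED destination's zone (trust).
set rulebase nat rules dnat-web-ex1 from untrust to untrust source any destination 102.100.88.90 service any destination-translation translated-address 172.16.1.40
set rulebase security rules allow-web-ex1 from untrust to trust source any destination 102.100.88.90 application web-browsing service application-default action allow

# Example 2: the public address routes into the DMZ, so the NAT rule's
# destination zone is dmz; the server sits in trust, so the security rule
# says trust. Neither rule mentions the private address 172.16.1.39 in its
# match criteria.
set rulebase nat rules dnat-web-ex2 from untrust to dmz source any destination 104.160.226.80 service any destination-translation translated-address 172.16.1.39
set rulebase security rules allow-web-ex2 from untrust to trust source any destination 104.160.226.80 application web-browsing service application-default action allow
```

A security rule written with the post-NAT address (destination 172.16.1.40) would never match inbound traffic, because the security policy lookup still sees 102.100.88.90.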
Original (pre-NAT) IP addresses are ALWAYS used to match rules, in the NAT policy and in the security policy alike.
Why? Because the address translation is not actually applied until the packet
egresses the firewall: "NAT Policy Applied" is one of the last stages of the packet flow, after the security policy check.
The ONLY zone that may change from the original packet during processing is
the destination zone. The NAT rule matches on the zone the original destination address routes to; the security rule matches on the zone the translated destination address routes to, because the destination zone is re-evaluated after the NAT lookup. The source zone is always that of the ingress interface.
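A small model of the lookup order described above, added here to make the zone and address behaviour concrete; it is an illustration, not PAN-OS code. The routing table, zone names, packet and rule definitions are constructed (the DMZ route uses the 104.160.226.0/24 value from the Example 2 rule table), and the match logic covers only zones and destination addresses, which is what the examples turn on.

```python
"""Model of the PAN-OS NAT / security policy lookup order (added example).

Everything here is constructed for illustration: the routing table, the
zones, the two packets and the rules mirror the slide examples but are not
taken from a real device.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed routing table: prefix -> egress zone. The public /24 of
# Example 2 is routed into the DMZ, so its pre-NAT destination zone is DMZ.
ROUTES = {
    "172.16.1.0/24": "Trust",
    "104.160.226.0/24": "DMZ",
    "0.0.0.0/0": "Untrust",        # default route towards the Internet
}


def zone_for(ip: str) -> str:
    """Destination zone = zone of the longest matching route for the address."""
    addr = ipaddress.ip_address(ip)
    best = max((ipaddress.ip_network(p) for p in ROUTES
                if addr in ipaddress.ip_network(p)), key=lambda n: n.prefixlen)
    return ROUTES[str(best)]


@dataclass
class NatRule:
    name: str
    from_zone: str
    to_zone: str                   # zone the ORIGINAL destination routes to
    dst: str                       # ORIGINAL destination address or "any"
    translated_dst: Optional[str]  # destination translation, if any


@dataclass
class SecRule:
    name: str
    from_zone: str
    to_zone: str                   # zone the TRANSLATED destination routes to
    dst: str                       # still the ORIGINAL destination address
    action: str = "allow"


def _addr_match(rule_addr: str, ip: str) -> bool:
    return rule_addr == "any" or rule_addr == ip


def evaluate(pkt: dict, nat_rules: List[NatRule],
             sec_rules: List[SecRule]) -> Tuple[Optional[str], Optional[str], str, str]:
    """Return (nat rule hit, security rule hit, post-NAT destination, action).

    pkt = {"dst": original destination IP, "src_zone": ingress zone}
    """
    pre_nat_zone = zone_for(pkt["dst"])                  # stage: Destination Zone
    nat = next((r for r in nat_rules                     # stage: NAT Policy Evaluated
                if r.from_zone == pkt["src_zone"]
                and r.to_zone == pre_nat_zone
                and _addr_match(r.dst, pkt["dst"])), None)
    post_nat_dst = nat.translated_dst if nat and nat.translated_dst else pkt["dst"]
    post_nat_zone = zone_for(post_nat_dst)               # the one zone that may change
    sec = next((r for r in sec_rules                     # stage: Security Policy Check
                if r.from_zone == pkt["src_zone"]
                and r.to_zone == post_nat_zone
                and _addr_match(r.dst, pkt["dst"])), None)  # ORIGINAL address
    action = sec.action if sec else "deny"               # implicit interzone deny
    return (nat.name if nat else None, sec.name if sec else None,
            post_nat_dst, action)


# Constructed rules mirroring the two slide examples.
NAT_RULES = [
    NatRule("dnat-web-ex1", "Untrust", "Untrust", "102.100.88.90", "172.16.1.40"),
    NatRule("dnat-web-ex2", "Untrust", "DMZ", "104.160.226.80", "172.16.1.39"),
]
SEC_RULES_OK = [
    SecRule("allow-web-ex1", "Untrust", "Trust", "102.100.88.90"),
    SecRule("allow-web-ex2", "Untrust", "Trust", "104.160.226.80"),
]
# Common mistake: the security rule written with the post-NAT address. It can
# never match, because the security lookup still sees the original address.
SEC_RULES_WRONG = [SecRule("allow-web-wrong", "Untrust", "Trust", "172.16.1.40")]

PKT_EX1 = {"dst": "102.100.88.90", "src_zone": "Untrust"}
PKT_EX2 = {"dst": "104.160.226.80", "src_zone": "Untrust"}

if __name__ == "__main__":
    print("Example 1:", evaluate(PKT_EX1, NAT_RULES, SEC_RULES_OK))
    print("Example 2:", evaluate(PKT_EX2, NAT_RULES, SEC_RULES_OK))
    print("Wrong rule:", evaluate(PKT_EX1, NAT_RULES, SEC_RULES_WRONG))
```

Running it shows Example 1 hitting `dnat-web-ex1` and `allow-web-ex1`, Example 2 hitting the DMZ-zoned NAT rule and the Trust-zoned security rule, and the rule written against 172.16.1.40 producing an implicit deny.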
Figure: Source NAT. The original source address (the host's real IP) is replaced with the NATted IP from the pool as the packet leaves the firewall.

Source NAT
PAN-OS supports the following options for source translation:
Dynamic-ip-and-port (DIPP)
Dynamic-ip (DIP)
Static IP
DIP NAT
In this form of NAT the original source port number is left intact; only the
source IP address is translated. Each internal host that needs translation is mapped one-to-one to an address from the pool, and the mapping is held for as long as that host has sessions.
When using the dynamic-ip type of source NAT, the pool must therefore contain
at least as many addresses as there are internal hosts translating at the same time. If
all the IP addresses in the pool are in use, new sessions from hosts that do not yet hold a mapping
cannot be address translated and hence are dropped, while new sessions from
hosts that already hold a mapping continue to be allowed. PAN-OS can optionally fall back to dynamic IP and port translation when the pool is exhausted, which avoids the drop at the cost of port translation.
DIPP NAT
For translating both the source IP address AND the source port number, the DIPP (dynamic
IP and port) type of translation must be used.
This form of NAT is also commonly referred to as interface-based NAT or
network address port translation (NAPT). Other vendors' names for it:
  Cisco routers:     NAT overload
  Juniper NetScreen: PAT
DIPP limits and oversubscription (PA-3050 figures from the slide)
  Maximum DIPP translated IPs       800
  Default oversubscription          2x (the same translated source IP and port is reused for two sessions, each to a different destination IP)
  Maximum DIPP oversubscription     8x
  Usable ports per translated IP    65535 - 1024 = 64511

Maximum number of NAT sessions for a PA-3050 when the maximum DIPP oversubscription (8x) is in use:
  (800 max translated addresses / 8 max oversub) x 8 x 64511 = 51,608,800 NAT sessions
Oversubscription reduces the number of translated addresses that can be configured by the same factor by which it multiplies the reuse of each IP:port pair, so the session ceiling works out to 800 x 64511 either way. This assumes all sessions go to different destinations: an IP:port pair can only be reused towards a different destination IP, so many sessions to the same destination exhaust the pool sooner.

Figure: example at oversubscription 1x
Figure: example at oversubscription 8x
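The DIP exhaustion behaviour and the DIPP oversubscription rule from the two sections above, modelled in one added example (not PAN-OS code). The pool addresses, internal hosts, destination addresses and the deliberately tiny two-port range used in the DIPP demo are constructed so the behaviour is visible at a glance; the capacity function reproduces the slide's PA-3050 formula.

```python
"""Source NAT pool behaviour: dynamic-ip (DIP) versus dynamic-ip-and-port (DIPP).

Added illustration, not PAN-OS code: the pool addresses, hosts, destinations
and the two-port range in the demo are constructed, and the allocators are
simplified models of the behaviour the slides describe.
"""
from typing import Dict, List, Optional, Set, Tuple

LOW_PORT, HIGH_PORT = 1024, 65535
USABLE_PORTS = HIGH_PORT - LOW_PORT        # 64511 usable ports per translated IP


class DipPool:
    """Dynamic IP: each internal host holds its own translated address for as
    long as it has sessions; the source port is left untouched."""

    def __init__(self, addresses: List[str]):
        self.free = list(addresses)
        self.mapping: Dict[str, str] = {}    # internal host -> translated IP
        self.sessions: Dict[str, int] = {}   # internal host -> open sessions

    def new_session(self, host: str, src_port: int) -> Optional[Tuple[str, int]]:
        if host not in self.mapping:
            if not self.free:
                return None                  # pool exhausted: new host is dropped
            self.mapping[host] = self.free.pop(0)
        self.sessions[host] = self.sessions.get(host, 0) + 1
        return self.mapping[host], src_port  # port unchanged

    def close_session(self, host: str) -> None:
        self.sessions[host] -= 1
        if self.sessions[host] == 0:         # last session gone: release the IP
            del self.sessions[host]
            self.free.append(self.mapping.pop(host))


class DippPool:
    """Dynamic IP and port: a translated IP:port pair may be reused up to
    `oversub` times, provided each reuse is towards a different destination IP."""

    def __init__(self, addresses: List[str], oversub: int = 1,
                 ports: range = range(LOW_PORT + 1, HIGH_PORT + 1)):
        self.addresses = list(addresses)
        self.oversub = oversub
        self.ports = ports
        self.in_use: Dict[Tuple[str, int], Set[str]] = {}   # (ip, port) -> dst IPs

    def new_session(self, dst_ip: str) -> Optional[Tuple[str, int]]:
        for ip in self.addresses:
            for port in self.ports:
                dsts = self.in_use.setdefault((ip, port), set())
                if dst_ip not in dsts and len(dsts) < self.oversub:
                    dsts.add(dst_ip)
                    return ip, port
        return None                          # no pair free for this destination


def max_dipp_sessions(max_translated_ips: int, oversub: int,
                      usable_ports: int = USABLE_PORTS) -> int:
    """Slide formula: oversubscription divides the configurable translated
    addresses and multiplies the reuse of each IP:port by the same factor."""
    return (max_translated_ips // oversub) * oversub * usable_ports


def dip_demo() -> List[Optional[Tuple[str, int]]]:
    """Two-address pool, three hosts: the third host is dropped until a
    mapping is released, while an already-mapped host keeps opening sessions."""
    pool = DipPool(["203.0.113.1", "203.0.113.2"])
    out = [pool.new_session("10.1.1.10", 40000),   # host A takes .1
           pool.new_session("10.1.1.11", 40001),   # host B takes .2
           pool.new_session("10.1.1.12", 40002),   # host C: pool exhausted
           pool.new_session("10.1.1.10", 40003)]   # host A again: allowed
    pool.close_session("10.1.1.10")
    pool.close_session("10.1.1.10")                # A's last session: .1 released
    out.append(pool.new_session("10.1.1.12", 40002))  # host C now gets .1
    return out


def dipp_demo(oversub: int) -> List[Optional[Tuple[str, int]]]:
    """One address, two ports: at 1x two sessions fit; at 2x four fit, but a
    third session to the SAME destination still fails at either rate."""
    pool = DippPool(["203.0.113.9"], oversub=oversub, ports=range(1025, 1027))
    return [pool.new_session("198.51.100.1"),
            pool.new_session("198.51.100.1"),
            pool.new_session("198.51.100.1"),      # both ports already hold this dst
            pool.new_session("198.51.100.2"),
            pool.new_session("198.51.100.2")]


if __name__ == "__main__":
    print("DIP     :", dip_demo())
    print("DIPP 1x :", dipp_demo(1))
    print("DIPP 2x :", dipp_demo(2))
    print("PA-3050 ceiling at 8x:", max_dipp_sessions(800, 8))
```

The DIPP demo is the failure mode behind "this assumes all sessions going to different destinations": oversubscription buys nothing for a burst of sessions to one destination, which is the pattern a proxy, a DNS resolver or a SaaS endpoint produces.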