Chapter 1. Basics
1.3 SNAT
Learning Objectives
- Configure Source NAT (SNAT)
Prerequisites:
- Security policy for Inside to Outside
- Interface configuration
- Knowledge of previous labs
Scenario: Source NAT is what your router does on a daily basis to provide you with Internet access just so you can go on social media and complain about how slow your internet is. Your router at home does this all automatically for you. But since we’re real network engineers with a firewall on one hand, and determination on the other. Let’s learn how to configure this all by ourselves using Palo Alto! We’ve already configured this in the previous chapter, so let’s just go over it again!
| Device | Configuration |
|---|---|
| Clint | eth0: 10.0.0.2/24 GW: 10.0.0.1 DNS: 8.8.8.8 |
| PaloAlto | Ethernet1/1: 10.0.0.1/24 Ethernet1/2: DHCP Management: 192.168.0.1/24 |
| Management (WebTerm) | eth0: 192.168.0.2/24 |
| Outside (WebTerm) | eth0: DHCP |
| Zone | Interface |
|---|---|
| Inside | Ethernet1/1 |
| Outside | Ethernet1/2 |
SNAT (Source NAT: Access the Internet in Palo Alto)
Under the policies tab, go to NAT, then click Add.
We want to translate packets originating from the Inside to go to the outside zone using the interface address of ethernet1/2. This would be Port Address Translation Overload. Under the General tab, just change the name.
Under the original packet tab, click add then make the source zone inside. As for the destination zone, make it outside.
Configure these settings under the translated packet tab in the source address translation area:
| Parameter | Value |
|---|---|
| Translation Type | Dynamic IP and Port |
| Address Type | Interface Address |
| Interface | Ethernet1/2 |
| IP Address | None |
Don’t forget to commit!
Check Internet Connectivity on Webterm
Open up webterm, and navigate to any website of your choosing.
If your desired webpage showed up, you have successfully configured SNAT!
