Palo Alto Networks: How to configure NAT to change the port for the server to go out to the internet with IP Wan as a static IP

1. Goal of the article

  • In network administration, the need to nat a server to the internet is essential for remote administration.
  • But how can you connect devices to the internet when they all use the same administrative access port?
  • In this article, techbast will guide you on how to configure Nat to change the port so that we can perform nat servers to the internet even though they share the same administrative port.

2. Network diagram


  • As diagram Palo Alto firewall will be connected to the internet by PPPoE protocol at port E1/1 with a static IP of 115.78.x.
  • Inside of Palo Alto is the LAN layer with a static IP address of set to port E1/5. On port E1/5 is configured DHCP Server to allocate IP to the devices connected to it.
  • Next, is a VMware ESXi Server located in the LAN layer with IP address and this Vmware Exsi Server is managed by web with HTTPS interface.
  • Finally, a computer outside the internet, this computer can be located anywhere on the internet.

3.Configuration scenarios

  • As you can see both the Palo Alto firewall admin page and the VMware ESXi server use port 443 to access it.
  • Therefore, if we do NAT 1:1, we will only be able to connect 1 of 2 devices to the internet.
  • So in this article techbast will make the VMware ESXi server go out to the internet using port 442 so that the administrator can access the admin page of both devices.

4.What to do

  • Create Address Objects
  • Create Services Objects
  • Create NAT Rule
  • Create Security policy
  • Result

3. Configuration

3.1 Create Address Objects

  • We will create two address objects, Server-public, with the IP address being the WAN port address of the Palo Alto 115.78.x.x device and the webserver-private being the IP address of the internal Web server.
  • To create go to Objects> Addresses> click Add and enter the following parameters:
    • Name: Server-public
    • Type : IP Netmask – 115.78.x.x
  • Click OK to save
  • Click Add again to create the address object for the web server:
    • Name : webserver-private
    • Type : IP Netmask –
  • Click OK to save

3.2 Create Service Objects

We need to create service objects for port 442, to create them in Objects > Services.

Click Add and create according to the following parameters:

  • Name: Port_442
  • Protocol: TCP
  • Destination Port: 442
  • Click OK to save.

3.3 Create NAT Rule

  • To create a NAT rule go to Policies> NAT> Click Add.
  • In the General tab configure with the following parameters:
    • Name: Nat_Server
    • Type : ipv4
  • In the tab Original Packet configures with the following parameters:
    • Source Zone: WAN
    • Destination Zone: WAN
    • Destination Interface: ethernet1/1
    • Service : Port_442
    • Source Address: Any
    • Destination Address: Server-public
  • In the Translated Packet tab, the Destination Translation section is configured as follows:
    • Translation Type: Static IP
    • Translation Address:
    • Translation Port: 443

Click OK to save.

3.4 Create Security policy

  • Create a Security policy to allow traffic from the WAN area to enter the LAN area.
  • To create Go to Policies> Security> Click Add.
  • In the General tab configure with the following parameters:
    • Name: Webserver access
    • Rule Type: universal (default)
  • Source tab :
    • Source Zone : WAN
    • Source Address : Any
  • Destination tab :
    • Destination Zone : LAN
    • Destination Address : Server-public
  • Application tab :
    • Select Any
  • Service/URL Category :
    • Select Port_442 service và Any
  • Action :
    • Log Setting : Select Log at Session End
    • Action Setting : Allow

3.4 Result

  • After configuring the necessary policies we will use a computer outside the internet to access the internal server by IP Wan with port 442 and the result is as follows.
  • We were able to access the server successfully using port 442 from the internet.
  • In addition, we can also access the firewall’s admin page using port 443 as usual.

Be the first to comment

Leave a Reply

Your email address will not be published.


This site uses Akismet to reduce spam. Learn how your comment data is processed.