How to Create and View NAT policies using the CLI

140922
Created On 09/25/18 17:19 PM - Last Modified 12/31/25 10:52 AM


Procedure


This document describes how to create and view NAT policies using the CLI (command line interface) of the firewall.

Use the following command to create a NAT policy using the CLI:

 
# set rulebase nat rules <NAT Rule Name> description <Description of NAT rule> from <Source Zone> to <Destination Zone> service <Service Type> source <Source IP Address> destination <Destination IP address> source-translation <Type of Source Translation> interface-address interface <Interface Port number>
 

The example below creates a NAT rule named StaticNAT that uses dynamic IP and port source translation with the address of interface ethernet1/4:

 
> configure
# set rulebase nat rules StaticNAT description staticNAT from DMZ to L3-Untrust service any source any destination any source-translation dynamic-ip-and-port interface-address interface ethernet1/4
# commit
# exit
 

Once committed, use the following command to confirm the creation of the NAT policy rule. This command will show all created NAT rules:

 
> show running nat-policy

StaticNAT {
        from DMZ;
        source any;
        to L3-Untrust;
        to-interface  ;
        destination any;
        service  any/any/any;
        translate-to "src: ethernet1/4 10.46.40.56 (dynamic-ip-and-port) (pool idx: 2)";
        terminal no;
}
 

Use the following command to view the settings of a specific NAT rule:

 
> configure
# show rulebase nat rules <rulename>
 

Using the example above, for the NAT rule named "StaticNAT", the steps would be:

 
> configure
# show rulebase nat rules StaticNAT
 

This displays the settings of the NAT rule named "StaticNAT", as shown below:

 
StaticNAT {
        from DMZ;
        source any;
        to L3-Untrust;
        to-interface  ;
        destination any;
        service  any/any/any;
        translate-to "src: ethernet1/4 10.46.40.56 (dynamic-ip-and-port) (pool idx: 2)";
        terminal no;
}
 

Note: Post 9.0, change the translation type to "Dynamic IP" for all DNAT rules that use an FQDN. After a fresh reboot of the firewall, the command "show running nat-policy" might still show the destination as "0.0.0.0" until "commit force" is executed. This is a known cosmetic issue: the actual traffic is not affected and is translated as expected.
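As an added example (not part of the original article), the following Python script parses the "show running nat-policy" output format shown above into a dictionary per rule, extracts the source-translation interface, address and type, and lists rules whose translate-to value still displays 0.0.0.0 so they can be re-checked after "commit force". The sample text is constructed: the StaticNAT block is the one from this page, while the WebDNAT block and the exact wording of its "dst:" line are assumptions.

```python
import re

# Constructed sample in the "show running nat-policy" format shown above: the
# page's StaticNAT rule plus an assumed DNAT rule (WebDNAT) whose translate-to
# line mimics the post-reboot "0.0.0.0" display described in the note.
SAMPLE_OUTPUT = """\
StaticNAT {
        from DMZ;
        source any;
        to L3-Untrust;
        to-interface  ;
        destination any;
        service  any/any/any;
        translate-to "src: ethernet1/4 10.46.40.56 (dynamic-ip-and-port) (pool idx: 2)";
        terminal no;
}
WebDNAT {
        from L3-Untrust;
        to L3-Untrust;
        destination 203.0.113.10;
        service  any/any/any;
        translate-to "dst: 0.0.0.0";
        terminal no;
}
"""

RULE_HEADER = re.compile(r"^(\S+)\s*\{$")          # e.g. "StaticNAT {"
ATTRIBUTE = re.compile(r"^([a-z-]+)\s*(.*?);$")     # e.g. "from DMZ;"
SRC_XLATE = re.compile(r"src:\s+(\S+)\s+(\S+)\s+\(([\w-]+)\)")

def parse_nat_policy(text):
    """Return {rule_name: {attribute: value}} for every rule block in the output."""
    rules, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = RULE_HEADER.match(line)
        if header:
            current = rules.setdefault(header.group(1), {})
        elif line == "}":
            current = None
        elif current is not None and (m := ATTRIBUTE.match(line)):
            current[m.group(1)] = m.group(2).strip().strip('"')
    return rules

def source_translation(rule):
    """(interface, address, type) from a 'src:' translate-to value, else None."""
    m = SRC_XLATE.search(rule.get("translate-to", ""))
    return m.groups() if m else None

def rules_showing_zero_destination(rules):
    """Rules whose translate-to still displays 0.0.0.0; re-check after 'commit force'."""
    return sorted(n for n, r in rules.items() if "0.0.0.0" in r.get("translate-to", ""))
```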


owner: rupalekar