Port forwarding, also known as static IP NAT, is a very common configuration on edge firewalls/routers to give outside networks (especially the Internet) access to internal services.
I am going to use the following as an example: we will configure a port forwarding rule on the edge firewall to forward 11.11.11.5:TCP 8080 to the internal web server 172.16.10.100:TCP 80.
From the following table, we can see that in the "NAT Policy", the Dest-Zone on Palo Alto is the "pre NAT Zone", which is the "outside zone".
In the Palo Alto Security Policy, the Dest-Address and Service are both the pre-NAT ones, whereas the ASA matches on the post-NAT values.

| | ASA | Palo Alto |
|---|---|---|
| NAT Policy | Static NAT | Static NAT |
| Source Zone (interface) | outside | outside (or ANY) |
| Dest Zone (interface) | inside | outside (pre NAT Zone) |
| Original Source IP | any | any |
| Original Dest IP | 11.11.11.5/32 | 11.11.11.5/32 |
| Original Service | TCP/Dest-8080 | TCP/Dest-8080 |
| Translate Source IP | same as original | Translation Type: None |
| Translate Dest IP | 172.16.10.100/32 | 172.16.10.100/32 |
| Translate Service | TCP/Dest-80 | TCP/Dest-80 (only can be Dest port) |
| Security Policy | | |
| Source Zone (interface) | Assign Security Policy to outside Interface | outside |
| Dest Zone (interface) | n/a | inside |
| Source Address | any | any |
| Dest Address | 172.16.10.100/32 (post NAT IP) | 11.11.11.5/32 (pre NAT IP) |
| Service | TCP/Dest-80 (post NAT Service) | TCP/Dest-8080 (pre NAT Service) |
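
The matching behaviour in the table can be modelled in a few lines of Python. This is an added example, not code from the original post or from either vendor. It shows which destination tuple each platform's security policy is evaluated against, and why a rule written the ASA way does not match on Palo Alto. The /24 interface subnets and all function names are assumptions made for the illustration.

```python
"""Added example: which packet fields each platform's security policy is matched on."""
from ipaddress import ip_address, ip_network

# Assumed interface subnets (not given on the page); used for the zone lookup.
ZONES = {"outside": ip_network("11.11.11.0/24"), "inside": ip_network("172.16.10.0/24")}
# The static NAT rule from the table: (pre-NAT dest, port) -> (post-NAT dest, port).
NAT = {("11.11.11.5", 8080): ("172.16.10.100", 80)}


def zone_of(ip):
    """Zone whose subnet contains ip (stand-in for the firewall's route lookup)."""
    for name, net in ZONES.items():
        if ip_address(ip) in net:
            return name
    return "outside"  # assumed default route towards the Internet


def nat_rule_dest_zone(dst_ip):
    """Palo Alto NAT rule dest zone: the zone of the pre-NAT destination address."""
    return zone_of(dst_ip)


def security_lookup_key(platform, dst_ip, dst_port):
    """Return the (dest zone, dest IP, dest port) the security policy is matched on."""
    post_ip, post_port = NAT.get((dst_ip, dst_port), (dst_ip, dst_port))
    if platform == "asa":
        # ASA column: ACL on the outside interface, post-NAT IP and service, no dest zone.
        return ("n/a", post_ip, post_port)
    if platform == "paloalto":
        # Palo Alto column: post-NAT zone, but pre-NAT IP and pre-NAT service.
        return (zone_of(post_ip), dst_ip, dst_port)
    raise ValueError(f"unknown platform: {platform}")


def permitted(platform, rule, dst_ip, dst_port):
    """True when the rule equals the evaluated key; otherwise the implicit deny applies."""
    return rule == security_lookup_key(platform, dst_ip, dst_port)


ASA_RULE = ("n/a", "172.16.10.100", 80)              # ASA column of the table
PA_RULE = ("inside", "11.11.11.5", 8080)             # Palo Alto column of the table
PA_RULE_ASA_STYLE = ("inside", "172.16.10.100", 80)  # ASA habit carried over to Palo Alto

if __name__ == "__main__":
    cases = [("ASA", "asa", ASA_RULE), ("Palo Alto", "paloalto", PA_RULE),
             ("Palo Alto, ASA-style rule", "paloalto", PA_RULE_ASA_STYLE)]
    for label, platform, rule in cases:
        verdict = "allow" if permitted(platform, rule, "11.11.11.5", 8080) else "deny"
        print(f"{label}: {verdict}")
```
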