LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What is Source NAT (SNAT), why is it needed for internal users to reach the Internet, and what gets translated?

SNAT replaces the source IP of outbound packets with the firewall's public IP, so Internet servers can route replies back. Required because private RFC1918 addresses (192.168.x.x, 10.x.x.x) are not routable on the public Internet — without translation, the reply has nowhere to go.

SNAT header rewrite: source IP/port and checksum change, destination unchanged; reversed on return.

* SNAT rewrites only the source (and checksum); the return is reverse-mapped. *

Firewall rewrites the private source to a public IP; the reply is reversed back to the client.

* SNAT rewrites the private source so replies are routable. *

A router translating private local IP addresses to a single public IP address.

* NAT translating private addresses to a public IP. — Milesjpool, CC BY-SA 4.0, via Wikimedia Commons. *

The flow without SNAT:

Client (192.168.0.100) → packet to 200.0.0.10 (Google)
Source: 192.168.0.100, Dest: 200.0.0.10
                ↓
Reaches Google's server, which tries to reply
                ↓
Reply: Source: 200.0.0.10, Dest: 192.168.0.100
                ↓
ISP routers: "192.168.0.100 is private, no route" → DROP
                ↓
Client never gets a response → Internet doesn't work

The flow with SNAT:

Client (192.168.0.100) → packet to 200.0.0.10
Source: 192.168.0.100, Dest: 200.0.0.10
                ↓
Firewall does SNAT, rewrites source:
Source: 199.0.0.10 (firewall's public IP), Dest: 200.0.0.10
                ↓
Reaches Google. Google replies to 199.0.0.10.
                ↓
Reply arrives at firewall. FW remembers the translation
and rewrites destination back to 192.168.0.100.
                ↓
Client receives reply ✓

The "why is SNAT needed at all" question:

Two possible answers:

  1. IPv4 address scarcity: There are only ~4 billion IPv4 addresses; the world has ~30 billion devices. NAT lets one public IP serve hundreds of internal devices.
  2. Security side-effect: Internal IPs are hidden from the Internet — attackers can't directly address 192.168.0.100.

SNAT translation types:

Type What it does
Static SNAT One internal IP ↔ one public IP (1:1 mapping)
Dynamic SNAT Pool of internal IPs ↔ pool of public IPs
NAT Overload (PAT/NAPT) Many internal IPs → one public IP, distinguished by source port

This setup uses NAT Overload (Palo Alto calls it "Dynamic IP and Port") — the same model your home router uses.

Why "the connection technically goes out, but no reply":

"Streng betrachtet geht die Verbindung nach aussen schon, jedoch können uns die Geräte im Internet nicht antworten, da der Absender eine private IP-Adresse ist."

This is a great mental model — outbound is fine; the return path is what breaks without NAT. Many "firewall not working" troubleshooting sessions boil down to a missing or misconfigured NAT rule.

Tip: When pinging 8.8.8.8 from inside the network fails before SNAT is configured, that's the diagnostic signature of "no NAT" — the request goes out but no reply ever returns. Once SNAT is added, ping works immediately.

Go deeper:

From Quiz: INTROL / Firewall Basics Lab (Palo Alto PA-440) | Updated: Jul 14, 2026