Tuesday, December 6, 2016

Palo Alto Networks - NAT Issue

I ran into a NAT situation recently that I thought I would share. Here is the scenario:

Firewall Untrust IP: 1.1.1.1/24
Firewall Trust IP: 10.10.10.1/24
Web Server Public IP: 2.2.2.2/32
Web Server Private IP: 10.10.10.10/32

The web server should be publicly accessible. Here are the typical steps to make that happen:
  • Create the NAT policy
  • Create the security policies
  • Commit the configuration
Even though the NAT and security policies are correct, you will notice that the web server is still not publicly accessible and it cannot access the Internet. You will also notice that the traffic logs show no traffic for it at all. This is because the public IP assigned to the web server is not on a subnet that is assigned to an interface in the Untrust zone. In other words, the firewall doesn't know where to send traffic because the web server's public IP is not in the route table.

There are three options:
  1. Create a loopback interface with the web server's public IP and assign it to the Untrust zone.
  2. Create a sub-interface on the Untrust interface with the web server's public IP and assign it to the Untrust zone.
  3. Create a static route using the web server's public IP as the destination, with the interface assigned to the Untrust zone, and give it a next hop of none.
This forces the IP to show up in the route table and traffic will begin to route properly.
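The scenario above as PAN-OS CLI set commands, added here as an example and not taken from the original post. It assumes the Untrust interface is ethernet1/1, the virtual router is named default, and the rule names are placeholders; lines starting with # are explanatory and not part of the CLI.

```text
# Option 1: a loopback interface that owns the public IP, placed in the Untrust zone
set network interface loopback units loopback.1 ip 2.2.2.2/32
set network virtual-router default interface loopback.1
set zone Untrust network layer3 loopback.1

# Option 3 (use instead of option 1): a /32 static route out the Untrust
# interface with no next hop, so 2.2.2.2 shows up in the route table
set network virtual-router default routing-table ip static-route WebServer-Public destination 2.2.2.2/32 interface ethernet1/1

# Destination NAT: the "to" zone is Untrust because the firewall resolves the
# pre-NAT destination 2.2.2.2 against the route table to pick that zone
set rulebase nat rules WebServer-DNAT from Untrust to Untrust source any destination 2.2.2.2 service any destination-translation translated-address 10.10.10.10

# Source NAT so the server reaches the Internet as 2.2.2.2
set rulebase nat rules WebServer-SNAT from Trust to Untrust source 10.10.10.10 destination any service any source-translation static-ip translated-address 2.2.2.2 bi-directional no

# Security policy: post-NAT zone (Trust) but pre-NAT destination address (2.2.2.2)
set rulebase security rules Allow-Inbound-Web from Untrust to Trust source any destination 2.2.2.2 application web-browsing service application-default action allow
set rulebase security rules Allow-Server-Outbound from Trust to Untrust source 10.10.10.10 destination any application any service any action allow

commit
```

After the commit, `show routing route` should list 2.2.2.2/32 on the Untrust interface; inbound traffic will still only arrive if the upstream router sends 2.2.2.2/32 toward 1.1.1.1.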
