topic Re: AWS NAT not coming back in VM-Series in the Public Cloud

AWS NAT not coming back

nronica — Thu, 14 Nov 2019 03:24:16 GMT

Hello,

I tried to setup the nat, I can see my NAT and Security rule are being hit, but traffic is not flowing

Bundle 1

Interface Swap (tested this with no swap too, and it didn;t work)

All of the 3 interfaces disabled src destination

all of them same sg, 0.0.0.0./0

eth0 and eth1 are on the same subnet (public) with a route 0.0.0.0/0 to igw

eth0 and eth1 both have a elastic ip attached

eth2 is on the private subnet, route 0.0.0.0/0 points to eth2

Server is on the same subnet as eth2

DHCP seems to pick up the proper IPs (internal ips)

My nat rule

Source: Trust -> Untrust
Destination ethernet1.1

source: any

destination: any

service any

Source Translation: dynamic ip and port <<PRIVATE IP ADDRESS of eth1>>

Hit count: over 2000+

For my security rule

Universal, any, any, any .. any, allow. Hit count 3000+

Monitor shows "aged out", allowed, so it the traffic flows one way, but it doesn't come back!

Attached is a screenshot, the internal machine (172.31.73.88 pings google 172.217.4.99

172.31.38.193 is my eth1 "untrust"

Thanks in advance

Here's a request to google port 80

nat rule

Re: AWS NAT not coming back

jmeurer — Thu, 14 Nov 2019 12:30:35 GMT

2 Thoughts.

Check your default route in the VR. Ideally, you should use DHCP on both interfaces in the firewall and ensure to Uncheck "Automatically create default route..." on the Trust side Interface so that you only inherit the default route on E1/1.
Change the Source Translation in your NAT rule to:
- Translation Type: DIPP
- Address Type: Interface Address
- Interface: ethernet 1/1
- IP Address: None

Re: AWS NAT not coming back

nronica — Thu, 14 Nov 2019 13:03:47 GMT

Thanks

I made those changes

The nat is working if the trust ENI is on the same subnet than the server I'm trying to nat.

is there any way I can point other route tables to this ENI? I made the change but they can't connect to internet.

Thank you

Re: AWS NAT not coming back

jmeurer — Thu, 14 Nov 2019 13:21:59 GMT

Excellent, that is a step in the right direction. Create a static route on the firewall VR to send all of the VPC subnets that are behind the firewall out of the Eth1/2 interface to the first IP in the firewall's Trust Subnet. AWS will then route it to the Server subnet.

I assume the Server subnet has a 0/0 route point to the Trust side of the firewall?

Re: AWS NAT not coming back

nronica — Thu, 14 Nov 2019 13:32:24 GMT

Thanks

This is how my network looks like

Palo in Public
A same subnet that the trust interface, works fine

B diff subnet, same vpc, same Route Table, pointing to that ENI

For the route you mention, Unfortunately... I don't know how.. this is above the knowledge I have for this POC

This is why I tried

172.31.0.0/16 is my VPC CIDR

172.31.38.193 is the private IP of the "non trust interface"

Re: AWS NAT not coming back

jmeurer — Thu, 14 Nov 2019 13:44:50 GMT

Rather than specifying your Trust side IP of the firewall as the next hop in that route. Set the next-hop IP to the first IP of the Trust subnet which is the AWS router IP.

ie. if the Trust subnet is /24, set the next-hop to 172.31.38.1

Re: AWS NAT not coming back

nronica — Thu, 14 Nov 2019 13:55:48 GMT

what I learning experience!

My original routes

Then I added the VPC CIDR pointing to the "gateway of the trust interface" (Trust = 172.31.123.37)

New route

Thanks for all your help, just documenting here if someone is on the same spot

Re: AWS NAT not coming back

admin_missakid — Mon, 13 Nov 2023 15:06:48 GMT

Worked for me.

Thank you !