topic Re: L3 deployment with dynamic IP and DMZ (NAT and PBF required?) in General Topics

L3 deployment with dynamic IP and DMZ (NAT and PBF required?)

idelconsulting — Thu, 19 Dec 2013 21:12:07 GMT

Dear all,

I'm trying to move from my initial vWire deployment to L3 in order to get rid of my SSG5. Later on I'll also get rid of my SA-2000.

Current layout:

ISP (dynamic IP) - PA vWire - SSG5 - PA vWire - Intranet

SA-2000

I'm clear how to set up NAT to access the Internet from my internal network.

What I'm a bit unclear is how to set up my DMZ.

Currently the SSG5 forwards all traffic incoming on port 443 to the SA. App filter in place on the external vWire to allow only Active Sync and Secure-access including inbound decryption.

In my understanding I need to configure PBF to forward e.g ingress traffic arriving at the dynamic untrust interface on port 443 to the DMZ interface, correct?

I assume this also means destination NAT (bi-directional?). Can I still filter by application? Some notes mention that PBF and app filter don't work together.

Is there a way to change the port too?

Assuming I want to keep 443 for future remote access via the PA, can I configure a way to translate untrust IP/444 to DMZ IP/443?

Regards,

Andreas

Re: L3 deployment with dynamic IP and DMZ (NAT and PBF required?)

tasonibare — Fri, 20 Dec 2013 02:07:01 GMT

Hello Andreas,

You are correct. You do need a route on the firewall pointing the dynamic, untrust IP address towards the DMZ interface. If you are only expecting 443 traffic on this dynamic address, then you could accomplish this with just a static route. If you are expecting to receive 443 and other services on this IP address however, then you do need a PBF policy.

You can still filter by application and you could use a bi-directional NAT as well.

I've not encountered any problems with PBF and app filter so I cannot comment on that, but they are designed to work in harmony if configured correctly.

For your last question, yes, you can translate the destination port from your untrust traffic(444) to a different port(443) using NAT.

The NAT statement would look something like the following:

Note that the NAT policy permits Untrust to Untrust but the security policy needs to permit Untrust to DMZ.

See the following document for more information regarding NAT on the Palo Alto.

https://live.paloaltonetworks.com/docs/DOC-1517

Regards,

tasonibare

Re: L3 deployment with dynamic IP and DMZ (NAT and PBF required?)

idelconsulting — Thu, 26 Dec 2013 18:35:13 GMT

Hello tasonibare,

thanks a lot for your answer.

It turned out to be simpler than I expected.

All I needed was a NAT rule similar to what you showed without any PBF rules. In addition I just had to add the DMZ zone as a source zone to the outgoing source NAT and everything worked as expected. (OK, almost. I lost a couple of hours before I figured out that my DynDNS IP used as a FQDN address object was wrong).

Regards,

Andreas