topic Re: DNAT FW Palo Alto - Double NAT in General Topics

DNAT FW Palo Alto - Double NAT

Metgatz — Sat, 11 Feb 2023 00:40:59 GMT

DNAT Support - FW Palo Alto - Double NAT

Hello Lice Community good afternoon, first of all, thanks for the support and collaboration always.

I have received a very strange request, I have tried to configure it by trying many ways and nothing.

What does a client/costumer want:

Dnat with double Nat ie.

Internet ======= Palo Alto Public IP direct to FW ===== DNAT to IP in DMZ range (Ip within the range, but a fictitious IP, that is, DMZ has a range of 192.168.5.0/24 and will be used the IP 192.168.5.100)-----then DNAT again to the IP 10.10.10.100 ( Zone Inside ).

Now if I do it directly to the IP 10.10.10.100 the DNAT works fine. I have done other NAT DNAT source NAT, Source NAT with IP range not directly connected to the FW and everything OK.

But when I do that double DNAT, it doesn't work, I've tried putting a route like /32 to the ip 192.168.3.100/32 and to 10.10.10.100/32. Place a secondary IP in the DMZ Interface/Zone.

The DNAT or NAT itself I have tried anyway.

Source any, destination DMZ 192.168.5.100 DNAT at 10.10.10.100.

Source any, destination Inside 10.10.10.100 DNAT 192.168.5.200.

And all the possible variants and nothing, no hit.

Security policies also all possible variants.

That double nat is feasible, for me it doesn't make much sense to the truth, but technically it is feasible, because no matter how much I move it, nothing happens.

Thank you, I remain attentive to any advice, collaboration, etc.

Kind regards

Re: DNAT FW Palo Alto - Double NAT

Raido_Rattameister — Sat, 11 Feb 2023 00:51:42 GMT

Did you understand what benefit customer would gain if this setup would work?

Re: DNAT FW Palo Alto - Double NAT

Metgatz — Sat, 11 Feb 2023 02:27:02 GMT

Hello @Raido_Rattameister

Thanks a lot for your answer-

What the client wants, stubbornly... I have already spoken with them and told them to review it, but they were also given the full explanation that it does not make much sense or does not have added value to do something like this. But he insists on confirming the feasibility and whether Palo Alto supports it.

I clarify the detail:
Internet-----Public-Ip----IP of the range of the Interface/DMZ Zone 192.168.5.100 and that in turn when the request arrives at IP 192.168.5.100 the FW does another DNAT when hitting 5.100 DNAT towards the final IP 10.10.10.100 in the Inside interface/zone.

Summary: Internet---IpPublic---PaloAlto----DNAT to DMZ 192.168.5.100 ----SAME-FW-PaloAlto---Dnat 5.100 to 10.10.10.100 ( same PA Inside Zone ).

Internet IP---from FW---DNAT to IP dummy/loopback/ipsecondary IP of the DMZ-Zone interface ----( Not a Host IP: IP dummy/loopback/ipsecondary Interface DMZ, IP:192.168.5.100 ) ----And when it hits the 192.168.5.100 of the same Fw-PA----DNAT go to IP 10.10.10.100 the final server in the Inside/LAN zone.

For me a madness that does not make any sense, but I must justify well why not and why it cannot be done, it is not feasible or it is not convenient.

Thanks a lot

Cheers

Re: DNAT FW Palo Alto - Double NAT

Raido_Rattameister — Sat, 11 Feb 2023 02:47:51 GMT

It is easy to do.

Customer buys another Palo.

Set up external firewall that will DNAT to 192.168.5.100 and internal firewall that will perform second DNAT and voila - 2x NAT is achieved 🙂

On more serious note for Palo to send traffic to 192.168.5.100 something needs to reply to arp on that IP.

If Palo has 192.168.5.100 configured on itself it will never send out arp requests for this IP.

You can set up packet capture filter and use "show counter global filter delta yes packet-filter yes" and see why packet is dropped.

If this is not enough then take flow basic logs.

Re: DNAT FW Palo Alto - Double NAT

Metgatz — Sat, 11 Feb 2023 04:33:37 GMT

Hello @Raido_Rattameister good evening:

Yes, hehe, it makes sense, because that double DNAT in the same firewall, understanding that the "one session/packets" Firewall cannot go through two DNATs in the same network device and/or firewall, it doesn't make much sense, going to the theoretical basis of networking and NAT.

Yes, it would be a second firewall, a load balancer and/or a reverse proxy.

Thank you

Best regards