NAT traffic from DMZ to another zone

MRahaman — Thu, 16 Nov 2023 10:57:02 GMT

Hallo Everyone,

I am using PA-220

let’s call PaloAlto-Firewall “X”

Office Firewall “Y”

Other firewall “Z”

Firewall X has 8 Interfaces.

Interface 1/1: has the IP-Addressee 192.168.5.254. we assigned this Interface to a Zone Called "DMZ". When this firewall and this Interfaces want to communicate with our office Network it send the traffic to firewall Y with the IP: 192.168.5.1 "Works fine as intended"

Interface 1/2: This interface is physically connected another firewall Z and this interface has the IP: 192.168.9.127, this Interface is also assign to a Zone named “InterConnectedNetwork”. The firewall IP of Z 192.168.9.1.

The firewall Z has three V-LAN 192.168.11/13/15. All the participant of this V-LAN can talk to each through firewall Z other without any problem. Internal routing is configured as like following: Any Traffic come to firewall Z but it’s intend to forwarded to its V-LAN-participant. Firewall Z forward this traffic to the right machine.

Now let’s say a machine with IP 10.50.5.20 traying to talk to one of V-LAN of firewall Z though the firewall Y (have static route to firewall X, it’s work fine) and DMZ of firewall X. Since i do not want to expose the IP from the V-LAN in firewall Z. I created a S-NAT in Palo alto. It's work fine. The traffic in this case looks like following: (V-LAN-Participant: 192.168.13.19) send packet to its gateway 192.168.13.1--> From this point firewall Z forward this packet through the paloalto interface 1/5 192.168.9.127 --> than the DMZ of firewall X send the packet to firewall Y 192.168.5.1-- > Firewall Y send the Packet to 10.50.5.20.

Again the packet flow: 192.168.13.19 -> 192.168.13.1 -> 192.168.9.127-> 192.168.5.1-> 10.50.5.20, so Outbound NAT work perfectly

What is not working is Inbound. I have tried everything that i could, but it is not working. By Inbound the traffic reach the DMZ of Palo alto but it does not forward further. The traffic stop in following point: 10.50.5.20 -> 192.168.5.1-> 192.168.5.254

what i already tried:

Static Routing Tabell
D-NAT (along with a security poilicy)
U-NAT (along with a security poilicy)
Policy Based Forwarding.

Of Course there is always the possibility that i implemented all this in a wrong way.

Can anyone help? Any kind of suggestion regarding to this problem would be nice!

Best regards,

Rahaman

Re: NAT traffic from DMZ to another zone

JayGolf — Thu, 09 Nov 2023 16:39:49 GMT

Hi @MRahaman ,

Can you share a screenshot of your DNAT and security policy? If you don't feel comfortable sharing here, you can send a PM to myself.

topic Re: NAT traffic from DMZ to another zone in General Topics

NAT traffic from DMZ to another zone

Re: NAT traffic from DMZ to another zone