topic Re: NAT to multiple https sites in General Topics

NAT to multiple https sites

tjcarter — Thu, 10 Jan 2013 21:09:36 GMT

It is possible to NAT to multiple internal https sites behind a single external IP address? If so any guidance on how to create the NAT policy would be most apprecaited.

Re: NAT to multiple https sites

mikand — Thu, 10 Jan 2013 21:18:13 GMT

You mean someone from internet access x.x.x.x which your PA device will forward (destination NAT) to 2 or more webservers on DMZ?

Not that im aware of today.

Re: NAT to multiple https sites

kfindlen — Thu, 10 Jan 2013 21:22:10 GMT

Hello,

The only NAT configuration which would allow access to two different servers behind the firewall from one public IP address would be to use different destination ports on the external interface.

External IP: 1.1.1.1

1.1.1.1:443 -> Server1:443

1.1.1.1.4443 -> Server2:443

Thanks,

-- Kevin

Re: NAT to multiple https sites

mikand — Thu, 10 Jan 2013 21:26:40 GMT

What about ECMP (Equal Cost Multi-Path routing) - is it supported in PANOS 5.0 yet?

Because then you could do something like:

1) PA will destination NAT incoming traffic for x.x.x.x into y.y.y.y.

2) Then the vrouter will forward traffic towards y.y.y.y with a.a.a.a or b.b.b.b (or how many you might have) as nexthop (roundrobin and do this per session).

3) Setup your webservers (a.a.a.a and b.b.b.b) to also listen to y.y.y.y as some kind of loopback interface.

Re: NAT to multiple https sites

kfindlen — Thu, 10 Jan 2013 21:29:33 GMT

ECMP is not currently supported.

I'm not sure if the original question was more of a load balance scenario or two completely separate sites hosted on different machines. The multiple external port option is the only way to do this today unless you can further filter the NAT policy by source IP.

Re: NAT to multiple https sites

mikand — Thu, 10 Jan 2013 21:36:10 GMT

If its the second case (separate sites hosted on different machines) - what about involving PBF?

1) PA will destination NAT incoming traffic for x.x.x.x into y.y.y.y.

2) Then the PBF will if application web-site1 forwarding traffic either on egress interface (like VLAN101) and/or nexthop to a.a.a.a while for application web-site2 forwarding on egress VLAN102 and/or nexthop to b.b.b.b.

3) Setup your webservers (a.a.a.a and b.b.b.b) to also listen to y.y.y.y as some kind of loopback interface.

Re: NAT to multiple https sites

tjcarter — Thu, 10 Jan 2013 21:39:57 GMT

We are dealing with multiple internal https sites. I have implemented different senarios using seperate external ports for different services on different servers (80 for http, 22 for ssh) but in this case I am stuck trying to get multiple servers that are offering the same service (https) but for different applications/sites. Make sense?

Re: NAT to multiple https sites

kfindlen — Thu, 10 Jan 2013 21:45:18 GMT

Yeah, a setup like the one I mentioned in my first post is the only option possible on the firewall today.

External IP: 1.1.1.1

1.1.1.1:443 -> Server1_IP:443

1.1.1.1.4443 -> Server2_IP:443

So if you hit the external IP on port 443 you go to server1, and port 4443 you go to the HTTPS on server2.

Re: NAT to multiple https sites

mikand — Thu, 10 Jan 2013 21:54:20 GMT

A workaround would be if you can spare additional ip's for this service.

External IP:

1.1.1.1 -> Server1_IP

1.1.1.2 -> Server2_IP

1.1.1.3 -> Server3_IP

and then use dns roundrobin.

Another workaround would be if your webservers can run something similar to GLBP or such.

So the PA will just do 1.1.1.1 -> DMZ_IP and then the webservers uses GLBP or whatever to make the PA forward the traffic to them - however this will probably break session based logins and such for the clients (unless the session table is stored in the db available for all the webservers).

The proper solution (today) is most likely to get a loadbalancer either something like F5 (and setup up 2 of them as active/passive) or build your own using nginx/apache (mod_proxy/mod_security) along with CARP service (for active/passive between the two boxes) so you end up with:

PA -> LoadBalancer -> Switch -> Webservers

Re: NAT to multiple https sites

kfindlen — Thu, 10 Jan 2013 21:55:18 GMT

Mikand,

Step 2 would be the problem. How would the firewall determine which direction to forward the traffic at that point? The HTTP request which would contain the destination URL would not even be sent by the client until both the 3-way TCP and SSL handshakes were complete. By that point the firewall wouldn't be able to change the forwarding based on the URL without breaking the session. This also assumes SSL decryption is in use, which for inbound decryption both internal servers would have to present the same server certificate.

Maybe a web server cluster with a virtual IP that handles both web sites?

Thanks,

-- Kevin

Re: NAT to multiple https sites

mikand — Thu, 10 Jan 2013 22:08:28 GMT

Darn, I was thinking if two (or more) custom app-id's looking for web-browsing + http-host...

So when will PA get support for loadbalancing DNAT or for that matter ECMP? 🙂