topic Re: Destination NAT with different subnet of Outside interface. in General Topics

Destination NAT with different subnet of Outside interface.

ParvezAhmad — Sun, 05 Jan 2014 07:39:21 GMT

Hello,

Outside interface of Palo Alto firewall is configured with aaa.bbb.ccc.ddd /30 subnet.

I have some servers in DMZ those need to be accessed via internet with IP address(es)/subnet ZZZ.XXX.YYY.VVV/24.

I have configured Destination Nat( including Security Policy) for these servers with the IP addresses as mentioned above.

Please let me know how this can work? Do we need to add static route on upstream router for new subnet?

Regards,

Re: Destination NAT with different subnet of Outside interface.

Retired Member — Sun, 05 Jan 2014 08:39:06 GMT

so you mean zzz.xxx.yyy.vvv/24 is public ip subnet also ?

Re: Destination NAT with different subnet of Outside interface.

ParvezAhmad — Sun, 05 Jan 2014 08:44:21 GMT

Yes, zzz.xxx.yyy.vvv/24 is public subnet.

Re: Destination NAT with different subnet of Outside interface.

Retired Member — Sun, 05 Jan 2014 09:11:05 GMT

ok so when accessing this /24 subnet from internet that traffic should come to aaa.bbb.ccc.ddd /30's interface(upstream should route that traffic)

you can add this /24 subnet to the outside interface as second.

Re: Destination NAT with different subnet of Outside interface.

ParvezAhmad — Sun, 05 Jan 2014 11:15:11 GMT

panos, would please let me know how we can add secondary IP address to Outside interface of FW?

Re: Destination NAT with different subnet of Outside interface.

Retired Member — Sun, 05 Jan 2014 11:26:39 GMT

Re: Destination NAT with different subnet of Outside interface.

ParvezAhmad — Sun, 05 Jan 2014 11:30:14 GMT

panos, Thanks a lot.

Re: Destination NAT with different subnet of Outside interface.

ParvezAhmad — Wed, 08 Jan 2014 09:00:31 GMT

panos, I have configured upstream router with static routes for secondary subnet towards outside interface of PA FW.

Apart from this Destination Nat is configured with Security Policies to allow the traffic.

Would you please let us know how to troubleshoot? still the servers are not accessible from internet form secondary subnet.

Regards,

Parvez

Re: Destination NAT with different subnet of Outside interface.

Retired Member — Wed, 08 Jan 2014 09:44:37 GMT

you may use packet capture to troubleshoot while accessing from outside to that secondary subnet

so that we'll see if traffic comes(and we drop) or not

if not so problem is related to upstream

Re: Destination NAT with different subnet of Outside interface.

Gregoux — Wed, 08 Jan 2014 11:04:33 GMT

be careful about the rule

you have to create the rule from internet to DMZ base on the ZZZ.XXX.YYY.VVV/24 ip and not on the NAT ip.

if you have a rule like deny all at the bottom of the rule list, you will see if a deny action is present in the traffic log.

regard's

Re: Destination NAT with different subnet of Outside interface.

VinceM — Wed, 08 Jan 2014 12:47:40 GMT

Keep that in mind :

Hope help

Re: Destination NAT with different subnet of Outside interface.

ParvezAhmad — Wed, 08 Jan 2014 12:54:10 GMT

Gregoux, If I will put deny all at the bottom, Do we need to allow separate rules outside to outside, DMZ to DMZ and Inside to inside for all traffic.

Re: Destination NAT with different subnet of Outside interface.

ParvezAhmad — Wed, 08 Jan 2014 12:58:05 GMT

Thanks a lot. I created the rules as mentioned in this snapshot.

Re: Destination NAT with different subnet of Outside interface.

ParvezAhmad — Thu, 23 Jan 2014 12:43:39 GMT

Thanks a lot . The migration was successful.