topic Re: How to create an internal type NAT? in General Topics

How to create an internal type NAT?

OMatlock — Mon, 31 Jul 2017 15:48:31 GMT

Hello folks,

Not sure if my question is worded just right, but here goes. 🙂

We have a partner company that has a Juniper NAT type of device plugged into our PA 3020 that does a NAT to a server in there environment, which we communicate with fine using the 10.1.5.x network.

I am being asked to do something similar on our side. Today they are able to communicate with our server using its 10.1.2.15 address (production subnet). My manager is asking if I could create an IP that is not on our production subnet but then will NAT to the 10.1.2.15 instead. This is so that if/when an IP needs to change, we would just change the firewall rule and also to not expose details about our production subnet.

Would anyone have a suggestion for how to do this? Loopback and DNAT in some way?

Current config on left, proposed on the right:

Re: How to create an internal type NAT?

TranceforLife — Mon, 31 Jul 2017 16:07:33 GMT

Can you simply have DNAT on the Palo 10.1.5.252 ip address?

Re: How to create an internal type NAT?

OMatlock — Mon, 31 Jul 2017 16:34:58 GMT

Thanks! I think you mean a DNAT that could say destination of ip 10.1.5.252 translate to 10.1.2.15?

10.1.5.252 is the interface IP on our 3020 that represents their network (gateway). Maybe that could work.

I've not done this scenario, will try it on my home PA 200 and report back.

Re: How to create an internal type NAT?

TranceforLife — Mon, 31 Jul 2017 20:01:26 GMT

Interesting scenario with DG, but yeah it should work. Why not. Just give a go

Re: How to create an internal type NAT?

OMatlock — Tue, 08 Aug 2017 12:41:38 GMT

Thank you for the feedback!

I believe I have worked something out here. Considering that I needed two IP addresses, I can not use the gateway IP. However, your suggestion gives guidance that I can use the 10.1.5.x network as a shared network (subnet) between the two of us. I was orginally considering creating a new subnet somehow.

We will will be doing a NAT from this network to separate (or "mask") our respective inside production networks from each other.

When I get back from vacation (worked it out day before I left), I will add my rules and diagram for reference.

Re: How to create an internal type NAT?

TranceforLife — Tue, 08 Aug 2017 12:44:51 GMT

You can use any spare ip within the 10.1.5.x subnet in DNAT config. Firewall will reply for ARP request by default for that ip

Re: How to create an internal type NAT?

OMatlock — Mon, 04 Sep 2017 13:13:23 GMT

Yea I believe I understand this now. I can use any 10.1.5.x IP. We are using 10.1.5.x as a common network between us and use NAT rules to "hide" the details of our internal networks.

I got this working at my job as well. I am posting my test sample configuration here for reference and close this thread.

DNAT rule. Of course I have a security rule in place that allows permissions between the zones.

Diagram