topic Re: Source NAT subnet from wrong interface in General Topics

Source NAT subnet from wrong interface

Pederjohansson — Thu, 23 Nov 2017 07:47:05 GMT

Hi, So im having difficult with a source nat to Internet.. My goal is to route traffic between two vlans in my cisco 2960x switch and let palo handle the rest.. The problem is that the source net arrives to the palo on the wrong interface (well its expected..)

i have zone already configuerd in the palo fw with zones, interface. Ive created a access rule from zone1, with source net 10.20.31.0 and i see in the log that the traffic allows from zone1 with source net 10.20.31.0.. But the NAT rule i cant get to work.. need help 🙂

palo

zone1: 10.20.30.0

zone2: 10.20.31.0

2960x

vlan1: 10.20.30.0

vlan2:10.20.31.0

vlan1-2 routes in cisco 2960x

default route to 10.20.30.2 (palo)

Re: Source NAT subnet from wrong interface

reaper — Thu, 23 Nov 2017 09:23:22 GMT

Can you provide some more details,. like for example what you mean with 'wrong interface' as this is not clear from your explanation

Did you create 2 subinterfaces, each with their own zone/vlan tag?

If you want to route between the 2 vlans adn perform NAT it's probably better to have the firewall perform routing while also taking care of NAT

Re: Source NAT subnet from wrong interface

pulukas — Thu, 23 Nov 2017 12:43:52 GMT

If you have no need to control traffic between the zone 1 and zone 2, I see no reason to create the two interfaces and zones on the PA.

From what you describe I assume that the single default route of your switch along with local routing is having all the traffic from both subnets arrrive on the PA via your "zone 1" interface.

You can simply treat both subnets as the same zone and have a route on the PA that pushes the second subnet out the existing "zone 1" interface and delete the zone 2 interface entirely.

Any special treatment of the two subnets could be handled by security policies based simply on the subnet in the same zone just as easily for the external internet access.

Re: Source NAT subnet from wrong interface

Pederjohansson — Thu, 23 Nov 2017 12:51:35 GMT

palo config (updated)

zone1: 10.20.30.0 subinterface attached with own zone, vlan tag

zone2: 10.20.31.0 subinterface attached with own zone, vlan tag

what i mean with wrong interface is that 10.20.31.0 client traffic hits the "zone1" zone (zone1, source address 10.20.31.0) in the fw because the default route in the switch is 10.20.30.4.. i want the switch to handle routing to have high Throughput. So im struggeling with the NAT.

How should a nat be created for this?

Is it possible to do this, with diffrent zones ?

Or do i need to put both subnet in one zone? (this works, but then i need to change all access rules to check source network 10.20.31 or 10.20.30 to control the traffic.)

Is this good solution? 🙂

Re: Source NAT subnet from wrong interface

Pederjohansson — Thu, 23 Nov 2017 13:04:03 GMT

thanks for the input puklukas, i belive it is better to treat both subnets as the same zone after some testing today. if i trust the traffic in the switch i can trust it in PA and set security rules on the source address. I will test some more.. But for the NAT is it even possible for the PA to handle this? (If a seperate the two subnets to diffrent zones)

Re: Source NAT subnet from wrong interface

pulukas — Sat, 25 Nov 2017 16:12:28 GMT

You pretty much have to have these two interfaces in the same zone. As you note, there is only one default route on the switch so all the traffic out will use that interface to the PA regardless of which subnet the computers are in.

You can then create two nat rules if you want the two subnets to nat to different addresses and that can easily be in the same zone.

I guess I am not understanding which configuration you are having problems making specific that cannot be done with the two subnets and interfaces in the same zone. Can you post an example?