topic Re: Active / Active NAT question in General Topics

Active / Active NAT question

Alex_Samad — Sat, 16 Nov 2019 10:49:36 GMT

To all the A/A users. How have you / Or can you setup SNAT so that all traffic is SNAT'ed to 1 ip .

very basic example

Eth1 - connect to 1.2.3.0/24 - interface address is 1.2.3.2/24 & 1.2.3.3/24 (A/A) 1.2.3.1 arp load balanced

eth2 - connecs to 10.10.10.0/24 interface addrss is 10.10.10.2/24 & 10.10.10.3/24 ( A/A) 10.10.10.1 arp load balanced

Policy that say every thing from eth2 leaving eth1 get SNAT to 1.2.3.1. how do I do this on A/A

Re: Active / Active NAT question

S.Cantwell — Sat, 16 Nov 2019 18:37:24 GMT

Hello

I really believe that for HA A/A you need to have L2 switches upstream/downstream the FWs.

The arp load sharing config allows for a single IP to be shared by both FWs, hence 2 virtual mac addresses.

So the arp table on the L3 switch is going to have 2 entries for the same IP, but with 2 different mac address?

How is that possible?

Based on the parity of the source IP, the FWs will load share (not balance) the sessions.

Yet, if the router has a static IP that is even, then only 1 FW would technically handle the inbound traffic.

I mean you could program the FW to use a SNAT of 1.2.3.1, but I believe that the response traffic would only go to a single FW.

What other questions can I answer for you.

Re: Active / Active NAT question

Alex_Samad — Sat, 16 Nov 2019 20:20:55 GMT

I get the L2 stuff. this is more around the NAT.

if I have 1 SNAT and say it associated with device 0 ( if I have device 0 and device 1).

if traffic enters device 1 and the rules state to use NAT, it will go to device 0 via the cross connect and then be NAT'ed and then sent out .

if the reverse if a return pack comes in and goes to device 1 it will go to device 0 and be un SNAT and then sent inside

so if device 0 fails - that nat will move to device 1 and just work there.

Is that how it works ?

Re: Active / Active NAT question

S.Cantwell — Mon, 18 Nov 2019 15:41:46 GMT

@Alex_Samad

If you have configured arp load sharing on your FWs, then both device 0 and device 1 would be sending the SNAT through their respective eth1/1 interface. It would not (to the best of my knowledge) use the HA3 to perform asynchronous routing.

If device 0 fails, then device1 will still have the SNAT on it.

What other questions can we answer for you?

Re: Active / Active NAT question

Alex_Samad — Mon, 18 Nov 2019 22:35:05 GMT

Let me expand

So I have added a diagram - might help.
So A/A cluster Device0 & Device1
The relevant link to the doco
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/high-availability/set-up-activeactive-ha/determine-your-activeactive-use-case/use-case-configure-separate-source-nat-ip-address-pools-for-activeactive-ha-firewalls.html#id5f921ef5-1f92-4111-9d05-c00dd4d19f7a

so my aim is to have 1 SNAT for all traffic that comes from inside (192.168.0.0/16) to outside (eth1).
The SNAT is 10.0.0.1/32 - I think just having it as a SNAT will make the PA respond to arp requests for it on eth1

on the inside I have 3 vlans 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24. With .1 being the DGW for each lan setup as Arp loading sharing

so if the NAT policy is attached to device 0 my expaction would be for 192.168.1.250 -> 10.10.10.250
192.168.1.250 -> 192.168.1.1 (goes to device 0)
device 0 has the NAT pool
SNAT 10.0.0.1 -> 10.10.10.250
then response would be 10.10.10.250 -> 10.0.0.1
so when one of the routers on the internet site does arp 10.0.0.1 device 0 will respond because it has the SNAT policy
deSNAT 10.10.10.250->192.168.1.250

That all works fine

So lets look at 192.168.3.250 -> 10.10.10.250
192.168.1.250 -> 192.168.1.1 (goes to device 1)
?? What happens here. NAP policy is only active on device 0
does the packet get send to device 0 via the HA link or ??

Re: Active / Active NAT question

S.Cantwell — Wed, 20 Nov 2019 16:59:15 GMT

Hello again.

Thanks for the picture and the detail.

There are some assumptions you made, that I want to clear up.

With ARP Load sharing, you really cannot force device 0 to own the virtual IP.

By definition, arp load sharing means BOTH FWs will own the 192.168.1.1 address

If you wanted to do Floating IP, then yes, you could have device 0 own the IP.

You would need to configure Floating IP for your outside interfaces, so that 10.0.0.1 is associated with device 0 (as you want).

How would 192.168.3.x get out? You would need to config a 2nd Floating IP for the device1 FW.

Something like this.... (IPs are not the same) but you would get the gist of it...

The idea (according to the picture) is that BOTH FWs are configured with a weighted configuration, so that each device0 or device1 FW could fail, and the other FW outside interfaces would "float" to the other FW.

Re: Active / Active NAT question

Alex_Samad — Wed, 20 Nov 2019 20:27:20 GMT

Just for clarity - yes I understand how arp loading sharing work and depending on which method you use you can predict which device responsed. From memory an increment of 1 in the 4th oct will change the device. this is similar to how arp ip load sharing work in linux - last time i looked. so yes its active on both and the pack actual gets to both its a matter of whcih device responds.

But basically you are confirming my original thought. with A/A you can't share 1 SNAT addresses. because if a packet traverses the device that doesn't have the active NAT rule - no NAT Rule would apply. That to me seems like a very big deficiency ...

Lines up with the doco though and what I got from support and from the SE - I went through this exercise nearly 2 years ago.