<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Incomplete sessions for NATTING/Access to different site DMZ in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/incomplete-sessions-for-natting-access-to-different-site-dmz/m-p/344883#M86251</link>
    <description>&lt;P&gt;Hi All,&lt;/P&gt;&lt;P&gt;I have a complex and tricky setup that requires NATting and hosting a web server in a different network/site DMZ. I know it is not best practice, but I hope you can help.&lt;/P&gt;&lt;P&gt;Here is the topology:&lt;/P&gt;&lt;P&gt;Site A zones: Trust, Untrust and DMZ, with their own public IP and web servers&lt;/P&gt;&lt;P&gt;Site B zones: Trust, Untrust and DMZ, with their own public IP and web servers&lt;/P&gt;&lt;P&gt;In case Site B's internet is down and all of the web servers in Site B are unreachable, but the internal connection between Site A and Site B is up, I want to redirect hosting of the Site B web server to Site A. For reasons, we cannot move the Site B server to Site A.&lt;/P&gt;&lt;P&gt;This is what I did:&lt;/P&gt;&lt;P&gt;- Site A PAN firewall: NAT from the Site A public IP to the Site B DMZ web server, then allow web services access from UNTRUST.&lt;/P&gt;&lt;P&gt;- Site B PAN firewall: allow a web services access rule to the Site B DMZ web server from both TRUST and UNTRUST.&lt;/P&gt;&lt;P&gt;The connection comes from the public side (UNTRUST), hits the Site A public IP address (NATted to the Site B web server), then travels across the internal connection to the web server in the Site B DMZ. The problem is that the Site B firewall is confused about whether this connection is from TRUST or UNTRUST, so it keeps dropping and aging out the sessions. The internal connection from Site A to Site B is definitely TRUST.&lt;/P&gt;&lt;P&gt;I know the traffic is allowed on both the Site A and Site B firewalls. Is there a better way to handle this scenario, or am I missing something?&lt;/P&gt;&lt;P&gt;Thanks and regards,&lt;/P&gt;&lt;P&gt;Long Nguyen&lt;/P&gt;</description>
    <pubDate>Fri, 21 Aug 2020 00:02:40 GMT</pubDate>
    <dc:creator>infoit</dc:creator>
    <dc:date>2020-08-21T00:02:40Z</dc:date>
    <item>
      <title>Incomplete sessions for NATTING/Access to different site DMZ</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/incomplete-sessions-for-natting-access-to-different-site-dmz/m-p/344883#M86251</link>
      <description>&lt;P&gt;Hi All,&lt;/P&gt;&lt;P&gt;I have a complex and tricky setup that requires NATting and hosting a web server in a different network/site DMZ. I know it is not best practice, but I hope you can help.&lt;/P&gt;&lt;P&gt;Here is the topology:&lt;/P&gt;&lt;P&gt;Site A zones: Trust, Untrust and DMZ, with their own public IP and web servers&lt;/P&gt;&lt;P&gt;Site B zones: Trust, Untrust and DMZ, with their own public IP and web servers&lt;/P&gt;&lt;P&gt;In case Site B's internet is down and all of the web servers in Site B are unreachable, but the internal connection between Site A and Site B is up, I want to redirect hosting of the Site B web server to Site A. For reasons, we cannot move the Site B server to Site A.&lt;/P&gt;&lt;P&gt;This is what I did:&lt;/P&gt;&lt;P&gt;- Site A PAN firewall: NAT from the Site A public IP to the Site B DMZ web server, then allow web services access from UNTRUST.&lt;/P&gt;&lt;P&gt;- Site B PAN firewall: allow a web services access rule to the Site B DMZ web server from both TRUST and UNTRUST.&lt;/P&gt;&lt;P&gt;The connection comes from the public side (UNTRUST), hits the Site A public IP address (NATted to the Site B web server), then travels across the internal connection to the web server in the Site B DMZ. The problem is that the Site B firewall is confused about whether this connection is from TRUST or UNTRUST, so it keeps dropping and aging out the sessions. The internal connection from Site A to Site B is definitely TRUST.&lt;/P&gt;&lt;P&gt;I know the traffic is allowed on both the Site A and Site B firewalls. Is there a better way to handle this scenario, or am I missing something?&lt;/P&gt;&lt;P&gt;Thanks and regards,&lt;/P&gt;&lt;P&gt;Long Nguyen&lt;/P&gt;</description>
      <pubDate>Fri, 21 Aug 2020 00:02:40 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/incomplete-sessions-for-natting-access-to-different-site-dmz/m-p/344883#M86251</guid>
      <dc:creator>infoit</dc:creator>
      <dc:date>2020-08-21T00:02:40Z</dc:date>
    </item>
    <item>
      <title>Re: Incomplete sessions for NATTING/Access to different site DMZ</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/incomplete-sessions-for-natting-access-to-different-site-dmz/m-p/344920#M86259</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/89298"&gt;@infoit&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;First, since your traffic from the public side (UNTRUST) hits the Site A public IP address (NATted to the Site B web server) and then travels across the internal connection to the web server in the Site B DMZ, the traffic towards the SITE-B firewall will come up with &lt;STRONG&gt;source zone as trust&lt;/STRONG&gt;, as it is traveling via your internal interface (trust) connected between both firewalls.&lt;/P&gt;&lt;P&gt;Now, the source will be a public IP, so you need to check routing for those source public IP addresses on the SITE-B firewall. Most of the time on firewalls, the default route points to the external interface. Due to this route, the response from the DMZ server at Site-B will go towards the external interface (as it will match the default route).&lt;/P&gt;&lt;P&gt;I think this is what is creating the problem. I can suggest a few pointers:&lt;/P&gt;&lt;P&gt;1. If you know the source public IP addresses/networks, set up proper routing on the SITE-B firewall so the response will go through the proper path. Not sure if you would have these details, as most of the time we are not aware of all public source IP addresses unless whitelisting is done.&lt;/P&gt;&lt;P&gt;2. You can NAT the source IP address of the traffic initiator on the SITE-A firewall, i.e. NAT the public source IP to an internal IP address (one that is in trust and known to SITE-B). Then all requests will come from a single source on the SITE-B firewall. But with this, you won't be able to see the actual client IP address on the DMZ end.&lt;/P&gt;</description>
      <pubDate>Fri, 21 Aug 2020 10:49:50 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/incomplete-sessions-for-natting-access-to-different-site-dmz/m-p/344920#M86259</guid>
      <dc:creator>SutareMayur</dc:creator>
      <dc:date>2020-08-21T10:49:50Z</dc:date>
    </item>
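The routing asymmetry described in the reply above, modelled as an added example (this is not code from the thread and not PAN-OS configuration; the interface names ethernet1/1 through ethernet1/3, the RFC 5737 public addresses and the 10.x internal ranges are constructed assumptions). The model does a longest-prefix-match route lookup and fixes the source zone from the ingress interface, so it reproduces the three points the reply makes: Site B classifies the request as trust-to-dmz because it arrives over the inter-site link, the server's reply to the untranslated client address follows the default route out Site B's untrust interface instead of back over the link, and either a more specific route for the client prefix (option 1) or source NAT on Site A (option 2) brings the reply back over the link, with option 2 costing the server the real client address.

```python
"""Two-firewall DNAT-across-sites model. Added example, not from the thread.
All addresses, interface names and routes below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Firewall:
    """Minimal model of one site's firewall: interface-to-zone map, static routes,
    an optional destination-NAT table and an optional source-NAT address."""
    name: str
    zones: dict                                 # interface name -> zone name
    routes: list                                # [(ip_network, egress interface)], any order
    dnat: dict = field(default_factory=dict)    # public address -> internal address
    snat: str = ""                              # if set, forwarded traffic gets this source

    def egress(self, dst):
        """Longest-prefix-match route lookup; the default route wins only when
        nothing more specific covers dst."""
        best_net, best_if = None, None
        for net, ifname in self.routes:
            if ipaddress.ip_address(dst) in net:
                if best_net is None or net.prefixlen > best_net.prefixlen:
                    best_net, best_if = net, ifname
        return best_if

    def zone(self, ifname):
        return self.zones.get(ifname)

    def forward(self, src, dst, ingress_if):
        """Apply DNAT/SNAT to a packet entering on ingress_if. Returns the rewritten
        (src, dst), the zone pair policy is evaluated against, and the egress interface.
        The source zone comes from the ingress interface, not from the source address."""
        dst = self.dnat.get(dst, dst)
        if self.snat:
            src = self.snat
        out_if = self.egress(dst)
        return src, dst, self.zone(ingress_if), self.zone(out_if), out_if


def trace(site_a, site_b, client, vip, link_a="ethernet1/3", link_b="ethernet1/3"):
    """Run the request client -> Site A (DNAT) -> link -> Site B -> DMZ server, then
    route the server's reply on Site B. The reply is symmetric only if it leaves
    Site B on the link interface it came in on, so Site A can undo the DNAT."""
    src, dst, _, _, out_if = site_a.forward(client, vip, "ethernet1/1")
    assert out_if == link_a, "Site A must route the translated destination over the link"
    src_b, dst_b, zb_src, zb_dst, _ = site_b.forward(src, dst, link_b)
    reply_if = site_b.egress(src_b)     # server replies to whatever source it saw
    return {"server_sees": src_b,
            "site_b_zones": (zb_src, zb_dst),
            "reply_leaves_via": reply_if,
            "symmetric": reply_if == link_b}


def build_site_b(extra_routes=()):
    routes = [(ipaddress.ip_network("0.0.0.0/0"), "ethernet1/1"),     # default -> Site B internet
              (ipaddress.ip_network("10.2.2.0/24"), "ethernet1/2"),   # Site B DMZ
              (ipaddress.ip_network("10.1.0.0/16"), "ethernet1/3")]   # Site A internal space via link
    routes.extend(extra_routes)
    return Firewall(name="Site-B", routes=routes,
                    zones={"ethernet1/1": "untrust", "ethernet1/2": "dmz", "ethernet1/3": "trust"})


def build_site_a(snat=""):
    routes = [(ipaddress.ip_network("0.0.0.0/0"), "ethernet1/1"),
              (ipaddress.ip_network("10.1.2.0/24"), "ethernet1/2"),
              (ipaddress.ip_network("10.2.0.0/16"), "ethernet1/3")]   # Site B space via link
    return Firewall(name="Site-A", routes=routes,
                    zones={"ethernet1/1": "untrust", "ethernet1/2": "dmz", "ethernet1/3": "trust"},
                    dnat={"203.0.113.10": "10.2.2.50"},               # Site A public VIP -> Site B DMZ web
                    snat=snat)


CLIENT = "198.51.100.77"      # constructed public client address
VIP = "203.0.113.10"          # constructed Site A public address for the Site B server


def as_posted():
    """The setup from the original post: DNAT only, Site B keeps its default route."""
    return trace(build_site_a(), build_site_b(), CLIENT, VIP)


def fix_route():
    """Option 1: Site B gets a more specific route sending the client prefix over the link."""
    extra = [(ipaddress.ip_network("198.51.100.0/24"), "ethernet1/3")]
    return trace(build_site_a(), build_site_b(extra), CLIENT, VIP)


def fix_snat():
    """Option 2: Site A rewrites the client source to an internal address Site B routes via the link."""
    return trace(build_site_a(snat="10.1.0.1"), build_site_b(), CLIENT, VIP)


if __name__ == "__main__":
    for label, fn in (("as posted", as_posted), ("option 1, route", fix_route), ("option 2, snat", fix_snat)):
        print(label, fn())
```

Run it directly to print all three traces. In the as-posted case the server still sees the real client address, but Site B sends the reply out ethernet1/1 (its own internet, which is down in the scenario) rather than back over the link, which is why neither firewall ever completes the session. Option 1 only works for client prefixes you can enumerate, the caveat the reply raises; under option 2 every request reaches the server from 10.1.0.1, which is the loss of the client address the reply also points out.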
    <item>
      <title>Re: Incomplete sessions for NATTING/Access to different site DMZ</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/incomplete-sessions-for-natting-access-to-different-site-dmz/m-p/345011#M86277</link>
      <description>&lt;P&gt;Thank you Sutare for your ideas.&lt;/P&gt;&lt;P&gt;For option 1: I have a list of Site A public IPs, so I am thinking about setting up a new route on Site B to re-route the traffic hitting the Site B DMZ and return it back to the Site A public IP.&lt;/P&gt;&lt;P&gt;Option 2: I already set up source NAT of the Site A IP to an internal IP address on Site B, but it still fails. Routing works, but I need to check whether PAN inspects the traffic and drops the connection as a spoofed TRUST connection from untrust.&lt;/P&gt;</description>
      <pubDate>Fri, 21 Aug 2020 18:04:25 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/incomplete-sessions-for-natting-access-to-different-site-dmz/m-p/345011#M86277</guid>
      <dc:creator>infoit</dc:creator>
      <dc:date>2020-08-21T18:04:25Z</dc:date>
    </item>
  </channel>
</rss>

