I hope the brilliant minds here can answer my question
I have a situation where I need NAT to translate in a specific way, and I am looking at the PA's behavior regarding how it selects an IP address in a NAT pool based on the mask.
Here is the setup
Company A uses a public IP within their DMZ, for the sake of example Class A (184.108.40.206/8) address space. Now that they have connected that DMZ to the internet, they are going to have an issue because of a conflict on the internet. However, Company A needs time to change the IP address, but still needs to access the internet.
So let's say the temporary solution would be to create an internet resolver that can spoof IP addresses once it sees any address within 220.127.116.11/8. So, for example, let's say a host in the DMZ does a lookup for an internet website called "companyb.example.com" and it resolves to the following A record: 18.104.22.168. The DNS receives the response, translates it to 22.214.171.124 and sends that response back to the host. Effectively the DNS is simply flipping the 1st octet to 11 and retaining the remaining 3 octets. Then the host makes a request to 126.96.36.199, and since 188.8.131.52/8 resolves to the internet, the request heads to a PA firewall. Now, the million-dollar question is: can you configure the NAT on the PA so that it flips the first octet 11 to 4 and retains the last 3 octets? Thus, following the example, the destination IP of 184.108.40.206 translates back to 220.127.116.11?
If so, can the behavior be consistent with /16 or /12, etc.?
NOTE: I understand that there will be a desire to say there is a limitation on the # of IP connections in a table for the PA. I am interested in how it selects the IP in a given NAT pool if it's set so that the original packet in a /8 will match up to the destination NAT IP pool.
Theoretically it could maybe work with DNAT for all 18.104.22.168/8 to 22.214.171.124/8
But how will you access servers in 126.96.36.199/8 then? You would make those all inaccessible :)
Does Company A really have a /8 subnet mask assigned to the servers, or is it a little more segmented? And if yes, are the networks directly connected to the firewall, or is there a router between the DMZ networks and the firewall?
You have to assume that they are using DNS for the most part, and those that need to go without would be re-IPed. Which certainly is more manageable than re-IPing the entire environment under an aggressive timeplan.
So how big of a DMZ space is it? It may be a /8 mask, but how many actual servers are in that space?
I am assuming large enough not to make static entries?
Yes, it's too big to create 1-to-1 static NATs. What I am trying to answer is the behavior of the PA in how it assigns IP addresses when you configure the Palo Alto to NAT from a /8 range to another /8 range.
Will it randomly choose within the /8?
Will it choose a middle of the road IP?
Will it choose the last IP of that range?
Or will it try to match it up the original destination packet?
I have never configured it with a /8 subnet, but at least with a /24 subnet NAT will match the last octet. So I would assume if it even works with a /8 subnet, the firewall will try to match the original packet.
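To make the behavior the original question and this reply describe concrete, here is an added example (not code from the thread or from Palo Alto) of the host-bit-preserving, one-to-one mapping between two equally sized ranges: the resolver-side rewrite of A records, the firewall-side destination translation back, and the same mapping generalised to any prefix length (/8, /12, /16). The octets 4 and 11 follow the post's description; the networks 4.0.0.0/8 and 11.0.0.0/8, the /12 pair, and all sample addresses are constructed for illustration. The `shadowed_by_rule` check captures the point made earlier in the thread that a destination NAT over the whole translated /8 also catches legitimate internet hosts in that range.

```python
from ipaddress import IPv4Address, IPv4Network

# Constructed values based on the octets named in the thread (not the thread's own IPs).
DMZ_NET = IPv4Network("4.0.0.0/8")      # address space Company A actually uses in its DMZ
SHADOW_NET = IPv4Network("11.0.0.0/8")  # range the resolver substitutes for internet 4.x.x.x answers


def translate(addr: IPv4Address, original_net: IPv4Network, translated_net: IPv4Network):
    """One-to-one mapping between two ranges of equal size, preserving the host bits.

    This is the behaviour the reply reports for a /24 static NAT (last octet matches),
    written out so it works for any prefix length. Returns None when the address does
    not fall inside original_net, i.e. the rule would not match the packet.
    """
    if original_net.prefixlen != translated_net.prefixlen:
        raise ValueError("original and translated ranges must be the same size")
    if addr not in original_net:
        return None
    host_bits = int(addr) & int(original_net.hostmask)       # keep the host portion
    return IPv4Address(int(translated_net.network_address) | host_bits)


def dns_rewrite(answer: IPv4Address) -> IPv4Address:
    """Resolver side: an A record inside the DMZ range is rewritten into the shadow range."""
    rewritten = translate(answer, DMZ_NET, SHADOW_NET)
    return answer if rewritten is None else rewritten


def firewall_dnat(dst: IPv4Address) -> IPv4Address:
    """Firewall side: destination NAT that maps the shadow range back to the real range."""
    restored = translate(dst, SHADOW_NET, DMZ_NET)
    return dst if restored is None else restored


def shadowed_by_rule(dst: IPv4Address) -> bool:
    """True when a destination is a real internet host that the /8 DNAT rule would also
    rewrite, which is why such hosts become unreachable under this scheme."""
    return dst in SHADOW_NET


def round_trip(answer: IPv4Address) -> bool:
    """Check that rewrite followed by DNAT yields the address the host originally looked up."""
    return firewall_dnat(dns_rewrite(answer)) == answer


if __name__ == "__main__":
    looked_up = IPv4Address("4.10.20.30")
    print("resolver returns:", dns_rewrite(looked_up))          # 11.10.20.30
    print("firewall sends to:", firewall_dnat(IPv4Address("11.10.20.30")))  # 4.10.20.30
    print("round trip ok:", round_trip(looked_up))
    # Same mapping at /12: host bits are the low 20 bits, so 11.20.1.2 -> 4.20.1.2
    print(translate(IPv4Address("11.20.1.2"),
                    IPv4Network("11.16.0.0/12"), IPv4Network("4.16.0.0/12")))
    print("legitimate 11.9.9.9 caught by rule:", shadowed_by_rule(IPv4Address("11.9.9.9")))
```

Whether PAN-OS actually performs this host-preserving mapping for a /8 static rule is exactly what the thread is asking; the function only makes the expected mapping explicit so it can be compared against a lab test with a small range before relying on it.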