AWS NAT not coming back

Reply
L1 Bithead

AWS NAT not coming back

Hello,

I tried to setup the nat, I can see my NAT and Security rule are being hit, but traffic is not flowing

 

Bundle 1

Interface Swap (tested this with no swap too, and it didn;t work)

All of the 3 interfaces disabled src destination

all of them same sg, 0.0.0.0./0

eth0 and eth1 are on the same subnet (public) with a route 0.0.0.0/0 to igw

eth0 and eth1 both have a elastic ip attached

 

eth2 is on the private subnet, route 0.0.0.0/0 points to eth2

Server is on the same subnet as eth2

 

DHCP seems to pick up the proper IPs (internal ips)

 

My nat rule

Source: Trust -> Untrust
Destination ethernet1.1

source: any

destination: any

service any

Source Translation: dynamic ip and port <<PRIVATE IP ADDRESS of eth1>>

 

Hit count: over 2000+

 

For my security rule

Universal, any, any, any .. any, allow. Hit count 3000+ 

 

Monitor shows "aged out", allowed, so it the traffic flows one way, but it doesn't come back!

 

Attached is a screenshot, the internal machine (172.31.73.88 pings google 172.217.4.99

172.31.38.193 is my eth1 "untrust" 

 

Thanks in advance

 

Screen Shot 2019-11-13 at 10.03.52 PM.png

 

 

Here's a request to google port 80

 

Screen Shot 2019-11-13 at 10.13.30 PM.png

 

nat rule

 

Screen Shot 2019-11-13 at 10.23.49 PM.png

L3 Networker

Re: AWS NAT not coming back

2 Thoughts.

  1. Check your default route in the VR.  Ideally, you should use DHCP on both interfaces in the firewall and ensure to Uncheck "Automatically create default route..." on the Trust side Interface so that you only inherit the default route on E1/1.
  2. Change the Source Translation in your NAT rule to: 
    • Translation Type: DIPP
    • Address Type: Interface Address
    • Interface: ethernet 1/1
    • IP Address: None

 

 

L1 Bithead

Re: AWS NAT not coming back

Thanks

 

I made those changes

 

The nat is working if the trust ENI is on the same subnet than the server I'm trying to nat. 

 

is there any way I can point other route tables to this ENI? I made the change but they can't connect to internet.

 

Thank you

L3 Networker

Re: AWS NAT not coming back

Excellent, that is a step in the right direction.  Create a static route on the firewall VR to send all of the VPC subnets that are behind the firewall out of the Eth1/2 interface to the first IP in the firewall's Trust Subnet.  AWS will then route it to the Server subnet.

 

I assume the Server subnet has a 0/0 route point to the Trust side of the firewall?

L1 Bithead

Re: AWS NAT not coming back

Thanks

 

This is how my network looks like

 

Palo in Public
A same subnet that the trust interface, works fine

B diff subnet,  same vpc, same Route Table, pointing to that ENI

 

 

Screen Shot 2019-11-14 at 8.27.35 AM.png

 

 

For the route you mention, Unfortunately... I don't know how.. this is above the knowledge I have for this POC

 

This is why I tried

 

172.31.0.0/16 is my VPC CIDR

172.31.38.193 is the private IP of the "non trust interface"

Screen Shot 2019-11-14 at 8.30.43 AM.png

L3 Networker

Re: AWS NAT not coming back

Rather than specifying your Trust side IP of the firewall as the next hop in that route.  Set the next-hop IP to the first IP of the Trust subnet which is the AWS router IP.

 

ie. if the Trust subnet is /24, set the next-hop to 172.31.38.1

L1 Bithead

Re: AWS NAT not coming back

what I learning experience!

 

My original routes

Screen Shot 2019-11-14 at 8.41.01 AM.png

 

Then I added the VPC CIDR pointing to the "gateway of the trust interface" (Trust = 172.31.123.37)

Screen Shot 2019-11-14 at 8.54.52 AM.png

 

New route

 

Screen Shot 2019-11-14 at 8.51.57 AM.png

 

Thanks for all your help, just documenting here if someone is on the same spot

 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!