Active / Active NAT question


Hi

To all the A/A users: how have you (or can you) set up SNAT so that all traffic is SNAT'ed to 1 IP?

Very basic example:

Eth1 - connects to 1.2.3.0/24 - interface address is 1.2.3.2/24 & 1.2.3.3/24 (A/A), 1.2.3.1 ARP load balanced
Eth2 - connects to 10.10.10.0/24 - interface address is 10.10.10.2/24 & 10.10.10.3/24 (A/A), 10.10.10.1 ARP load balanced

Policy that says everything from eth2 leaving eth1 gets SNAT to 1.2.3.1. How do I do this on A/A?

A

 


Cyber Elite

Hello

I really believe that for HA A/A you need to have L2 switches upstream/downstream of the FWs.

The ARP load sharing config allows for a single IP to be shared by both FWs, hence 2 virtual MAC addresses.

So the ARP table on the L3 switch is going to have 2 entries for the same IP, but with 2 different MAC addresses?

How is that possible?

Based on the parity of the source IP, the FWs will load share (not balance) the sessions.

Yet, if the router has a static IP that is even, then only 1 FW would technically handle the inbound traffic.

I mean you could program the FW to use a SNAT of 1.2.3.1, but I believe that the response traffic would only go to a single FW.

What other questions can I answer for you?

Help the community: Like helpful comments and mark solutions

Hi

I get the L2 stuff; this is more around the NAT.

If I have 1 SNAT and say it is associated with device 0 (if I have device 0 and device 1):

If traffic enters device 1 and the rules state to use NAT, it will go to device 0 via the cross connect and then be NAT'ed and then sent out.

In the reverse, if a return packet comes in and goes to device 1, it will go to device 0 and be un-SNAT'ed and then sent inside.

So if device 0 fails, that NAT will move to device 1 and just work there.

Is that how it works?


@Alex_Samad

If you have configured ARP load sharing on your FWs, then both device 0 and device 1 would be sending the SNAT through their respective eth1/1 interface. It would not (to the best of my knowledge) use the HA3 to perform asynchronous routing.

If device 0 fails, then device1 will still have the SNAT on it.

What other questions can we answer for you?


Let me expand

Hi

So I have added a diagram - might help.
So A/A cluster Device0 & Device1
The relevant link to the doco:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/high-availability/set-up-activeactive-ha/d...

So my aim is to have 1 SNAT for all traffic that comes from inside (192.168.0.0/16) to outside (eth1).
The SNAT is 10.0.0.1/32 - I think just having it as a SNAT will make the PA respond to ARP requests for it on eth1.

On the inside I have 3 VLANs: 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24, with .1 being the DGW for each LAN, set up as ARP load sharing.

So if the NAT policy is attached to device 0, my expectation would be, for 192.168.1.250 -> 10.10.10.250:
192.168.1.250 -> 192.168.1.1 (goes to device 0)
device 0 has the NAT pool
SNAT 10.0.0.1 -> 10.10.10.250
then response would be 10.10.10.250 -> 10.0.0.1
so when one of the routers on the internet side does ARP for 10.0.0.1, device 0 will respond because it has the SNAT policy
deSNAT 10.10.10.250 -> 192.168.1.250

That all works fine.

So let's look at 192.168.3.250 -> 10.10.10.250
192.168.1.250 -> 192.168.1.1 (goes to device 1)
?? What happens here. NAT policy is only active on device 0.
Does the packet get sent to device 0 via the HA link or ??

 

 

 

 

Hello again.

Thanks for the picture and the detail.

There are some assumptions you made that I want to clear up.

With ARP load sharing, you really cannot force device 0 to own the virtual IP.

By definition, ARP load sharing means BOTH FWs will own the 192.168.1.1 address.

If you wanted to do Floating IP, then yes, you could have device 0 own the IP.

You would need to configure Floating IP for your outside interfaces, so that 10.0.0.1 is associated with device 0 (as you want).

How would 192.168.3.x get out? You would need to config a 2nd Floating IP for the device1 FW.

Something like this.... (IPs are not the same) but you would get the gist of it...

The idea (according to the picture) is that BOTH FWs are configured with a weighted configuration, so that either the device0 or the device1 FW could fail, and its outside interfaces would "float" to the other FW.


Hi

Just for clarity - yes, I understand how ARP load sharing works, and depending on which method you use you can predict which device responds. From memory, an increment of 1 in the 4th octet will change the device. This is similar to how ARP IP load sharing works in Linux - last time I looked. So yes, it's active on both and the packet actually gets to both; it's a matter of which device responds.

But basically you are confirming my original thought: with A/A you can't share 1 SNAT address, because if a packet traverses the device that doesn't have the active NAT rule, no NAT rule would apply. That to me seems like a very big deficiency...

Lines up with the doco though, and with what I got from support and from the SE - I went through this exercise nearly 2 years ago.
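A small model of the two designs discussed in this thread, added here as an illustration and not taken from the original posts or from PAN-OS. It assumes that IP-modulo ARP load sharing sends an even source address to device 0 and an odd one to device 1 (the mapping is an assumption), that a SNAT rule bound to one device is simply not applied on the other, and that 10.0.0.2 is a constructed placeholder for the second floating IP suggested in the reply.

```python
import ipaddress

# Constructed model of the thread's scenario; not PAN-OS code.
SNAT_DEVICE0 = "10.0.0.1"   # the single SNAT address from the thread
SNAT_DEVICE1 = "10.0.0.2"   # placeholder second floating IP for device 1 (assumed)


def arp_owner(src_ip: str) -> int:
    """Device that answers ARP for the shared gateway under IP-modulo load sharing.
    Assumed mapping: even source address -> device 0, odd -> device 1."""
    return int(ipaddress.ip_address(src_ip)) % 2


def egress_source(src_ip: str, snat_by_device: dict[int, str]) -> tuple[int, str]:
    """Return (device carrying the session, source address the outside host sees).
    A SNAT rule bound to a device is assumed to exist only on that device, so a
    session landing on a device with no rule leaves untranslated (the thread's
    conclusion)."""
    dev = arp_owner(src_ip)
    return dev, snat_by_device.get(dev, src_ip)


def untranslated(clients: list[str], snat_by_device: dict[int, str]) -> list[str]:
    """Clients whose traffic would reach the outside with their private address."""
    return [ip for ip in clients if egress_source(ip, snat_by_device)[1] == ip]


if __name__ == "__main__":
    # Constructed sample of inside hosts spread across the three VLANs in the thread.
    clients = ["192.168.1.250", "192.168.2.17", "192.168.3.250", "192.168.3.251"]
    # Design from the question: one SNAT rule bound to device 0 only.
    single = {0: SNAT_DEVICE0}
    # Design from the reply: a floating IP (with its own SNAT) per device.
    per_device = {0: SNAT_DEVICE0, 1: SNAT_DEVICE1}
    for label, design in (("single SNAT on device 0", single),
                          ("floating IP per device", per_device)):
        print(f"{label}: untranslated = {untranslated(clients, design)}")
```

Running it lists the odd-addressed hosts as leaving untranslated in the single-SNAT design and none in the per-device design, which is the gap the thread describes.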

 

 
