Adding in an additional new firewall to the edge, attracting return traffic

Reply
Highlighted
L3 Networker

Adding in an additional new firewall to the edge, attracting return traffic

I currently have a Brand X firewall at our perimeter with a /24 on the outside and private addressing on the inside. 

I want to add a PAN in parallel to the current firewall and gradually move services from Brand X to PAN. 

The plan at present is to take a /26 of the public space and route to the PAN outside interface from the edge routes.

The trick is that the return traffic to the client on the Internet needs to be attracted to the PAN firewall and not to Brand X firewall to which the default route now points. My plan is to NAT the source IP as the traffic comes inside the PAN.

 

BUT the problem is if I have a load balancer inside using source IP for balancing that would break. And there could be some applications that want to know the real public source IP. Are there any other approaches that I'm missing with regards to having servers send the traffic back to the PAN regardless of the default route on the inside? 

 

If in the end I just need to do source IP NAT I may be able to live with it. But I wanted to ping the hive brain.


Accepted Solutions
Highlighted
L7 Applicator

on the outside the PAN will be able to use proxy-arp to assimilate IP addresses. for every NAT rule you create with an IP in the /24 range, the PAN will send out proxy-arp, letting the routers know it owns those IPs (just make sure no other device uses or proxy-arps for that IP)

 

on the inside it kind of depends on your design and available hardware

if the inside is a flat network with the default gateway set to brandX, setting source-nat to the pan inside interface for inbound connections will be the easiest way to trick inside hosts to reply to the PAN

The same trick with proxy-arp applies to the inside interface: you could set up dynamic-IP nat and provide the PAN with an IP pool, which may help overcome the loadbalancing issues

 

if the inside router/loadbalancer supports policy based forwarding/routing you could set up source routes toward the PAN

 

 

Tom Piens - PANgurus.com
Find my book at amazon.com/dp/1789956374

View solution in original post


All Replies
Highlighted
L7 Applicator

on the outside the PAN will be able to use proxy-arp to assimilate IP addresses. for every NAT rule you create with an IP in the /24 range, the PAN will send out proxy-arp, letting the routers know it owns those IPs (just make sure no other device uses or proxy-arps for that IP)

 

on the inside it kind of depends on your design and available hardware

if the inside is a flat network with the default gateway set to brandX, setting source-nat to the pan inside interface for inbound connections will be the easiest way to trick inside hosts to reply to the PAN

The same trick with proxy-arp applies to the inside interface: you could set up dynamic-IP nat and provide the PAN with an IP pool, which may help overcome the loadbalancing issues

 

if the inside router/loadbalancer supports policy based forwarding/routing you could set up source routes toward the PAN

 

 

Tom Piens - PANgurus.com
Find my book at amazon.com/dp/1789956374

View solution in original post

Highlighted
L3 Networker

Thank you. I didn't realize that this could be accomplished with the proxy arping at the PAN. 

And Dynamic NAT on the inside with a pool is also an interesting thought on dealing with 

the load balancer. The policy routing could have a place too. 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!