08-18-2020 09:58 PM
I currently have a Brand X firewall at our perimeter with a /24 on the outside and private addressing on the inside.
I want to add a PAN in parallel to the current firewall and gradually move services from Brand X to PAN.
The plan at present is to take a /26 of the public space and route it to the PAN outside interface from the edge routers.
The trick is that the return traffic to the client on the Internet needs to be attracted to the PAN firewall and not to Brand X firewall to which the default route now points. My plan is to NAT the source IP as the traffic comes inside the PAN.
BUT the problem is if I have a load balancer inside using source IP for balancing that would break. And there could be some applications that want to know the real public source IP. Are there any other approaches that I'm missing with regards to having servers send the traffic back to the PAN regardless of the default route on the inside?
If in the end I just need to do source IP NAT I may be able to live with it. But I wanted to ping the hive brain.
08-18-2020 11:32 PM - edited 08-18-2020 11:33 PM
On the outside the PAN will be able to use proxy-ARP to assimilate IP addresses. For every NAT rule you create with an IP in the /24 range, the PAN will send out proxy-ARP, letting the routers know it owns those IPs (just make sure no other device uses or proxy-ARPs for that IP).
On the inside it kind of depends on your design and available hardware:
- If the inside is a flat network with the default gateway set to Brand X, setting source NAT to the PAN inside interface for inbound connections will be the easiest way to trick inside hosts into replying to the PAN.
- The same trick with proxy-ARP applies to the inside interface: you could set up dynamic-IP NAT and provide the PAN with an IP pool, which may help overcome the load-balancing issues.
- If the inside router/load balancer supports policy-based forwarding/routing, you could set up source routes toward the PAN.
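The three return-path options in this reply (source NAT to the PAN inside interface, dynamic-IP NAT from a pool, and policy-based routing with no NAT) have different effects on a source-IP-hashing load balancer and on whether servers still see the real client address. The following model is an added example written for this thread, not code from the original post or from Palo Alto Networks; all addresses, the 4-backend hash, and the pool-exhaustion behaviour (a new client gets no translation once the pool is empty) are constructed assumptions for illustration.

```python
"""
Model of the three return-path options discussed above (constructed example).

Inside hosts default-route to the old firewall, so inbound flows arriving via
the PAN must either be source-NATed (so replies go back to the PAN) or be
steered by policy-based routing on the inside router. This script shows how
each choice changes a source-IP-hashing load balancer's distribution and
whether the backend still sees the real client IP.
"""
import ipaddress
from collections import Counter
from typing import Optional

# Constructed sample of inbound connections: public client source IPs.
CLIENT_IPS = [f"203.0.113.{n}" for n in (10, 23, 57, 99, 101, 150, 201, 240)]
PAN_INSIDE_IP = "192.168.1.2"      # assumed PAN inside interface address
N_BACKENDS = 4                     # assumed number of pool members behind the LB


def backend_for(src_ip: str, n_backends: int = N_BACKENDS) -> int:
    """Simplified source-IP hash, as a persistence-based load balancer might do."""
    return int(ipaddress.ip_address(src_ip)) % n_backends


def static_source_nat(clients, nat_ip: str = PAN_INSIDE_IP):
    """Option 1: every inbound flow is translated to the PAN inside interface IP.
    Returns (original_src, translated_src) pairs."""
    return [(c, nat_ip) for c in clients]


class DynamicIpPool:
    """Option 2: one-to-one dynamic-IP NAT from a pool. A client keeps the same
    translated address while it is active. When the pool is exhausted a new
    client gets no translation (modelled as None, i.e. the flow fails)."""

    def __init__(self, network: str):
        self.free = [str(h) for h in ipaddress.ip_network(network).hosts()]
        self.active = {}

    def translate(self, src_ip: str) -> Optional[str]:
        if src_ip in self.active:
            return self.active[src_ip]
        if not self.free:
            return None                       # pool exhausted: connection fails
        self.active[src_ip] = self.free.pop(0)
        return self.active[src_ip]


def dynamic_ip_nat(clients, pool: DynamicIpPool):
    return [(c, pool.translate(c)) for c in clients]


def policy_routed(clients):
    """Option 3: no NAT; the inside router steers replies back to the PAN,
    so the source address the backend sees is the real client IP."""
    return [(c, c) for c in clients]


def distribution(flows) -> Counter:
    """Flows per backend after hashing the address the LB actually sees;
    failed (None) flows never reach the LB and are skipped."""
    return Counter(backend_for(t) for _, t in flows if t is not None)


def real_ip_visible(flows) -> bool:
    """True when every delivered flow still carries the original client IP."""
    return all(t == c for c, t in flows if t is not None)


if __name__ == "__main__":
    for name, flows in (
        ("static source NAT", static_source_nat(CLIENT_IPS)),
        ("dynamic-IP NAT /29 pool", dynamic_ip_nat(CLIENT_IPS, DynamicIpPool("10.10.10.0/29"))),
        ("policy-based routing", policy_routed(CLIENT_IPS)),
    ):
        failed = sum(1 for _, t in flows if t is None)
        print(f"{name:25s} backends={dict(distribution(flows))} "
              f"failed={failed} real_ip={real_ip_visible(flows)}")
```

With static source NAT all eight flows hash to the single backend chosen for the PAN inside address, which is the breakage the original poster feared; the pool spreads flows again but still hides the client IP and silently fails new clients once the six /29 addresses are in use, so pool sizing (or a fallback) matters; policy-based routing is the only option in which backends and logs keep the real source.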
08-19-2020 06:55 AM
Thank you. I didn't realize that this could be accomplished with the proxy ARPing at the PAN. And dynamic NAT on the inside with a pool is also an interesting thought on dealing with the load balancer. The policy routing could have a place too.