DMZ and Destination NAT using same subnet

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

DMZ and Destination NAT using same subnet

L4 Transporter

We have migrated from a TMG (ISA) and Cisco Firewall deployment to a PAN firewall with the TMG being used to do proxy and URL redirection. We have a /25 IP range from our ISP that is used for public addresses. We currently have the environment configured so that the PAN does Destination NATs to our internal web non-sharepoint sites. The TMG is used for our sharepoint sites because of the URL rewrite options of the TMG, and because of the way our sharepoint admin set up the environment. The TMG is currently on a VLAN (vlan136) that is shared with the External interface using the same External Zone. This was set up with PBF rules so that traffic that was meant for the TMG would be sent to the TMG, otherwise the traffic is "routed" through the PANs NAT rules for any untrusted to trusted traffic.

We tried without success to move the TMG off of the vlan and into its own zone. What occurred was that the PAN routed all traffic to the new DMZ Zone, regardless of the NAT rules. We were told that NAT rules take precedence over routing, so we thought we would be OK. We would like to put in a netscaler to replace the TMG in the near future, but we don't know how this is going to function. We do not want the TMG inline with our PAN because of the throughput, and we do not want all of the issues that we had when it was our main firewall! Below is what we are trying to do. Any ideas would be greatly appreciated


9-17-2012 3-29-01 PM.jpg

The inherent vice of capitalism is the unequal sharing of blessings; the inherent virtue of socialism is the equal sharing of miseries.
1 accepted solution

Accepted Solutions

I think the setup will be easier to understand if you split up the "functions" (and perhaps use different naming):

1) External <-> "IPS" <-> TMG

2) External <-> "FW" <-> Internal

But instead of using two different boxes you will just use one (well or a failover pair). You could also segment the dataplanes by using VSYS if you prefer.

When in VWIRE the PA will (for the particular interfaces) function just like when you use an IPS - transparent for the surrounding equipment. But compared to an IPS the PA will be a full blown firewall (which includes IPS capabilities). Full blown firewall in terms of being able to filter the traffic not only on ip/port but also application along with SSL-termination and such.

Another way to describe this would be when using VWIRE the box "is not there".

So in your case one could describe the setup as:

1) External <-> TMG

2) External <-> FW <-> Internal

Meaning that the TMG will not see the PA at all, just as if the TMG box would sit directly on the external switch/router.

Regarding the VLAN interfaces its just how I prefer to define stuff, of course you wont need a particular VLAN interface on the PA - a L3 interface will be just fine.

So to clean it up 😉

int1: vwire-int zone vwire_tmg

int2: vwire-int zone vwire_external

int3: L3-int 10.x.x.x zone internal

int4: L3-int 156.98.x.x zone external

or if using VSYS:

VSYS1 (TMGFW):

int1: vwire-int zone vwire_tmg

int2: vwire-int zone vwire_external

VSYS2 (CLIENTFW):

int3: L3-int 10.x.x.x zone internal

int4: L3-int 156.98.x.x zone external

View solution in original post

5 REPLIES 5

L6 Presenter

Is it possible for you to split that /25 into smaller chunks?

I mean if the TMG zone must use public ip addresses you can assign the first /26 for that. The second /26 will be used for outgoing SNAT (like internal-zone web.browsing) and/or incoming DNAT (going to your non-sharepoint sites sitting on WEB zone using RFC1918 addresses).

Another option would of course be to use RFC1918 on all your DMZ's and then just SNAT/DNAT that /25 in whatever way you wish (assuming that 156.98.x.x is just a linknet between your PA and the ISP).

Edit: See for hints on how to setup the NAT-rules and Security-policy.

Thanks for the response. I had considered splitting into smaller chunks, but that would entail readdressing some 20 devices and requesting the State to change DNS, and requesting changes to other government agency owned devices that are using those IPs. It may be a course to take but I would like to expore other avenues. We do SNAT/DNAT for some of our devices, but this DMZ range has devices that are owned and operated from other government entities.

The inherent vice of capitalism is the unequal sharing of blessings; the inherent virtue of socialism is the equal sharing of miseries.

Yeah that would suck because you are then basically locked into how it looks today.

What if you set it up as vwire?

I mean something like:

int1: vwire towards zone vwire_tmg

int2: vwire towards zone vwire_external

int3: vlanX 10.x.x.x zone internal

int4: vlanY 156.98.x.x zone external

And then you setup SNAT/DNAT for 136.234.x.x ip addresses except for the ip's used by the TMG which the vwire would solve for you?

Because with vwire it should be just like if you connected the TMG directly to the external switch/router.

That sounds intriguing. It is what a Palo Engineer also suggested, but I didn't understand completely how it would work.  So what you are saying would be to:

1. create a vwire between 2 interfaces

2. Assign zones vmwire_tmg and vmwire_external to the appropriate interfaces

3. Keep the vlan for the external interface and create a vlan for internal, change the internal interface to L2 and assign it to the internal vlan.

Do I actually need the External and Internal to be VLAN interfaces? Couldn't they be L3? I guess I don't understand what function that provides.

9-24-2012 1-01-35 PM.jpg

The inherent vice of capitalism is the unequal sharing of blessings; the inherent virtue of socialism is the equal sharing of miseries.

I think the setup will be easier to understand if you split up the "functions" (and perhaps use different naming):

1) External <-> "IPS" <-> TMG

2) External <-> "FW" <-> Internal

But instead of using two different boxes you will just use one (well or a failover pair). You could also segment the dataplanes by using VSYS if you prefer.

When in VWIRE the PA will (for the particular interfaces) function just like when you use an IPS - transparent for the surrounding equipment. But compared to an IPS the PA will be a full blown firewall (which includes IPS capabilities). Full blown firewall in terms of being able to filter the traffic not only on ip/port but also application along with SSL-termination and such.

Another way to describe this would be when using VWIRE the box "is not there".

So in your case one could describe the setup as:

1) External <-> TMG

2) External <-> FW <-> Internal

Meaning that the TMG will not see the PA at all, just as if the TMG box would sit directly on the external switch/router.

Regarding the VLAN interfaces its just how I prefer to define stuff, of course you wont need a particular VLAN interface on the PA - a L3 interface will be just fine.

So to clean it up 😉

int1: vwire-int zone vwire_tmg

int2: vwire-int zone vwire_external

int3: L3-int 10.x.x.x zone internal

int4: L3-int 156.98.x.x zone external

or if using VSYS:

VSYS1 (TMGFW):

int1: vwire-int zone vwire_tmg

int2: vwire-int zone vwire_external

VSYS2 (CLIENTFW):

int3: L3-int 10.x.x.x zone internal

int4: L3-int 156.98.x.x zone external

  • 1 accepted solution
  • 5030 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!