02-10-2023 04:40 PM
DNAT Support - FW Palo Alto - Double NAT
Hello Lice Community good afternoon, first of all, thanks for the support and collaboration always.
I have received a very strange request, I have tried to configure it by trying many ways and nothing.
What does a client/costumer want:
Dnat with double Nat ie.
Internet ======= Palo Alto Public IP direct to FW ===== DNAT to IP in DMZ range (Ip within the range, but a fictitious IP, that is, DMZ has a range of 192.168.5.0/24 and will be used the IP 192.168.5.100)-----then DNAT again to the IP 10.10.10.100 ( Zone Inside ).
Now if I do it directly to the IP 10.10.10.100 the DNAT works fine. I have done other NAT DNAT source NAT, Source NAT with IP range no...
But when I do that double DNAT, it doesn't work, I've tried putting a route like /32 to the ip 192.168.3.100/32 and to 10.10.10.100/32. Place a secondary IP in the DMZ Interface/Zone.
The DNAT or NAT itself I have tried anyway.
Source any, destination DMZ 192.168.5.100 DNAT at 10.10.10.100.
Source any, destination Inside 10.10.10.100 DNAT 192.168.5.200.
And all the possible variants and nothing, no hit.
Security policies also all possible variants.
That double nat is feasible, for me it doesn't make much sense to the truth, but technically it is feasible, because no matter how much I move it, nothing happens.
Thank you, I remain attentive to any advice, collaboration, etc.
Kind regards
02-10-2023 06:45 PM - edited 02-10-2023 06:47 PM
It is easy to do.
Customer buys another Palo.
Set up external firewall that will DNAT to 192.168.5.100 and internal firewall that will perform second DNAT and voila - 2x NAT is achieved 🙂
On more serious note for Palo to send traffic to 192.168.5.100 something needs to reply to arp on that IP.
If Palo has 192.168.5.100 configured on itself it will never send out arp requests for this IP.
You can set up packet capture filter and use "show counter global filter delta yes packet-filter yes" and see why packet is dropped.
If this is not enough then take flow basic logs.
02-10-2023 04:51 PM
Did you understand what benefit customer would gain if this setup would work?
02-10-2023 05:56 PM - edited 02-10-2023 06:27 PM
Hello @Raido_Rattameister
Thanks a lot for your answer-
What the client wants, stubbornly... I have already spoken with them and told them to review it, but they were also given the full explanation that it does not make much sense or does not have added value to do something like this. But he insists on confirming the feasibility and whether Palo Alto supports it.
I clarify the detail:
Internet-----Public-Ip----IP of the range of the Interface/DMZ Zone 192.168.5.100 and that in turn when the request arrives at IP 192.168.5.100 the FW does another DNAT when hitting 5.100 DNAT towards the final IP 10.10.10.100 in the Inside interface/zone.
Summary: Internet---IpPublic---PaloAlto----DNAT to DMZ 192.168.5.100 ----SAME-FW-PaloAlto---Dnat 5.100 to 10.10.10.100 ( same PA Inside Zone ).
Internet IP---from FW---DNAT to IP dummy/loopback/ipsecondary IP of the DMZ-Zone interface ----( Not a Host IP: IP dummy/loopback/ipsecondary Interface DMZ, IP:192.168.5.100 ) ----And when it hits the 192.168.5.100 of the same Fw-PA----DNAT go to IP 10.10.10.100 the final server in the Inside/LAN zone.
For me a madness that does not make any sense, but I must justify well why not and why it cannot be done, it is not feasible or it is not convenient.
Thanks a lot
Cheers
02-10-2023 06:45 PM - edited 02-10-2023 06:47 PM
It is easy to do.
Customer buys another Palo.
Set up external firewall that will DNAT to 192.168.5.100 and internal firewall that will perform second DNAT and voila - 2x NAT is achieved 🙂
On more serious note for Palo to send traffic to 192.168.5.100 something needs to reply to arp on that IP.
If Palo has 192.168.5.100 configured on itself it will never send out arp requests for this IP.
You can set up packet capture filter and use "show counter global filter delta yes packet-filter yes" and see why packet is dropped.
If this is not enough then take flow basic logs.
02-10-2023 08:33 PM
Hello @Raido_Rattameister good evening:
Yes, hehe, it makes sense, because that double DNAT in the same firewall, understanding that the "one session/packets" Firewall cannot go through two DNATs in the same network device and/or firewall, it doesn't make much sense, going to the theoretical basis of networking and NAT.
Yes, it would be a second firewall, a load balancer and/or a reverse proxy.
Thank you
Best regards
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
