How to create an internal type NAT?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

How to create an internal type NAT?

L4 Transporter

Hello folks,

 

Not sure if my question is worded just right, but here goes. 🙂

 

We have a partner company that has a Juniper NAT type of device plugged into our PA 3020 that does a NAT to a server in there environment, which we communicate with fine using the 10.1.5.x network.


I am being asked to do something similar on our side.  Today they are able to communicate with our server using its 10.1.2.15 address (production subnet).  My manager is asking if I could create an IP that is not on our production subnet but then will NAT to the 10.1.2.15 instead.  This is so that if/when an IP needs to change, we would just change the firewall rule and also to not expose details about our production subnet.

 

Would anyone have a suggestion for how to do this?  Loopback and DNAT in some way?

 

Current config on left, proposed on the right:

PANAT.jpg

1 accepted solution

Accepted Solutions

You can use any spare ip within the 10.1.5.x subnet in DNAT config. Firewall will reply for ARP request by default for that ip

View solution in original post

6 REPLIES 6

L6 Presenter

Can you simply have DNAT on the Palo 10.1.5.252 ip address?

Thanks!  I think you mean a DNAT that could say destination of ip 10.1.5.252 translate to 10.1.2.15?

 

10.1.5.252 is the interface IP on our 3020 that represents their network (gateway).  Maybe that could work. 

I've not done this scenario, will try it on my home PA 200 and report back.

Interesting scenario with DG, but yeah it should work. Why not. Just give a go

Thank you for the feedback!

 

I believe I have worked something out here.  Considering that I needed two IP addresses, I can not use the gateway IP.  However, your suggestion gives guidance that I can use the 10.1.5.x network as a shared network (subnet) between the two of us.  I was orginally considering creating a new subnet somehow. 

 

We will will be doing a NAT from this network to separate (or "mask") our respective inside production networks from each other. 

 

When I get back from vacation (worked it out day before I left), I will add my rules and diagram for reference.

You can use any spare ip within the 10.1.5.x subnet in DNAT config. Firewall will reply for ARP request by default for that ip

Yea I believe I understand this now.  I can use any 10.1.5.x IP.  We are using 10.1.5.x as a common network between us and use NAT rules to "hide" the details of our internal networks.

 

I got this working at my job as well.  I am posting my test sample configuration here for reference and close this thread.

 

DNAT rule.  Of course I have a security rule in place that allows permissions between the zones.

DNAT.jpg

 

Diagram

visioDNAT.jpg

 

  • 1 accepted solution
  • 3084 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!