Internet to Shared Gateway


Has anyone used a Shared Gateway for inbound connectivity? For example, if one wanted to host both an "Internet Surfing" Vsys for people to use for outbound Internet traffic and a separate vsys for a DMZ style setup, where users from the Internet would initiate connections into an environment.

My real question lies in a scenario where you would have a proxy-arp for inbound from the Internet connectivity. If your shared gateway hosted an IP address of 172.16.0.1 and was on a 172.16.0.0/24 network, and you had additional hosts that would receive connections using public IPs from this range (let's say 172.16.0.2 represents an internal 192.168.0.2 server), would the NAT setup take place on the external gateway? I believe it would.

More importantly, if the NAT rule is applied on the external gateway to allow this, would the corresponding security rule use the original IP address as a destination (172.16.0.2) or the NAT'd address (192.168.0.2)?

I know without shared gateways being involved, you'd use the original IP in both the security and NAT rule. In this case though, does the NAT occur BEFORE it's handed off to the proper vsys for security evaluation?

I appreciate you all taking the time to look this one over.


Re: Internet to Shared Gateway

I might have stumbled across my own answer. In standard NAT setups the NAT isn't applied until the traffic egresses the firewall interface (according to documentation). If that's the case here, I'm assuming the NAT rule would have to be configured on the Shared Gateway (so it would proxy arp for the incoming session), but the Security policy would still use the original (un-NAT'd) address as the traffic still has not physically left the unit.

Is that correct?


Re: Internet to Shared Gateway

Or arguably perhaps the Shared Gateway follows the same rules as a vsys for NAT, except it has no Security policy, so it simply performs the NAT based on the NAT rule and then routes it on to the vsys.

(I'm starting to talk myself in circles now). :smileyhappy:


Re: Internet to Shared Gateway

Well, further testing has shown that, in the case of shared gateways, the NAT rules applied to that gateway are applied before the traffic is forwarded inside to the vsys. I was able to successfully ping a test machine hosted off an internal interface on a vsys from the Internet using a destination NAT.

The way I did this was to enter the destination NAT in the NAT policy of the shared gateway. Then, a security rule on the vsys using the internal (post-NAT) IP address of the host in question.

I'm assuming at this point that having the traffic egress the shared gateway to the vsys is, in effect, like having traffic traverse an egress interface on the firewall. That is, NAT is applied as it egresses the shared gateway via the external zone I created between it and the vsys.

Does this match up with anyone else's testing? Does Palo Alto support have any documentation for this that I am missing?
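A small model of the two evaluation orders discussed in this thread, added here as an example; it is not code from the original posts or from PAN-OS. The addresses are the ones used in the thread; the function names and the rule structures are assumptions, and the behaviour encoded follows the poster's test result (shared gateway applies DNAT before handing the session to the vsys) and the standard single-vsys behaviour (security policy matched on the pre-NAT destination).

```python
from dataclasses import dataclass

# Addresses from the thread: public 172.16.0.2 on the shared gateway's
# network maps to the internal server 192.168.0.2 behind the vsys.
PUBLIC_IP = "172.16.0.2"
INTERNAL_IP = "192.168.0.2"


@dataclass
class Packet:
    src: str
    dst: str


def shared_gateway_dnat(pkt: Packet, nat_rules: dict) -> Packet:
    """Destination NAT rule configured on the shared gateway.

    Per the thread's testing, this translation happens before the packet
    is forwarded inside to the vsys, so the vsys sees the translated dst.
    """
    return Packet(pkt.src, nat_rules.get(pkt.dst, pkt.dst))


def vsys_security_allows(pkt: Packet, allowed_dsts: set) -> bool:
    """Security policy on the vsys, matched on the destination it is handed."""
    return pkt.dst in allowed_dsts


def inbound_allowed(pkt: Packet, nat_rules: dict, allowed_dsts: set,
                    via_shared_gateway: bool) -> bool:
    """Return True if the inbound session is permitted by the vsys policy."""
    if via_shared_gateway:
        # Shared gateway: DNAT first, then vsys policy on the post-NAT address.
        return vsys_security_allows(shared_gateway_dnat(pkt, nat_rules),
                                    allowed_dsts)
    # Single vsys, no shared gateway: policy is evaluated on the original
    # (pre-NAT) destination; NAT is applied on egress afterwards.
    return vsys_security_allows(pkt, allowed_dsts)


if __name__ == "__main__":
    # Constructed inbound packet from a documentation-range Internet source.
    inbound = Packet("203.0.113.5", PUBLIC_IP)
    nat = {PUBLIC_IP: INTERNAL_IP}
    # Rule written with the internal address matches behind a shared gateway;
    # a rule written with the public address does not.
    print(inbound_allowed(inbound, nat, {INTERNAL_IP}, True))   # True
    print(inbound_allowed(inbound, nat, {PUBLIC_IP}, True))     # False
    # Without a shared gateway the public (pre-NAT) address is the one to use.
    print(inbound_allowed(inbound, nat, {PUBLIC_IP}, False))    # True
```

Running the three cases shows why a vsys security rule written with the public address silently fails to match once a shared gateway sits in front of it.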
