Matching Dynamic IP

L1 Bithead

Matching Dynamic IP

I hope the brilliant minds here can answer my question


I have a situation where I need to change NAT to translate in a specific way. I am looking at the PA's behavior, specifically how it selects an IP address in a NAT pool based on the mask.


Here is the setup

Company A uses public IP space within their DMZ, for the sake of example the Class A (4.0.0.0/8) address space. Now that they have connected that DMZ to the internet, they are going to have an issue because of the conflict on the internet. However, Company A needs time to change the IP addresses, but still needs to access the internet.


Possible Solution

So let's say the temporary solution would be to create an internet resolver that can spoof IP addresses once it sees any address within 4.0.0.0/8. So, for example, let's say a host in the DMZ does a lookup for an internet website called "companyb.example.com" and it resolves to the following A record: 4.199.12.12. The DNS resolver receives the response, translates it to 11.199.12.12 and sends that response back to the host. Effectively the DNS resolver is simply flipping the 1st octet to 11 and retaining the remaining 3 octets. The host then makes a request to 11.199.12.12, and since 11.0.0.0/8 routes to the internet, the request heads to a PA firewall. Now, the million dollar question is: can you configure the NAT on the PA so that it flips the first octet from 11 to 4 and retains the last 3 octets? Thus, following the example, the destination IP of 11.199.12.12 translates back to 4.199.12.12?

If so, can the behavior be consistent with /16 or /12, etc.?


-=CB=-


NOTE: I understand that there will be a desire to say there is a limitation on the # of IP connections in a table for the PA. I am interested in how it selects the IP in a given NAT pool if it's set up so that the original packet in a /8 will match up to the destination NAT IP pool.

L5 Sessionator

Theoretically it could maybe work with DNAT for all of 11.0.0.0/8 to 4.0.0.0/8.

But how will you access servers in 11.0.0.0/8 then? You would make those all inaccessible :)


L5 Sessionator

The best solution would be a proxy (which is not in 4.0.0.0/8); that would solve the http, https, ftp... issues.

Cyber Elite

Hi @Bhattman


Does company A really have a /8 subnet mask assigned to the servers, or is it a little more segmented? And if yes, are the networks directly connected to the firewall, or is there a router between the DMZ networks and the firewall?

L1 Bithead

The assumption is that the hosts in the DMZ leverage DNS 100% to be directed to what is required to be accessed.


L1 Bithead

You have to assume that they are using DNS for the most part, and those that need to go without would be re-IPed. Which is certainly more manageable than re-IPing the entire environment under an aggressive timeplan.

L1 Bithead

That would be a good option, but in this case they have applications that don't understand how to leverage a proxy.

L3 Networker

So how big of a DMZ space is it? It may be a /8 mask, but how many actual servers are in that space?

I am assuming large enough not to make static entries?


Regards,

~Harry

L1 Bithead

Yes, it's too big to create 1-to-1 static NATs. What I am trying to answer is the behavior of the PA: how it assigns IP addresses when you configure the Palo Alto to NAT from a /8 range to another /8 range.


Will it randomly choose within the /8?

Will it choose a middle of the road IP?

Will it choose the last IP of that range?


Or will it try to match it up to the original destination packet?

Cyber Elite

I have never configured it with a /8 subnet, but at least with a /24 subnet NAT will match the last octet. So I would assume if it even works with a /8 subnet, the firewall will try to match the original packet.
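As an added illustration (not code from this thread or from PAN-OS), here is the host-bit-preserving translation the question describes, modelled in Python with the standard ipaddress module: the resolver's 4.x.y.z to 11.x.y.z rewrite, the reverse destination NAT on the firewall, and the same scheme applied to /12 and /16 pool pairs. Whether a PA NAT rule with a /8 dynamic destination pool actually behaves this way is the open question of the thread; the pool names and the sample hosts below are constructed.

```python
from ipaddress import IPv4Address, IPv4Network


def translate_prefix(addr: str, src_net: str, dst_net: str) -> str:
    """Move addr from src_net into dst_net, keeping every host bit unchanged.

    Both pools must use the same mask (/8 -> /8, /12 -> /12, /16 -> /16), so
    the mapping is one-to-one and reversible. Addresses outside src_net are
    returned untouched.
    """
    ip = IPv4Address(addr)
    src = IPv4Network(src_net)
    dst = IPv4Network(dst_net)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("pools must have the same prefix length")
    if ip not in src:
        return addr
    host_bits = int(ip) & int(src.hostmask)  # the part the mask does not cover
    return str(IPv4Address(int(dst.network_address) | host_bits))


# Constructed ranges from the thread: 4.0.0.0/8 is the conflicting DMZ space,
# 11.0.0.0/8 the stand-in range the resolver hands out instead.
CONFLICT_NET = "4.0.0.0/8"
STAND_IN_NET = "11.0.0.0/8"


def dns_rewrite(answer_ip: str) -> str:
    """What the resolver does to an A record: 4.x.y.z -> 11.x.y.z."""
    return translate_prefix(answer_ip, CONFLICT_NET, STAND_IN_NET)


def firewall_dnat(dst_ip: str) -> str:
    """What the firewall's destination NAT must do: 11.x.y.z -> 4.x.y.z."""
    return translate_prefix(dst_ip, STAND_IN_NET, CONFLICT_NET)


def round_trips(answer_ip: str) -> bool:
    """True if the rewrite followed by DNAT lands back on the real address."""
    return firewall_dnat(dns_rewrite(answer_ip)) == answer_ip


if __name__ == "__main__":
    print(dns_rewrite("4.199.12.12"))         # 11.199.12.12
    print(firewall_dnat("11.199.12.12"))      # 4.199.12.12
    # Same scheme on a narrower pool pair (/12): only the masked bits change.
    print(translate_prefix("4.20.1.1", "4.16.0.0/12", "11.16.0.0/12"))  # 11.20.1.1
    # Side effect raised in the thread: a genuine 11.0.0.0/8 host is now unreachable.
    print(firewall_dnat("11.1.2.3"))          # 4.1.2.3
```

The last call shows the reachability cost Sessionator points out: every real destination inside the stand-in range is rewritten as well.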
