04-19-2018 03:54 PM - edited 04-19-2018 04:14 PM
I hope the brilliant minds here can answer my question.
I have a situation where I need to change NAT to translate in a specific way. I am looking at the PA's behavior, specifically how it selects an IP address in a NAT pool based on the mask.
Here is the setup
Company A uses public IP space within their DMZ, for the sake of example the Class A address space (4.0.0.0/8). Now when they connect that DMZ to the internet, they are going to have an issue because of the conflict on the internet. However, Company A needs time to change the IP addresses, but still needs to access the internet.
Possible Solution
So let's say the temporary solution would be to create an internet resolver that can spoof IP addresses once it sees any address within 4.0.0.0/8. So, for example, let's say a host in the DMZ does a lookup for an internet website called "companyb.example.com" and it resolves to the following A record: 4.199.12.12. The DNS receives the response and translates it to 11.199.12.12 and sends that response back to the host. Effectively the DNS is simply flipping the 1st octet to 11 and retains the remaining 3 octets. The host then makes a request to 11.199.12.12, and since 11.0.0.0/8 routes to the internet, the request heads to a PA firewall. Now, the million dollar question is: can you configure the NAT on the PA so that it can flip the first octet 11 to 4 and retain the last 3 octets? Thus, following the example, the destination IP of 11.199.12.12 translates back to 4.199.12.12?
If so, can the behavior be consistent with /16 or /12, etc.?
-=CB=-
NOTE: I understand that there will be a desire to say there is a limitation on the # of IP connections in a table for the PA. I am interested in how it selects the IP in a given NAT pool if it's set up so that the original packet in a /8 will match up to the destination NAT IP pool.
04-20-2018 04:36 AM
The best solution would be a proxy (which is not in 4.0.0.0/8); that would solve http, https, ftp... issues.
04-21-2018 06:01 AM
Hi @Bhattman
Does company A really have a /8 subnet mask assigned to the servers, or is it a little more segmented? And if yes, are the networks directly connected to the firewall, or is there a router between the DMZ networks and the firewall?
04-27-2018 09:36 AM
The assumption is that the hosts in the DMZ leverage DNS 100% to be directed to what is required to be accessed.
04-27-2018 09:43 AM
You have to assume that they are using DNS for the most part, and those that need to go without would be re-IPed. Which certainly is more manageable than re-IPing the entire environment under an aggressive timeplan.
04-27-2018 09:44 AM
That would be a good option, but in this case they have applications that don't understand how to leverage a proxy.
04-27-2018 05:41 PM
Yes, it's too big to create 1-to-1 static NATs. What I am trying to answer is the behavior of the PA, i.e. how it assigns IP addresses when you configure the Palo Alto to NAT from a /8 range to another /8 range.
Will it randomly choose within the /8?
Will it choose a middle of the road IP?
Will it choose the last IP of that range?
Or will it try to match it up with the original destination packet?
04-29-2018 02:41 AM
I have never configured it with a /8 subnet, but at least with a /24 subnet NAT will match the last octet. So I would assume, if it even works with a /8 subnet, the firewall will try to match the original packet.
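To make concrete what "match the last octet" / "match the original packet" means for the scheme in the original post, here is an added Python model (not code from the thread, from the poster, or from Palo Alto Networks) of the two rewrites involved: the resolver swapping the conflicting 4.0.0.0/8 prefix for 11.0.0.0/8 in DNS answers, and the firewall's destination NAT swapping it back while keeping the host bits. It also shows the general case the /12 and /16 question asks about, using a constructed pair of /12 networks. The functions `translate_prefix`, `dns_rewrite`, `nat_destination` and `round_trip` are assumptions of this example; the model says nothing about how PAN-OS actually picks addresses from a /8 pool, which is the open question in the thread.

```python
import ipaddress

def translate_prefix(ip: str, original_net: str, translated_net: str) -> str:
    """Replace the network bits of `ip` (which must lie in `original_net`) with
    the network bits of `translated_net`, keeping every host bit unchanged.

    This is the host-bits-preserving translation the thread is asking about:
    with a /8 only the first octet changes, with a /24 only the last octet is
    kept, and so on for any prefix length.  Both networks must share a prefix
    length, otherwise there is no one-to-one mapping of host bits.
    """
    addr = ipaddress.IPv4Address(ip)
    onet = ipaddress.IPv4Network(original_net, strict=True)
    tnet = ipaddress.IPv4Network(translated_net, strict=True)
    if onet.prefixlen != tnet.prefixlen:
        raise ValueError("original and translated networks must have the same prefix length")
    if addr not in onet:
        raise ValueError(f"{ip} is not inside {original_net}")
    # hostmask has 1-bits exactly where the prefix does not cover the address
    host_bits = int(addr) & int(onet.hostmask)
    return str(ipaddress.IPv4Address(int(tnet.network_address) | host_bits))

def dns_rewrite(answer_ip: str, conflicting_net: str, spoof_net: str) -> str:
    """Resolver side: rewrite A-record answers that fall in the conflicting
    range into the spoof range; answers outside it pass through untouched."""
    if ipaddress.IPv4Address(answer_ip) in ipaddress.IPv4Network(conflicting_net):
        return translate_prefix(answer_ip, conflicting_net, spoof_net)
    return answer_ip

def nat_destination(dst_ip: str, spoof_net: str, conflicting_net: str) -> str:
    """Firewall side: destination NAT that maps the spoof range back to the
    real internet range, preserving the host bits."""
    return translate_prefix(dst_ip, spoof_net, conflicting_net)

def round_trip(answer_ip: str, conflicting_net: str, spoof_net: str) -> tuple:
    """Follow one lookup through both rewrites: what the DMZ host is told,
    and what the firewall sends to the internet."""
    spoofed = dns_rewrite(answer_ip, conflicting_net, spoof_net)
    real = nat_destination(spoofed, spoof_net, conflicting_net)
    return spoofed, real

if __name__ == "__main__":
    # Values from the thread: companyb.example.com -> 4.199.12.12
    print(round_trip("4.199.12.12", "4.0.0.0/8", "11.0.0.0/8"))
    # Constructed /12 pair: only the top 12 bits are swapped, 4.199.x.x -> 11.23.x.x
    print(translate_prefix("4.199.12.12", "4.192.0.0/12", "11.16.0.0/12"))
    # An answer outside the conflicting range is left alone by the resolver
    print(dns_rewrite("8.8.8.8", "4.0.0.0/8", "11.0.0.0/8"))
```

The model only covers hosts that reach the internet through the rewriting resolver; anything using hard-coded addresses or a different DNS path bypasses it, which is the re-IP caveat raised earlier in the thread. It also only maps packets whose destination is inside the spoof range, so traffic to 11.0.0.0/8 destinations that were never rewritten by the resolver would be translated as well, which is worth keeping in mind if that range carries any legitimate traffic.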
04-29-2018 07:09 AM
That is certainly promising.