Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

NAT and OSPF

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

NAT and OSPF

L4 Transporter

Hi

 

I have a PA-3060 (A-A).

 

I have a NAT lests say 

 

1.1.1.1: 443 -> 192.168.10.10:10000

 

now the PA is part of an OSPF network, how to I publish out the address 1.1.1.1

 

I was thinking of adding 1.1.1.1 to a loopback and adding to a virtual router and then adding the interface to OSPF.

 

I read that I need a policy for src address: port -> 192.168.10.10:10000 as the policy happens after the NAT.  But now that I have the ip address on the loopback, I am seeing failed packets on 1.1.1.1 address so do I need both ?

 

Thanks

1 accepted solution

Accepted Solutions

If your question is how to advertise your NAT pool or single address out OSPF I believe we just created OSPF Export Rules and advertised them as ext-1.

 

We've got two virtual routers, one for the inside networks and one for the Internet side.  Each of those does OSPF out to their respective networks (Internet side OSPF just goes to an edge router) and iBGP propogates whatever routes we want between the two.  The export rules that contain our NAT ranges are on the Internet side VR.

 

I asked our proffesional services steam if this was the correct way to implement it and they said that would probably be how they would have done it.  The only thing I don't like with our current setup is that it is advertising ALL of our public IPs this way which means even IPs that aren't being used for NAT have a route from the firewall.  I think a solution would be to just create more specific Export Rules to contain only what we're using for NAT and then have a NULL route for the entire range on our edge router.  That way, any traffic destined for an IP not being used for NAT currently just dies at the edge instead of having to hit the firewall.

View solution in original post

3 REPLIES 3

L4 Transporter

Okay for any one coming to this later.

 

fristly, NAT doesn't happen first !

 

So added ip address to a loopback (on both devices HA A/A)

add interface to OSPF setup 

 

now the bit that wasn't working - you have to set the management port profile ... even though the packets are going to end up else where, its a loop back and you have to allow whats needs, so for me it was http and https..

 

What you would do if it was something else I am not sure !!

 

 

 

Added a static route and added in redistribution of static into ospf

 

 

If your question is how to advertise your NAT pool or single address out OSPF I believe we just created OSPF Export Rules and advertised them as ext-1.

 

We've got two virtual routers, one for the inside networks and one for the Internet side.  Each of those does OSPF out to their respective networks (Internet side OSPF just goes to an edge router) and iBGP propogates whatever routes we want between the two.  The export rules that contain our NAT ranges are on the Internet side VR.

 

I asked our proffesional services steam if this was the correct way to implement it and they said that would probably be how they would have done it.  The only thing I don't like with our current setup is that it is advertising ALL of our public IPs this way which means even IPs that aren't being used for NAT have a route from the firewall.  I think a solution would be to just create more specific Export Rules to contain only what we're using for NAT and then have a NULL route for the entire range on our edge router.  That way, any traffic destined for an IP not being used for NAT currently just dies at the edge instead of having to hit the firewall.

  • 1 accepted solution
  • 3478 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!