We currently have our PAN configured with a simple two-NIC L3 setup: the internal NIC is on a private IP, the external NIC is on a public IP on a /24.
We have a bunch of public-facing websites that are currently outside of the PAN on a server that is connected to the same switch as the external NIC of the PAN, so each website/service on that server has its own public IP on the same /24 as the PAN's default external NIC.
Given that the PAN can do a bunch of smart stuff it seems to me it makes sense to look at moving those websites into a DMZ/dedicated interface on the PAN and presumably using NAT.
What I'm unclear on is:
a) Is NAT the best approach, i.e. change the IPs on each website to private IPs?
b) Can the PAN deal with having two interfaces each using addresses that are on the same subnet?
Hopefully the above makes sense, I guess I'd appreciate some clarification on how to best go about this.
We have a fresh/valid support contract if necessary, but I figured I'd sound out the options here first.
Thanks in advance.
I guess what you could do if you want to avoid NAT for the servers is to set up an interface pair of virtual wire.
int1: L3 outside (internet IPs /24)
int2: L3 inside (private IPs, NATed to outside IPs)
And then get another switch for the outside so it will become
switch <- two cables -> PAN <-> one cable to the private ip switch, one cable to the switch for the servers
The downside is that this looks a bit "complex"; the upside is that if you don't like PAN in front of the servers it's easy to just move them like you have it today - no need to change IP addresses, gateways, routing etc...
I don't think I have an issue with using NAT; obviously it will take a little time to bind private IPs and change IIS/services to use different IPs, but when it's done it's done.
I'm more interested in doing it the right/best way - NAT shouldn't be an issue as these are just web/ftp/dns services.
What I wasn't sure of was if I have:
int1 LAN, private IP
int2 External default route, public IP of x.x.x.1/24
int3 New interface, webserver connected with private IPs on webserver
How do I go about getting the PAN to proxy the public IPs of those sites and do all the NATing?
I think where I'm getting confused is over whether int3 is actually listening on the public IPs or whether int2 would be doing that as the public IPs of the websites are on the same /24.
Why not split your /24 into two /25s? This way it would look something like this:
This way you just use normal routing for your DMZ hosts and don't need to do NAT. Your ISP doesn't care how you subnet your networks once they get to your site.
Depending on the IPs you are using today, you may not have to re-IP at all. You can further split out the external subnet so it is as small as a /30.
The example I gave above is very simple, but here is a more creative way:
external: 22.214.171.124/30 (use addresses .1 and .2 for the transit link)
dmz: 126.96.36.199/24 (you can use any address within the range of .5 - .254 for servers and the interface)
The reason this works is because standard IP routing will always use the more specific route in the routing table, so it's possible to overlap your subnets like this. I tried configuring this on a PAN box and the config passed validation, though I have not tried committing it. I believe it will work. If not, then you could further break down the subnets until you get what you need.
You can get more creative with the subnetting, too. For example, if the ISP's next hop is .254 instead of .1 or .2, then do the same thing - just put two small subnets on the external address (.0/30 and .252/30) and leave the /24 on the DMZ.
There's nothing wrong with configuring NAT in this situation, but you may not need to do that to accomplish your goal.
Drat, I tried committing with overlapping subnets and it failed. I think this will be addressed in a future release, but in the meantime it looks like you have to actually configure multiple smaller, non-overlapping subnets on the interfaces to do this. Still possible, but not as ideal depending on your IP addressing.
As far as the NAT is concerned, you would just have an inbound rule that looks like this:
dst-ip: (public-ip of server)
dst-xlate: (internal-ip of server on dmz)
Your security policy would look like this:
dst-ip: (public-ip of server) - you can re-use the object you used for the NAT policy here
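The longest-prefix-match argument above, and the overlap check that made the commit fail, as an added example that is not from the thread. The interface names and the 203.0.113.0/24 block are constructed stand-ins for the poster's addressing.

```python
# Added example, not from the thread: models longest-prefix routing over the
# overlapping design (transit /30 inside the DMZ /24) and the overlap check a
# commit applies. Addresses and interface names are constructed placeholders.
import ipaddress

def lookup(routing_table, dst):
    """Return the (prefix, next-hop-or-interface) entry with the longest matching prefix."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, nh) for net, nh in routing_table if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda entry: entry[0].prefixlen)

def overlapping_interfaces(interfaces):
    """Return pairs of interfaces whose connected subnets overlap (what the commit rejects)."""
    items = list(interfaces.items())
    return [(a, b) for i, (a, net_a) in enumerate(items)
            for b, net_b in items[i + 1:] if net_a.overlaps(net_b)]

def routing_table(interfaces):
    """Connected routes for each interface plus a default route via the ISP transit address."""
    table = [(net, name) for name, net in interfaces.items()]
    table.append((ipaddress.ip_network("0.0.0.0/0"), "203.0.113.1"))  # constructed ISP hop
    return table

# Constructed: the overlapping layout from the post (.0/30 transit, whole /24 on the DMZ).
OVERLAP = {
    "ethernet1/1-external": ipaddress.ip_network("203.0.113.0/30"),
    "ethernet1/3-dmz": ipaddress.ip_network("203.0.113.0/24"),
}
# Constructed: the non-overlapping alternative, the /24 split into two /25s.
SPLIT = {
    "ethernet1/1-external": ipaddress.ip_network("203.0.113.0/25"),
    "ethernet1/3-dmz": ipaddress.ip_network("203.0.113.128/25"),
}

if __name__ == "__main__":
    for host in ("203.0.113.2", "203.0.113.100", "192.0.2.1"):
        print(host, "->", lookup(routing_table(OVERLAP), host))
    print("overlaps:", overlapping_interfaces(OVERLAP), overlapping_interfaces(SPLIT))
```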
Thinking about it I don't need to subnet down do I...
We already NAT a couple of those public IPs through our external interface i.e. Outlook Web Access to our Exchange server on our internal LAN.
So I could allocate an interface on the PAN to 192.168.1.x/24, put it in a zone called "DMZ", put my webservers on it, and add the zone to my default virtual router.
Then I simply create NAT and Security policy rules (including a NAT/security policy for the DMZ server to access internet and other resources as required i.e. to pass SMTP to our Exchange server).
I get it now, I think; seems every firewall has its own set of terminology.
Another option would be to set up a /30 net (private IPs) between the PAN and the ISP and then let the ISP route the whole /24 to the private IP of the PAN.
In the PAN you will then set up DNAT and/or SNAT rules depending on whether it's incoming or outgoing traffic you want to let through.
Would look something like:
PAN def gw: 10.0.0.1
ISP route: x.x.x.x/24 next hop 10.0.0.2
DNAT x.x.x.101 (server1) -> 192.168.1.101 (traffic towards x.x.x.101 will be destination NATed and sent to 192.168.1.101 in the DMZ zone)
SNAT 192.168.0.0/24 -> x.x.x.200 (traffic from the client zone will be source NATed to x.x.x.200; all clients will be hidden behind one IP)
or whatever your network will look like...
This way you will have a single (and straightforward) connection to the ISP, and at the same time your internal zones (DMZ + client) will use private IPs (the PAN will perform the NATing) while the public IPs won't change.
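The DNAT/SNAT rules in the post above, together with the earlier reply's point that the security policy matches the same pre-NAT public address object as the NAT rule, as an added example that is not from the thread. 198.51.100.0/24 is a constructed stand-in for x.x.x.0/24, and the zone names and the rule that the security policy is evaluated on the pre-NAT destination address and post-NAT destination zone are this example's assumptions.

```python
# Added example, not from the thread: a minimal model of the DNAT/SNAT design and
# of a security policy keyed on the pre-NAT destination. Addresses are constructed.
import ipaddress
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

PUBLIC = ipaddress.ip_network("198.51.100.0/24")   # constructed stand-in for x.x.x.0/24
DMZ = ipaddress.ip_network("192.168.1.0/24")
CLIENTS = ipaddress.ip_network("192.168.0.0/24")

DNAT = {"198.51.100.101": "192.168.1.101"}          # "DNAT x.x.x.101 -> 192.168.1.101"
SNAT = [(CLIENTS, "198.51.100.200")]                # "SNAT 192.168.0.0/24 -> x.x.x.200"

# from_zone, to_zone (post-NAT), dst-ip (pre-NAT, the same object as the NAT rule), ports
SECURITY = [
    ("untrust", "dmz", "198.51.100.101", {80, 443}),
    ("client", "untrust", None, {80, 443}),
]

def zone_of(ip):
    ip = ipaddress.ip_address(ip)
    if ip in DMZ:
        return "dmz"
    if ip in CLIENTS:
        return "client"
    return "untrust"

def apply_nat(pkt):
    """DNAT inbound traffic to a published server; SNAT client traffic leaving for the internet."""
    if pkt.dst in DNAT:
        return replace(pkt, dst=DNAT[pkt.dst])
    src = ipaddress.ip_address(pkt.src)
    for net, hide_ip in SNAT:
        if src in net and zone_of(pkt.dst) == "untrust":
            return replace(pkt, src=hide_ip)
    return pkt

def allowed(pkt):
    """Security lookup: original (pre-NAT) dst address, zone of the translated destination."""
    from_zone, to_zone = zone_of(pkt.src), zone_of(apply_nat(pkt).dst)
    return any((fz, tz) == (from_zone, to_zone) and pkt.dport in ports and dst in (None, pkt.dst)
               for fz, tz, dst, ports in SECURITY)
```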