01-10-2013 01:09 PM
It is possible to NAT to multiple internal https sites behind a single external IP address? If so any guidance on how to create the NAT policy would be most apprecaited.
01-10-2013 01:22 PM
Hello,
The only NAT configuration which would allow access to two different servers behind the firewall from one public IP address would be to use different destination ports on the external interface.
External IP: 1.1.1.1
1.1.1.1:443 -> Server1:443
1.1.1.1.4443 -> Server2:443
Thanks,
-- Kevin
01-10-2013 01:18 PM
You mean someone from internet access x.x.x.x which your PA device will forward (destination NAT) to 2 or more webservers on DMZ?
Not that im aware of today.
01-10-2013 01:22 PM
Hello,
The only NAT configuration which would allow access to two different servers behind the firewall from one public IP address would be to use different destination ports on the external interface.
External IP: 1.1.1.1
1.1.1.1:443 -> Server1:443
1.1.1.1.4443 -> Server2:443
Thanks,
-- Kevin
01-10-2013 01:26 PM
What about ECMP (Equal Cost Multi-Path routing) - is it supported in PANOS 5.0 yet?
Because then you could do something like:
1) PA will destination NAT incoming traffic for x.x.x.x into y.y.y.y.
2) Then the vrouter will forward traffic towards y.y.y.y with a.a.a.a or b.b.b.b (or how many you might have) as nexthop (roundrobin and do this per session).
3) Setup your webservers (a.a.a.a and b.b.b.b) to also listen to y.y.y.y as some kind of loopback interface.
01-10-2013 01:29 PM
ECMP is not currently supported.
I'm not sure if the original question was more of a load balance scenario or two completely separate sites hosted on different machines. The multiple external port option is the only way to do this today unless you can further filter the NAT policy by source IP.
01-10-2013 01:36 PM
If its the second case (separate sites hosted on different machines) - what about involving PBF?
1) PA will destination NAT incoming traffic for x.x.x.x into y.y.y.y.
2) Then the PBF will if application web-site1 forwarding traffic either on egress interface (like VLAN101) and/or nexthop to a.a.a.a while for application web-site2 forwarding on egress VLAN102 and/or nexthop to b.b.b.b.
3) Setup your webservers (a.a.a.a and b.b.b.b) to also listen to y.y.y.y as some kind of loopback interface.
01-10-2013 01:39 PM
We are dealing with multiple internal https sites. I have implemented different senarios using seperate external ports for different services on different servers (80 for http, 22 for ssh) but in this case I am stuck trying to get multiple servers that are offering the same service (https) but for different applications/sites. Make sense?
01-10-2013 01:45 PM
Yeah, a setup like the one I mentioned in my first post is the only option possible on the firewall today.
External IP: 1.1.1.1
1.1.1.1:443 -> Server1_IP:443
1.1.1.1.4443 -> Server2_IP:443
So if you hit the external IP on port 443 you go to server1, and port 4443 you go to the HTTPS on server2.
01-10-2013 01:54 PM
A workaround would be if you can spare additional ip's for this service.
External IP:
1.1.1.1 -> Server1_IP
1.1.1.2 -> Server2_IP
1.1.1.3 -> Server3_IP
and then use dns roundrobin.
Another workaround would be if your webservers can run something similar to GLBP or such.
So the PA will just do 1.1.1.1 -> DMZ_IP and then the webservers uses GLBP or whatever to make the PA forward the traffic to them - however this will probably break session based logins and such for the clients (unless the session table is stored in the db available for all the webservers).
The proper solution (today) is most likely to get a loadbalancer either something like F5 (and setup up 2 of them as active/passive) or build your own using nginx/apache (mod_proxy/mod_security) along with CARP service (for active/passive between the two boxes) so you end up with:
PA -> LoadBalancer -> Switch -> Webservers
01-10-2013 01:55 PM
Mikand,
Step 2 would be the problem. How would the firewall determine which direction to forward the traffic at that point? The HTTP request which would contain the destination URL would not even be sent by the client until both the 3-way TCP and SSL handshakes were complete. By that point the firewall wouldn't be able to change the forwarding based on the URL without breaking the session. This also assumes SSL decryption is in use, which for inbound decryption both internal servers would have to present the same server certificate.
Maybe a web server cluster with a virtual IP that handles both web sites?
Thanks,
-- Kevin
01-10-2013 02:08 PM
Darn, I was thinking if two (or more) custom app-id's looking for web-browsing + http-host...
So when will PA get support for loadbalancing DNAT or for that matter ECMP? 🙂
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
