NAT to multiple https sites

Announcements

Changes to the LIVEcommunity experience are coming soon... Here's what you need to know.

Reply
tjcarter
L1 Bithead

NAT to multiple https sites

It is possible to NAT to multiple internal https sites behind a single external IP address?  If so any guidance on how to create the NAT policy would be most apprecaited.

Tags (1)

Accepted Solutions
kfindlen
L4 Transporter

Hello,

The only NAT configuration which would allow access to two different servers behind the firewall from one public IP address would be to use different destination ports on the external interface.

External IP: 1.1.1.1

1.1.1.1:443 -> Server1:443

1.1.1.1.4443 -> Server2:443

Thanks,

-- Kevin

View solution in original post


All Replies
mikand
L6 Presenter

You mean someone from internet access x.x.x.x which your PA device will forward (destination NAT) to 2 or more webservers on DMZ?

Not that im aware of today.

kfindlen
L4 Transporter

Hello,

The only NAT configuration which would allow access to two different servers behind the firewall from one public IP address would be to use different destination ports on the external interface.

External IP: 1.1.1.1

1.1.1.1:443 -> Server1:443

1.1.1.1.4443 -> Server2:443

Thanks,

-- Kevin

View solution in original post

mikand
L6 Presenter

What about ECMP (Equal Cost Multi-Path routing) - is it supported in PANOS 5.0 yet?

Because then you could do something like:

1) PA will destination NAT incoming traffic for x.x.x.x into y.y.y.y.

2) Then the vrouter will forward traffic towards y.y.y.y with a.a.a.a or b.b.b.b (or how many you might have) as nexthop (roundrobin and do this per session).

3) Setup your webservers (a.a.a.a and b.b.b.b) to also listen to y.y.y.y as some kind of loopback interface.

kfindlen
L4 Transporter

ECMP is not currently supported.

I'm not sure if the original question was more of a load balance scenario or two completely separate sites hosted on different machines.  The multiple external port option is the only way to do this today unless you can further filter the NAT policy by source IP.

mikand
L6 Presenter

If its the second case (separate sites hosted on different machines) - what about involving PBF?

1) PA will destination NAT incoming traffic for x.x.x.x into y.y.y.y.

2) Then the PBF will if application web-site1 forwarding traffic either on egress interface (like VLAN101) and/or nexthop to a.a.a.a while for application web-site2 forwarding on egress VLAN102 and/or nexthop to b.b.b.b.

3) Setup your webservers (a.a.a.a and b.b.b.b) to also listen to y.y.y.y as some kind of loopback interface.

tjcarter
L1 Bithead

We are dealing with multiple internal https sites.  I have implemented different senarios using seperate external ports for different services on different servers (80 for http, 22 for ssh) but in this case I am stuck trying to get multiple servers that are offering the same service (https) but for different applications/sites.  Make sense?

kfindlen
L4 Transporter

Yeah, a setup like the one I mentioned in my first post is the only option possible on the firewall today.

External IP: 1.1.1.1

1.1.1.1:443 -> Server1_IP:443

1.1.1.1.4443 -> Server2_IP:443

So if you hit the external IP on port 443 you go to server1, and port 4443 you go to the HTTPS on server2.

mikand
L6 Presenter

A workaround would be if you can spare additional ip's for this service.

External IP:

1.1.1.1 -> Server1_IP

1.1.1.2 -> Server2_IP

1.1.1.3 -> Server3_IP

and then use dns roundrobin.

Another workaround would be if your webservers can run something similar to GLBP or such.

So the PA will just do 1.1.1.1 -> DMZ_IP and then the webservers uses GLBP or whatever to make the PA forward the traffic to them - however this will probably break session based logins and such for the clients (unless the session table is stored in the db available for all the webservers).

The proper solution (today) is most likely to get a loadbalancer either something like F5 (and setup up 2 of them as active/passive) or build your own using nginx/apache (mod_proxy/mod_security) along with CARP service (for active/passive between the two boxes) so you end up with:

PA -> LoadBalancer -> Switch -> Webservers

kfindlen
L4 Transporter

Mikand,

Step 2 would be the problem.  How would the firewall determine which direction to forward the traffic at that point?  The HTTP request which would contain the destination URL would not even be sent by the client until both the 3-way TCP and SSL handshakes were complete.  By that point the firewall wouldn't be able to change the forwarding based on the URL without breaking the session.  This also assumes SSL decryption is in use, which for inbound decryption both internal servers would have to present the same server certificate.

Maybe a web server cluster with a virtual IP that handles both web sites?

Thanks,

-- Kevin

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!