PBR/PBF to DMZ then Internet

cancel
Showing results for 
Search instead for 
Did you mean: 
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

PBR/PBF to DMZ then Internet

L1 Bithead

Greetings!

As title suggests, I'm trying to implement PBF to the specific destination network in Internet through a server residing in DMZ. There are three zones configured:

 

  • Inside 10.0.5.0/24 - from where traffic is initiated 
  • DMZ 10.0.22.0/24 - where intercepting server is connected. Plain Linux with net.ipv4.ip_forward = 1
  • Outside 2.2.2.2/30 - facing Internet with single connection (upstream BGP router in this case)
  • Interesting destination network 203.0.113.0/24

PBF rule matches source and destination IP networks (10.0.5.0/24 => 203.0.113.0/24) and works as intended. In traffic log I can see my requests being rerouted from Inside to DMZ and tcpdump on server surely shows connections from 10.0.5.0/24 network.

 

The problem occurs when server itself tries to reach to the actual destination network. Either NAT is not happening during forwarding or something else is discarding traffic in firewall. I can see retransmissions happening before the session is dropped.

 

Tried srcnat with unused IP from my BGP pool (routed from upstream to firewall which works in normal routing flow between zones) in both INSIDE to DMZ or DMZ to OUTSIDE flows. From Inside to DMZ flow it happens and I can see my internal network already NATted to public IP in server's tcpdump, but connection still fails.

 

From what I understand, in this scenario firewall sees traffic from 10.0.5.0/24 but sourced from DMZ zone. Could there be something like uRPF mechanism kicking in? There are no errors in traffic log either.

Pushing zeros and ones.
1 ACCEPTED SOLUTION

Accepted Solutions

Cyber Elite
Cyber Elite

Hi @igobejishvili ,

The main problem is that your Linux host in the DMZ is just forwarding the received packet. There are actually couple of reason this willl not work:

- As you correctly assume uRPF or anti-spoofing protection will drop the traffic when it sees that packet is ingresing on DMZ interface, while the source address is from the Inside zone.

- Return traffic will not be forwarded to DMZ, instead directly to Inside, which will cause the return traffic to have different egress interface and probably not match the session in the firewall session table.

 

You need to use source NAT on the Linux host, which will translate the original source IP of the host in the Inside zone, either to the Linux host DMZ IP, or any other available IP address in the DMZ network.

 

After that you will need proper NAT to translate that address to public one and also security rule for allowing the private IP in the DMZ network ( source zone DMZ) to internet.

 

View solution in original post

2 REPLIES 2

Cyber Elite
Cyber Elite

Hi @igobejishvili ,

The main problem is that your Linux host in the DMZ is just forwarding the received packet. There are actually couple of reason this willl not work:

- As you correctly assume uRPF or anti-spoofing protection will drop the traffic when it sees that packet is ingresing on DMZ interface, while the source address is from the Inside zone.

- Return traffic will not be forwarded to DMZ, instead directly to Inside, which will cause the return traffic to have different egress interface and probably not match the session in the firewall session table.

 

You need to use source NAT on the Linux host, which will translate the original source IP of the host in the Inside zone, either to the Linux host DMZ IP, or any other available IP address in the DMZ network.

 

After that you will need proper NAT to translate that address to public one and also security rule for allowing the private IP in the DMZ network ( source zone DMZ) to internet.

 

L1 Bithead

Thank you for the reply. That's exactly what I've ended up doing. MASQUERADE on the Linux server with its own IP for specific source networks (ingress via PBF) and then srcnat of that DMZ IP to Outside on PA. I can observe two sessions per flow, one to the server and another corresponding flow from the server.

Pushing zeros and ones.
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!