Setting-up Palo Alto Firewall without NAT Policy


L2 Linker

Dear all,

I am a newbie, currently in the first phase of learning the Palo Alto firewall. I am setting up a simple virtual network topology in VMware Workstation as follows.

(attached diagram: Drawing1.png)

As you can see from the diagram, there are two zones, labeled Trust and Untrust, with networks 192.168.250.0/24 and 192.168.150.0/24 respectively. ETH1/1 faces the Trust zone and has IP address 192.168.250.10, while ETH1/2 faces the Untrust zone and has IP address 192.168.150.10.

My first approach to the basic configuration is as follows.

1. Configure the Management Interface on 192.168.100.10. I can access it both from a web browser and via SSH from the Management PC.

2. Configure the ETH1/1 and ETH1/2 IP addresses.

3. Create zones labeled Trust and Untrust, then assign them to ETH1/1 and ETH1/2 respectively.

4. Create a Virtual Router named Default for ETH1/1 and ETH1/2 and set a static route as follows:

- Name: Default

- Destination: 0.0.0.0/0

- Interface: None

- Next Hop: IP Address 192.168.150.2

- Metric: 10

- Route Table: Unicast

5. Add new Security Policies as follows

- Name: Internet Access

- Type: Universal

- Source: Zone Trust, Address Any, User Any, HIP Profile Any

- Destination: Zone Untrust, Address Any

- Application: Any

- Service: Any

- Action: Allow

- Profile: None

6. Add new NAT Policies as follows

- Name: Default

- Source: Zone Trust, Address Any, Service Any

- Destination: Zone Untrust, Address Any, Service Any

- Source Translation: Dynamic IP and Port, Interface ETH1/2, IP 192.168.150.10/24

- Destination Translation: None

 

With this configuration, the Trust PC can access the internet. Moreover, using the CLI on the PA-VM, I can ping 8.8.8.8 from both sides:

ping source 192.168.150.10 host 8.8.8.8

ping source 192.168.250.10 host 8.8.8.8

My question is: can I achieve the same without using NAT? I just want to configure the firewall without NAT so that I can demonstrate the access policy for the Untrust PC accessing some resource on the Trust PC. When I disable the NAT policy, I cannot ping 8.8.8.8 from the 192.168.250.10 side, but I can ping 8.8.8.8 from the 192.168.150.10 side.

 

Any help would be highly appreciated.

Thank you.

Sincerely,

Bagus.

Accepted Solution

L3 Networker

The reason you are not able to get to the internet once you disable the NAT policy is that your modem does not know how to reach the 192.168.250.0/24 network for the return packet, and hence it would drop it.

Add a route on your modem to route traffic for 192.168.250.0/24 to 192.168.150.10.
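To make the accepted answer's return-path argument concrete, here is an added worked example (editor's illustration, not code from the original thread or from Palo Alto Networks). It models the lab's hops with longest-prefix-match routing tables and the firewall's zone-pair policy lookup, then traces the Trust PC's ping to 8.8.8.8 and its reply under three conditions: NAT rule on, NAT rule off, and NAT rule off with the modem route from the answer. The firewall routes, zones, addresses and the Internet Access rule are the ones from the post; the ISP next hop 203.0.113.1, the host addresses ending in .20 and the "lan"/"wan" interface names on the modem are assumptions of the example.

```python
"""
Path-tracing model of the thread's lab: Trust 192.168.250.0/24 on ethernet1/1,
Untrust 192.168.150.0/24 on ethernet1/2, VMware NAT "modem" at 192.168.150.2.
Added illustration, not PAN-OS code. It does longest-prefix-match routing at
each hop and zone-pair policy lookup on the firewall, to show why the reply
from 8.8.8.8 dies on the modem once source NAT is off, why the route in the
accepted answer fixes it, and that the route alone does not open Trust to the
Untrust PC. Assumed values: ISP next hop 203.0.113.1, hosts .20 in each LAN.
"""
import ipaddress

# (prefix, next hop or "connected", egress interface)
FIREWALL_ROUTES = [
    ("192.168.250.0/24", "connected", "ethernet1/1"),
    ("192.168.150.0/24", "connected", "ethernet1/2"),
    ("0.0.0.0/0", "192.168.150.2", "ethernet1/2"),  # static route "Default" from the post
]
ZONE_OF = {"ethernet1/1": "Trust", "ethernet1/2": "Untrust"}

MODEM_ROUTES = [
    ("192.168.150.0/24", "connected", "lan"),
    ("0.0.0.0/0", "203.0.113.1", "wan"),  # assumed ISP uplink
]
# The accepted answer: tell the modem that 192.168.250.0/24 lives behind the firewall.
MODEM_ROUTES_FIXED = MODEM_ROUTES + [("192.168.250.0/24", "192.168.150.10", "lan")]

FIREWALL_UNTRUST_IP = "192.168.150.10"   # what the NAT rule translates Trust sources to
TRUST_PC, INTERNET = "192.168.250.20", "8.8.8.8"   # assumed host, real resolver address

# The post's single security rule (name, from zone, to zone, action).
SECURITY_RULES = [("Internet Access", "Trust", "Untrust", "allow")]


def lookup(routes, dst):
    """Longest-prefix match. Returns (next_hop, egress) or None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, egress in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, egress)
    return None if best is None else (best[1], best[2])


def firewall_policy(src, dst):
    """Zone-pair lookup: first matching rule wins, then PAN-OS's implicit
    intrazone-default allow / interzone-default deny. The source zone is
    approximated by the interface the firewall would route back to src."""
    src_zone = ZONE_OF[lookup(FIREWALL_ROUTES, src)[1]]
    dst_zone = ZONE_OF[lookup(FIREWALL_ROUTES, dst)[1]]
    for _name, from_zone, to_zone, action in SECURITY_RULES:
        if from_zone == src_zone and to_zone == dst_zone:
            return action
    return "allow" if src_zone == dst_zone else "deny"


def reply_path(modem_routes, snat=False):
    """Trace TRUST_PC -> INTERNET and the reply back. Returns "delivered" or
    a string naming the hop where the reply dies."""
    if firewall_policy(TRUST_PC, INTERNET) != "allow":
        return "denied by firewall policy"
    # Source address the modem and 8.8.8.8 see: translated if the NAT rule is on.
    reply_dst = FIREWALL_UNTRUST_IP if snat else TRUST_PC
    hop = lookup(modem_routes, reply_dst)
    if hop is None or hop[1] == "wan":
        # Best match is the default route: the modem pushes the reply back out
        # toward the ISP (or filters it); it never returns to the firewall.
        return "lost at modem: no route to " + reply_dst
    if snat:
        return "delivered"   # firewall owns reply_dst, un-translates, forwards to Trust
    _, egress = lookup(FIREWALL_ROUTES, reply_dst)
    return "delivered" if egress == "ethernet1/1" else "lost at firewall"


if __name__ == "__main__":
    print("NAT on, modem unchanged:  ", reply_path(MODEM_ROUTES, snat=True))
    print("NAT off, modem unchanged: ", reply_path(MODEM_ROUTES))
    print("NAT off, route on modem:  ", reply_path(MODEM_ROUTES_FIXED))
    print("Untrust PC -> Trust PC:   ", firewall_policy("192.168.150.20", TRUST_PC))
```

Run it and the second trace dies at the modem: the reply to 192.168.250.20 matches only the default route, so the modem sends it toward the ISP (or filters it) instead of back to 192.168.150.10. The last line is the caveat worth keeping in mind when NAT is turned off for this demonstration: once the modem has the route, every host on the Untrust segment can route packets toward 192.168.250.0/24 through the firewall, and only the interzone-default deny stops them until an explicit Untrust-to-Trust rule is added. Scope that rule to the specific application and service rather than copying the application-any / service-any pattern of the Internet Access rule.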


L7 Applicator

Add a static route to your modem:

192.168.250.0/24 via 192.168.150.10

Hi mgarg, thank you for the reply.

Since the router is the VMware Workstation NAT virtual router, I am currently unable to find a way to add the static route. Therefore, I should implement the virtual router myself (e.g., using an Ubuntu VM). By the way, your solution works as expected!

 

Thank you.

 

 
