Source and Destination NAT using 2 different NAT rules

Reply
Highlighted
L1 Bithead

Source and Destination NAT using 2 different NAT rules

Hello everybody,

 

We are trying to replace our Lan-to-Lan concentrator (currently a Cisco ASA) with a PAN-5220 version 8.1.

 

On the Cisco ASA firewall, we are currently doing source and destination NAT for each incoming connection.

 

We change the  source IP address because our partners use many different private subnets that we can't route or that we also use.

And we also change the destination IP address, for the same reason. We change our internal private IP address to some public IP addresses that our partners can easily route to us.

 

On Cisco Asa we configure NAT rules based on objects. The source NAT is configured for each partner's subnet and the destination NAT is configured for each of our servers. Both NAT are then applied when the connection is made.

 

 

Now with Palo Alto...

 

As only one NAT rule applies, and we want to make source and destination NAT, we are supposed to configure a different NAT rule for each possible connection...

As we have ~ 30 partners and ~ 200 servers, this can lead to an endless NAT ruleset, assuming that each partner could reach each server (this is not the case but let's assume...).

 

Do you have an idea how we can work around that ?

 

We would like to manage the Source NAT rules on a side and the Destination NAT rules on the other, and have them combined when traffic passes through the Firewall. This means that packets have to pass twice through the NAT ruleset and that's what we are unable to do properly...

 

The only way we found is to send the packets out of the firewall after the first NAT and then an external router sends the packets back to the firewall in order to match the second NAT rule. We also imagined to use an external cable between 2 interfaces of the PAN firewall, each interface being in a different zone and VR, and use this link as an external loop.

 

Any other solution that would be more "elegant" ?

 

Thanks in advance for your suggestion.

 

Best Regards,

 

Christophe

 

 

 

 

Highlighted
Cyber Elite

@Christophe_Savoy,

That's a bit of an interesting situation. I'm not coming up with a way that you can elegantly configure this on a PAN with what you are trying to achieve without having multiple NAT entries. Really the advice that I would give you is to come up with proper tags and make appropriate use of the group-tag so that it's easy to filter everything by client. While it doesn't fix your problem, it'll make working on the rulebase easier.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!