Source NAT subnet from wrong interface

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Source NAT subnet from wrong interface

L1 Bithead

Hi, So im having difficult with a source nat to Internet.. My goal is to route traffic between two vlans in my cisco 2960x switch and let palo handle the rest.. The problem is that the source net arrives to the palo on the wrong interface (well its expected..)

i have zone already configuerd in the palo fw with zones, interface. Ive created a access rule from zone1, with source net 10.20.31.0 and i see in the log that the traffic allows from zone1 with source net 10.20.31.0.. But the NAT rule i cant get to work.. need help 🙂

 

palo

zone1: 10.20.30.0

zone2: 10.20.31.0

 

2960x

vlan1: 10.20.30.0

vlan2:10.20.31.0

vlan1-2 routes in cisco 2960x

default route to 10.20.30.2 (palo)

1 accepted solution

Accepted Solutions

L7 Applicator

If you have no need to control traffic between the zone 1 and zone 2, I see no reason to create the two interfaces and zones on the PA.

 

From what you describe I assume that the single default route of your switch along with local routing is having all the traffic from both subnets arrrive on the PA via your "zone 1" interface.

 

You can simply treat both subnets as the same zone and have a route on the PA that pushes the second subnet out the existing "zone 1" interface and delete the zone 2 interface entirely.

 

Any special treatment of the two subnets could be handled by security policies based simply on the subnet in the same zone just as easily for the external internet access.

 

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

View solution in original post

5 REPLIES 5

Cyber Elite
Cyber Elite

Can you provide some more details,. like for example what you mean with 'wrong interface' as this is not clear from your explanation

 

Did you create 2 subinterfaces, each with their own zone/vlan tag?

If you want to route between the 2 vlans adn perform NAT it's probably better to have the firewall perform routing while also taking care of NAT

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

L7 Applicator

If you have no need to control traffic between the zone 1 and zone 2, I see no reason to create the two interfaces and zones on the PA.

 

From what you describe I assume that the single default route of your switch along with local routing is having all the traffic from both subnets arrrive on the PA via your "zone 1" interface.

 

You can simply treat both subnets as the same zone and have a route on the PA that pushes the second subnet out the existing "zone 1" interface and delete the zone 2 interface entirely.

 

Any special treatment of the two subnets could be handled by security policies based simply on the subnet in the same zone just as easily for the external internet access.

 

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

palo config (updated)

zone1: 10.20.30.0 subinterface attached with own zone, vlan tag

zone2: 10.20.31.0 subinterface attached with own zone, vlan tag

 

what i mean with wrong interface is that 10.20.31.0 client traffic hits the "zone1" zone (zone1, source address 10.20.31.0) in the fw because the default route in the switch is 10.20.30.4.. i want the switch to handle routing to have high Throughput. So im struggeling with the NAT.

 

How should a nat be created for this?

Is it possible to do this, with diffrent zones ? 

Or do i need to put both subnet in one zone? (this works, but then i need to change all access rules to check source network 10.20.31 or 10.20.30 to control the traffic.)

Is this good solution? 🙂

thanks for the input puklukas, i belive it is better to treat both subnets as the same zone after some testing today. if i trust the traffic in the switch i can trust it in PA and set security rules on the source address. I will test some more.. But for the NAT is it even possible for the PA to handle this? (If a seperate the two subnets to diffrent zones)

You pretty much have to have these two interfaces in the same zone.  As you note, there is only one default route on the switch so all the traffic out will use that interface to the PA regardless of which subnet the computers are in.

 

You can then create two nat rules if you want the two subnets to nat to different addresses and that can easily be in the same zone.

 

I guess I am not understanding which configuration you are having problems making specific that cannot be done with the two subnets and interfaces in the same zone.  Can you post an example?

 

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
  • 1 accepted solution
  • 3618 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!