This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
Accept
Reject

using NAT to "change subnets"

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

using NAT to "change subnets"

mnaylor
L1 Bithead

‎02-24-2022 12:10 PM

Hello community,

 

I have what I think is an odd use case for NAT but am curious if it would work.

We are readdressing our campus and have a series of vending devices with no way to change the static IPs. All of those devices need to "move" to another subnet.

All of our on-campus routing takes place within our core switches, with no way to do NAT there. Our PA is simply the GW of last resort out to the Internet.

Would it be possible to route traffic destined for this vending subnet to the PA and use NAT to mask the device IPs?

Let me know if I'm unclear...not quite sure if what I'm trying to describe is possible.

0 Likes Likes
9 REPLIES 9

mnaylor
L1 Bithead
In response to Adrian_Jensen

‎02-28-2022 05:25 AM

@Adrian_Jensen

We are running HPE 5406 at the core, which do not support VRF.

0 Likes Likes

Adrian_Jensen
L5 Sessionator

‎02-28-2022 08:00 AM - edited ‎02-28-2022 08:00 AM

I don't know HPEs at all, but this says you implement VRFs as "vpn-instance" on HPE:

https://support.hpe.com/hpesc/public/docDisplay?docId=emr_na-c03529403

 

A VRF is Cisco terminology is just a separate L3 routing table shared among specific ports. You can do the same on the PA itself by creating a new routing table and linking interfaces (physical or VLAN) to it:

Network -> Virtual Routers

0 Likes Likes

TomYoung
Cyber Elite
Cyber Elite

‎02-28-2022 08:04 AM

Hi @mnaylor ,

 

How far are the VMs from the vending devices?  Can they be put on the same VLAN?

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.
0 Likes Likes

mnaylor
L1 Bithead
In response to TomYoung

‎02-28-2022 12:58 PM

They could be put on the same VLAN by changing the addresses of the server, but keep in mind I have no way to program the vending devices. So, as far as the devices are concerned, nothing can "change". They have to talk to the servers via the current server IPs and I have no way to change the device IPs.

0 Likes Likes

TomYoung
Cyber Elite
Cyber Elite

‎02-28-2022 01:12 PM

Hi @mnaylor ,

 

You could add a secondary NIC to one of the VMs in the vending device subnet.  You can configure that VM to route.  You can add a route on the other VMs to point to the multi-homed VM.  Only a handful of VMs will have the route in your network.

 

If you don't want to go that route (pun intended), I recommend you keep the vending network connected to your internal network.  From what I understand, it seems unlikely that you will sell the public IP prefix and internal users will need it before you decommission the vending machines.

 

The PANW definitely can provide a solution via NAT, but adding complexity to the design comes with its own problems.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.
0 Likes Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Copyright 2007 - 2023 - Palo Alto Networks