
NAT configuration

L3 Networker

Hello

I would like your support with the NAT configuration for both of the following scenarios.

Scenario 1

Our customer requested that we create an IPsec tunnel between us (mycompany) and the Customer. Our users need to reach a web server hosted on the Customer site via the IPsec VPN. I want to hide the real IP of our users behind a dedicated NAT IP or NAT address, and I want to NAT the 2 remote web server IPs given by the customer to 2 IPs in a dedicated NAT range, to avoid publishing their real IPs internally and to avoid IP clashes between them and us. How can I configure our Palo Alto for that?

Scenario 2

It is the same as scenario 1, but I communicate the real IPs of the 2 web servers to the users and just configure NAT to hide our real IP with a dedicated NAT network. In this case, the IP that requests the web server is not the real IP of the user but a NAT IP. How can I configure this?

BR

4 REPLIES

L2 Linker

Hello!

The best option to avoid subnet overlapping is:

  • Create a Source NAT rule to source users from the dedicated IP you want to allow to the web server. (Here you solve the issue of advertising user subnets and just need to advertise the dedicated IP.)
  • Create a Destination NAT rule to match traffic going to an internal IP (known by users via IP or FQDN) and translate it to the customer's real web server IP. Here the Palo needs to know how to reach the real web server IP or the customer's dedicated IP, meaning the customer has to announce the IP. If the customer announces the real IP and you don't want to mix this prefix/IP with the rest of your environment, you can add a virtual router just to handle the customer prefixes in a separate routing table without causing conflicts on your internal network.

I hope this information helps!

Johnny Fernandez
Senior Network Security Engineer
PCNSE | CCNP | JNCIP

Hello

Thank you for your answer. My customer sent me the IPs of the 2 web servers: 192.168.10.10 & 192.168.10.11. My users are connected on our internal network 10.30.22.10/24.

Based on your recommendation to create source NAT and destination NAT, can I dedicate and use the same NAT subnet for both NATs (NAT subnet: 10.100.10.0/28), using 10.100.10.1 as the NAT IP of web server 1 (192.168.10.10) and 10.100.10.2 as the NAT IP for web server 2 (192.168.10.11), and configure 10.100.10.0/28 as the NAT source to hide our real IP? Or do I need to define 2 separate networks: 1 for NAT source and 1 for NAT destination?

BR

Hello

Regarding your post, do I need to create 2 rules, one rule for source NAT and one rule for destination NAT, or is it possible to create the source NAT and destination NAT in the same NAT rule?

BR

Correct, this kind of rule is known as 'double NAT', since we translate source and destination in a single step.

Since the customer has a couple of servers, I advise you to create separate rules to allow scalability and availability and avoid interruptions in case the customer needs to remove one of those hosts.

Senior Network Security Engineer
PCNSE | CCNP | JNCIP
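A worked PAN-OS CLI configuration for both scenarios, put together here as an added example rather than configuration posted by anyone in the thread; it covers the source NAT plus destination NAT design from the first reply and the one-rule-per-server advice from the last one. It uses the addresses given in the thread and assumes the zone names `trust` (users) and `vpn` (tunnel interface `tunnel.1` to the customer), the virtual router `default`, and an assumed source-NAT address 10.100.10.3 chosen so it does not collide with the two destination-NAT addresses; lines beginning with `#` are annotations, not CLI input, and the syntax should be checked against your PAN-OS version.

```panos
# Routing: the pre-NAT destination must resolve to the vpn zone, otherwise the NAT rule's "to" zone never matches.
set network virtual-router default routing-table ip static-route customer-nat-range destination 10.100.10.0/28 interface tunnel.1
set network virtual-router default routing-table ip static-route customer-web1 destination 192.168.10.10/32 interface tunnel.1
set network virtual-router default routing-table ip static-route customer-web2 destination 192.168.10.11/32 interface tunnel.1

# Scenario 1: one double-NAT rule per web server (separate rules, as advised above).
# Users connect to 10.100.10.1 / 10.100.10.2; the customer sees 192.168.10.x as destination and 10.100.10.3 as source.
set rulebase nat rules s1-web1 from trust to vpn source 10.30.22.0/24 destination 10.100.10.1 service any
set rulebase nat rules s1-web1 source-translation dynamic-ip-and-port translated-address 10.100.10.3
set rulebase nat rules s1-web1 destination-translation translated-address 192.168.10.10

set rulebase nat rules s1-web2 from trust to vpn source 10.30.22.0/24 destination 10.100.10.2 service any
set rulebase nat rules s1-web2 source-translation dynamic-ip-and-port translated-address 10.100.10.3
set rulebase nat rules s1-web2 destination-translation translated-address 192.168.10.11

# Scenario 2: users are given the real server addresses, so only source NAT is needed.
set rulebase nat rules s2-web from trust to vpn source 10.30.22.0/24 destination [ 192.168.10.10 192.168.10.11 ] service any
set rulebase nat rules s2-web source-translation dynamic-ip-and-port translated-address 10.100.10.3

# Security policy matches on pre-NAT addresses but on the post-NAT (vpn) destination zone.
set rulebase security rules allow-customer-web from trust to vpn source 10.30.22.0/24 destination [ 10.100.10.1 10.100.10.2 192.168.10.10 192.168.10.11 ] application [ web-browsing ssl ] service application-default action allow

# Check after commit (operational mode): which NAT rule a user session to web server 1 would hit.
test nat-policy-match from trust to vpn source 10.30.22.10 destination 10.100.10.1 protocol 6 destination-port 443
```

Because NAT is applied before the packet enters the tunnel, the IPsec proxy IDs (or the peer's crypto ACL) must cover the translated addresses (10.100.10.3 to 192.168.10.10/.11), not the users' real 10.30.22.0/24 subnet.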