AWS NAT not coming back

L1 Bithead

Hello,

I tried to set up the NAT. I can see my NAT and security rules are being hit, but traffic is not flowing.

Bundle 1

Interface swap (tested this with no swap too, and it didn't work)

All of the 3 interfaces have source/destination check disabled

All of them use the same SG, 0.0.0.0/0

eth0 and eth1 are on the same subnet (public) with a route 0.0.0.0/0 to the IGW

eth0 and eth1 both have an elastic IP attached

eth2 is on the private subnet; route 0.0.0.0/0 points to eth2

Server is on the same subnet as eth2

DHCP seems to pick up the proper IPs (internal IPs)

My NAT rule

Source: Trust -> Untrust
Destination: ethernet1.1
Source: any
Destination: any
Service: any
Source Translation: dynamic IP and port <<PRIVATE IP ADDRESS of eth1>>

Hit count: over 2000+

For my security rule

Universal, any, any, any .. any, allow. Hit count 3000+

Monitor shows "aged out", allowed, so the traffic flows one way, but it doesn't come back!

Attached is a screenshot; the internal machine (172.31.73.88) pings Google (172.217.4.99).

172.31.38.193 is my eth1 "untrust".

Thanks in advance

[Screenshot: Screen Shot 2019-11-13 at 10.03.52 PM.png]

Here's a request to Google port 80

[Screenshot: Screen Shot 2019-11-13 at 10.13.30 PM.png]

NAT rule

[Screenshot: Screen Shot 2019-11-13 at 10.23.49 PM.png]


L4 Transporter

2 Thoughts.

  1. Check your default route in the VR.  Ideally, you should use DHCP on both interfaces in the firewall and make sure to uncheck "Automatically create default route..." on the Trust side interface so that you only inherit the default route on E1/1.
  2. Change the Source Translation in your NAT rule to: 
    • Translation Type: DIPP
    • Address Type: Interface Address
    • Interface: ethernet 1/1
    • IP Address: None

 

 

Thanks

I made those changes.

The NAT is working if the trust ENI is on the same subnet as the server I'm trying to NAT.

Is there any way I can point other route tables to this ENI? I made the change but they can't connect to the internet.

Thank you

Excellent, that is a step in the right direction.  Create a static route on the firewall VR to send all of the VPC subnets that are behind the firewall out of the Eth1/2 interface to the first IP in the firewall's Trust Subnet.  AWS will then route it to the Server subnet.

 

I assume the Server subnet has a 0/0 route pointing to the Trust side of the firewall?

Thanks

 

This is what my network looks like:

Palo in Public

A: same subnet as the trust interface, works fine

B: different subnet, same VPC, same route table, pointing to that ENI

[Screenshot: Screen Shot 2019-11-14 at 8.27.35 AM.png]

For the route you mention, unfortunately I don't know how; this is above the knowledge I have for this POC.

This is what I tried:

172.31.0.0/16 is my VPC CIDR

172.31.38.193 is the private IP of the "non trust interface"

[Screenshot: Screen Shot 2019-11-14 at 8.30.43 AM.png]

Rather than specifying your Trust side IP of the firewall as the next hop in that route, set the next-hop IP to the first IP of the Trust subnet, which is the AWS router IP.

i.e. if the Trust subnet is /24, set the next-hop to 172.31.38.1
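The two replies above (DIPP source NAT using the untrust interface address with a single default route on ethernet1/1, and a return route for the subnets behind the firewall whose next hop is the AWS router rather than the firewall's own Trust IP) amount to a short checklist that can be verified mechanically. The script below is an added example, not part of this thread and not Palo Alto Networks or AWS tooling. It audits a constructed model of the deployment: the VPC CIDR, the untrust IP 172.31.38.193 and the trust IP 172.31.123.37 are the values posted here, while the /24 masks, the interface names ethernet1/1 and ethernet1/2, and the server subnet 172.31.73.0/24 are assumptions. The model starts in the poster's original state (VPC CIDR routed to the firewall's own Trust IP) so the audit reports exactly that, and `fix_return_route` applies the accepted answer.

```python
import copy
import ipaddress
from typing import Dict, List

# Constructed model of the deployment in the thread. Posted values: VPC 172.31.0.0/16,
# untrust IP 172.31.38.193, trust IP 172.31.123.37. Assumed: /24 masks, interface
# names, and the server subnet 172.31.73.0/24.
DEPLOYMENT: Dict = {
    "enis": {
        "ethernet1/1": {"zone": "untrust", "ip": "172.31.38.193",
                        "subnet": "172.31.38.0/24", "source_dest_check": False},
        "ethernet1/2": {"zone": "trust", "ip": "172.31.123.37",
                        "subnet": "172.31.123.0/24", "source_dest_check": False},
    },
    # Firewall virtual-router static routes. The second is the poster's first attempt:
    # VPC CIDR with the firewall's own Trust IP as next hop, which AWS will not forward.
    "vr_routes": [
        {"dest": "0.0.0.0/0", "interface": "ethernet1/1", "next_hop": "172.31.38.1"},
        {"dest": "172.31.0.0/16", "interface": "ethernet1/2", "next_hop": "172.31.123.37"},
    ],
    "nat_rules": [
        {"from": "trust", "to": "untrust",
         "translation": {"type": "dynamic-ip-and-port",
                         "address_type": "interface-address",
                         "interface": "ethernet1/1"}},
    ],
    # AWS route tables of subnets that send their default route to the Trust ENI.
    "aws_route_tables": {
        "subnet-A (same subnet as trust)": {"subnet": "172.31.123.0/24",
                                            "default": "eni:ethernet1/2"},
        "subnet-B (different subnet)": {"subnet": "172.31.73.0/24",
                                        "default": "eni:ethernet1/2"},
    },
}


def aws_router_ip(subnet_cidr: str) -> str:
    """AWS places its implicit router at the first usable address of every subnet
    (network address + 1). That address, not the firewall's own interface IP, is the
    next hop the VR needs for subnets that are not directly attached."""
    net = ipaddress.ip_network(subnet_cidr, strict=False)
    return str(net.network_address + 1)


def audit(dep: Dict) -> List[str]:
    """Return a list of findings; an empty list means the return path looks right."""
    findings: List[str] = []
    enis = dep["enis"]
    untrust = {n for n, e in enis.items() if e["zone"] == "untrust"}
    trust = {n for n, e in enis.items() if e["zone"] == "trust"}

    # 1. Source/destination check must be off on every firewall ENI, otherwise AWS
    #    drops packets the firewall forwards on behalf of other hosts.
    for name, eni in enis.items():
        if eni["source_dest_check"]:
            findings.append(f"{name}: source/destination check is still enabled")

    # 2. Exactly one default route, and it must leave via the untrust interface.
    defaults = [r for r in dep["vr_routes"] if r["dest"] == "0.0.0.0/0"]
    if len(defaults) != 1 or defaults[0]["interface"] not in untrust:
        findings.append("VR must carry exactly one 0.0.0.0/0 route, via the untrust interface")

    # 3. Return path: a subnet that points 0/0 at the Trust ENI but is not the Trust
    #    subnet itself needs a VR route out the Trust interface whose next hop is the
    #    AWS router of the Trust subnet.
    for rt_name, rt in dep["aws_route_tables"].items():
        target = rt["default"]
        if not target.startswith("eni:"):
            continue
        eni_name = target[len("eni:"):]
        if eni_name not in trust:
            findings.append(f"{rt_name}: default route points at {eni_name}, not a trust ENI")
            continue
        server_net = ipaddress.ip_network(rt["subnet"], strict=False)
        trust_net = ipaddress.ip_network(enis[eni_name]["subnet"], strict=False)
        if server_net.subnet_of(trust_net):
            continue  # directly attached: no static route needed (the poster's case A)
        expected = aws_router_ip(enis[eni_name]["subnet"])
        covering = [r for r in dep["vr_routes"] if r["interface"] == eni_name
                    and server_net.subnet_of(ipaddress.ip_network(r["dest"], strict=False))]
        if not covering:
            findings.append(f"{rt_name}: no VR route covers {server_net} via {eni_name}")
        for r in covering:
            if r["next_hop"] != expected:
                findings.append(f"VR route {r['dest']} via {eni_name}: next hop {r['next_hop']} "
                                f"is not the AWS router {expected}")

    # 4. Source NAT must be DIPP using the untrust interface address.
    for rule in dep["nat_rules"]:
        t = rule["translation"]
        if (t["type"] != "dynamic-ip-and-port" or t.get("address_type") != "interface-address"
                or t.get("interface") not in untrust):
            findings.append(f"NAT {rule['from']}->{rule['to']}: translation should be DIPP "
                            "with the untrust interface address")
    return findings


def fix_return_route(dep: Dict) -> Dict:
    """Copy of the model with every non-default VR route on a trust interface repointed
    at the AWS router of that interface's subnet, as the accepted answer describes."""
    fixed = copy.deepcopy(dep)
    for r in fixed["vr_routes"]:
        eni = fixed["enis"].get(r["interface"])
        if eni and eni["zone"] == "trust" and r["dest"] != "0.0.0.0/0":
            r["next_hop"] = aws_router_ip(eni["subnet"])
    return fixed


if __name__ == "__main__":
    for f in audit(DEPLOYMENT) or ["no findings"]:
        print("before:", f)
    for f in audit(fix_return_route(DEPLOYMENT)) or ["no findings"]:
        print("after: ", f)
```

Run as-is it reports the single finding that the 172.31.0.0/16 route uses 172.31.123.37 as next hop instead of 172.31.123.1, and nothing after the fix; swapping in your own ENI, VR and route-table values turns it into a quick sanity check before blaming the NAT rule.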

What a learning experience!

My original routes

[Screenshot: Screen Shot 2019-11-14 at 8.41.01 AM.png]

Then I added the VPC CIDR pointing to the "gateway of the trust interface" (Trust = 172.31.123.37)

[Screenshot: Screen Shot 2019-11-14 at 8.54.52 AM.png]

New route

[Screenshot: Screen Shot 2019-11-14 at 8.51.57 AM.png]

Thanks for all your help, just documenting here in case someone is in the same spot.

Worked for me.

Thank you!

  • 1 accepted solution
  • 9218 Views
  • 7 replies
  • 0 Likes