I tried to set up the NAT. I can see my NAT and security rules are being hit, but traffic is not flowing.
Interface swap (tested this with no swap too, and it didn't work)
Source/destination check disabled on all three interfaces
All of them in the same SG, 0.0.0.0/0
eth0 and eth1 are on the same subnet (public) with a route 0.0.0.0/0 to the IGW
eth0 and eth1 both have an Elastic IP attached
eth2 is on the private subnet; its route 0.0.0.0/0 points to eth2
The server is on the same subnet as eth2
DHCP seems to pick up the proper IPs (internal IPs)
My NAT rule:
Source: Trust -> Untrust
Source translation: dynamic IP and port <<PRIVATE IP ADDRESS of eth1>>
Hit count: over 2000
My security rule:
Universal, any, any, any ... any, allow. Hit count 3000+
The monitor shows "aged out", allowed, so the traffic flows one way, but it doesn't come back!
Attached is a screenshot: the internal machine (172.31.73.88) pings google (18.104.22.168)
172.31.38.193 is my eth1 "untrust"
Thanks in advance
Here's a request to google port 80
I made those changes.
The NAT is working if the trust ENI is on the same subnet as the server I'm trying to NAT.
Is there any way I can point other route tables to this ENI? I made the change, but they can't connect to the internet.
Excellent, that is a step in the right direction. Create a static route on the firewall VR to send all of the VPC subnets that are behind the firewall out of the Eth1/2 interface to the first IP in the firewall's Trust subnet. AWS will then route it to the server subnet.
I assume the server subnet has a 0/0 route pointing to the Trust side of the firewall?
This is what my network looks like:
Palo in Public
A: same subnet as the trust interface, works fine
B: different subnet, same VPC, same route table, pointing to that ENI
For the route you mention, unfortunately I don't know how; this is above the knowledge I have for this POC.
This is what I tried:
172.31.0.0/16 is my VPC CIDR
172.31.38.193 is the private IP of the "non-trust interface"
What a learning experience!
My original routes
Then I added the VPC CIDR pointing to the "gateway of the trust interface" (Trust = 172.31.123.37)
Thanks for all your help, just documenting here if someone is in the same spot.
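To make the route-table interaction in this thread concrete (the helper's static-route advice and the OP's final fix), here is an added example that is not part of the thread and not Palo Alto or AWS code: a small Python model of the two route lookups a NAT'd session depends on. The VPC CIDR 172.31.0.0/16, the trust IP 172.31.123.37, the untrust IP 172.31.38.193 and the server 172.31.73.88 come from the thread; the /20 subnet boundaries, the second server, the interface names ethernet1/1 and ethernet1/2 and the internet host are assumed. It shows why a server in the trust subnet worked from the start (a connected route covers it) while a server in another subnet only gets its replies once the VPC CIDR route out the trust interface toward the subnet's first IP exists.

```python
import ipaddress

# --- Constructed lab topology (assumed values except where the thread states them) ---
VPC_CIDR = ipaddress.ip_network("172.31.0.0/16")          # VPC CIDR from the thread
TRUST_SUBNET = ipaddress.ip_network("172.31.112.0/20")    # assumed; holds trust IP 172.31.123.37
UNTRUST_SUBNET = ipaddress.ip_network("172.31.32.0/20")   # assumed; holds untrust IP 172.31.38.193
TRUST_ROUTER = TRUST_SUBNET.network_address + 1           # AWS implicit router: first usable IP
UNTRUST_ROUTER = UNTRUST_SUBNET.network_address + 1
SERVER_A = ipaddress.ip_address("172.31.120.10")          # assumed host inside the trust subnet
SERVER_B = ipaddress.ip_address("172.31.73.88")           # host from the thread, different subnet
INTERNET_HOST = ipaddress.ip_address("203.0.113.10")      # documentation address standing in for "google"


def lookup(routes, dst):
    """Longest-prefix match over (prefix, egress, next_hop) tuples; None if nothing matches."""
    best = None
    for prefix, egress, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, egress, next_hop)
    return best


# AWS route table attached to the private subnets behind the firewall (0/0 -> trust ENI).
AWS_PRIVATE_RT = [(str(VPC_CIDR), "local", None), ("0.0.0.0/0", "eni-trust", None)]
# AWS route table of the trust subnet itself; the local route delivers intra-VPC traffic.
AWS_TRUST_RT = [(str(VPC_CIDR), "local", None), ("0.0.0.0/0", "igw", None)]

# Firewall virtual router as first configured: connected routes plus the default toward the IGW.
VR_BEFORE = [
    (str(TRUST_SUBNET), "ethernet1/2", None),
    (str(UNTRUST_SUBNET), "ethernet1/1", None),
    ("0.0.0.0/0", "ethernet1/1", UNTRUST_ROUTER),
]
# After the fix from the thread: VPC CIDR out the trust interface to the trust subnet's first IP.
VR_AFTER = VR_BEFORE + [(str(VPC_CIDR), "ethernet1/2", TRUST_ROUTER)]


def forward_reaches_firewall(server_rt, dst):
    """Does the server's subnet route table hand internet-bound traffic to the trust ENI?"""
    route = lookup(server_rt, dst)
    return route is not None and route[1] == "eni-trust"


def reply_egress(vr_routes, server_ip):
    """(interface, next_hop) the firewall picks for the un-NATed reply to server_ip."""
    route = lookup(vr_routes, server_ip)
    return None if route is None else (route[1], route[2])


def reply_reaches_server(vr_routes, server_ip):
    """True only if the reply leaves the trust interface and AWS can deliver it inside the VPC."""
    egress = reply_egress(vr_routes, server_ip)
    if egress is None or egress[0] != "ethernet1/2":
        return False                        # sent toward the IGW with a private destination: lost
    _, next_hop = egress
    if next_hop is None:                    # connected route: server shares the trust subnet
        return server_ip in TRUST_SUBNET
    aws_route = lookup(AWS_TRUST_RT, server_ip)   # handed to the AWS router of the trust subnet
    return aws_route is not None and aws_route[1] == "local"


def session_works(server_rt, vr_routes, server_ip, dst=INTERNET_HOST):
    """Both directions must succeed; a forward-only path is what shows up as 'aged out'."""
    return forward_reaches_firewall(server_rt, dst) and reply_reaches_server(vr_routes, server_ip)


if __name__ == "__main__":
    for label, vr in (("before fix", VR_BEFORE), ("after fix", VR_AFTER)):
        for name, ip in (("server A (trust subnet)", SERVER_A), ("server B (other subnet)", SERVER_B)):
            print(f"{label:10} {name:24} reply via {reply_egress(vr, ip)} "
                  f"-> works={session_works(AWS_PRIVATE_RT, vr, ip)}")
```

Running it prints the reply egress for each server before and after the static route is added: server B's reply initially follows the default route out ethernet1/1 toward the IGW, which matches the one-way "aged out" sessions in the OP's monitor, and only after the 172.31.0.0/16 route does it leave ethernet1/2 toward the subnet's first IP, where the AWS local route completes delivery. The forward check also encodes the helper's question about the server subnet's 0/0 route: without it, nothing reaches the firewall in the first place.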