D-NAT not working in GCP


L2 Linker

Hello Everyone,

I have deployed a PA-VM in GCP, in which we have configured 3 VPCs (MGMT, Untrust & Trust).

In the Trust VPC we have created a Windows Server 2016; in the PA we created a D-NAT & security policy.

In GCP, under the Trust VPC, firewall ingress traffic is allowed & the route is forwarded to the PA-VM instance with priority 500.

For the Untrust VPC, firewall ingress traffic is allowed & the route is pointing toward the default internet gateway.

What am I missing here?


L2 Linker

Have you looked at your routing table? I assume that your WAN and internal interfaces are in DHCP mode?

L2 Linker

Hi Fcrofdir,

Both interfaces are configured as static.

L2 Linker

Did you create on the Palo Alto in the trust VPC a return route to go back to the virtual router of the trust VPC?

Did you create a default route in the untrust to send traffic to the GCP virtual router of the untrust VPC?

Did you capture packets in the logs of the Palo when you try to send traffic to the internet from your Windows Server 2016? On the NAT screenshot the hit count is "0", meaning that no traffic is hitting these rules, or maybe no traffic is hitting the firewall VM.

L2 Linker

Hi Fcrofdir,

I performed the below steps in GCP:

1. Created 3 VPCs (MGMT, TRUST & UNTRUST).

2. Created ingress/egress firewall rules on the VPC networks.

3. Modified the default route for the Trust network to use the Palo Alto instance.

4. Created a Trust VPC network route in the Untrust VPC to use the PA instance.

In the PA I performed the below steps:

1. Assigned static IP addresses to the interfaces.

2. Created a default route.

3. Created source NAT & security policy for the Trust VPC network.

4. Created DNAT & security policy for the Windows Server.

Kindly let me know which step I missed.

It sounds great.

Could you generate traffic from your Windows 2016? Does it ping the PA trust interface? Do you see the traffic in the traffic monitor? Have you overridden the intrazone-default and the interzone-default rules in the security policy to log at first packet and last?

If the NAT hit count in NAT or the security rules count doesn't increase, that means that there is something not working in the trust VPC config in GCP.

I remember in AWS that you have to disable the source/destination check on the network interface when you set a static IP on a network interface. I don't remember if you have to do something like that in GCP.
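As an added example (not code from the thread or from Palo Alto Networks), the Python pre-flight check below reads constructed `gcloud ... --format=json` output and flags the GCP-side settings the posts above ask about: whether the trust VPC default route actually wins against the system route, whether the untrust VPC has a default route to the internet gateway, and whether IP forwarding is enabled on the PA-VM, which is GCP's counterpart of the AWS source/destination check mentioned above. The names `pa-vm`, `trust-vpc` and `untrust-vpc` are assumptions.

```python
import json

# Constructed sample of `gcloud compute instances describe pa-vm --format=json`,
# trimmed to the one field the check reads (instance name is hypothetical).
PA_VM = json.loads('{"name": "pa-vm", "canIpForward": false}')

# Constructed sample of `gcloud compute routes list --format=json` for the three
# VPCs described in the thread; resource URLs are shortened with "...".
ROUTES = json.loads("""[
  {"name": "trust-default", "network": ".../networks/trust-vpc",
   "destRange": "0.0.0.0/0", "priority": 1000,
   "nextHopGateway": ".../global/gateways/default-internet-gateway"},
  {"name": "trust-to-pa", "network": ".../networks/trust-vpc",
   "destRange": "0.0.0.0/0", "priority": 500,
   "nextHopInstance": ".../zones/us-central1-a/instances/pa-vm"},
  {"name": "untrust-default", "network": ".../networks/untrust-vpc",
   "destRange": "0.0.0.0/0", "priority": 1000,
   "nextHopGateway": ".../global/gateways/default-internet-gateway"}
]""")


def _leaf(url):
    """Last path segment of a GCE resource URL (e.g. the network or instance name)."""
    return url.rsplit("/", 1)[-1]


def check_gcp_prereqs(instance, routes, trust_net="trust-vpc", untrust_net="untrust-vpc"):
    """Return findings for the GCP-side settings a PA-VM next-hop deployment needs."""
    findings = []
    # GCP's counterpart of the AWS source/destination check: a VM that forwards
    # packets not addressed to itself must be created with --can-ip-forward.
    if not instance.get("canIpForward"):
        findings.append("%s: canIpForward is false, forwarded packets will be dropped" % instance["name"])

    # Trust VPC: among the 0.0.0.0/0 routes, the lowest priority number wins,
    # so the PA-VM route (500 here) must beat the system default (1000).
    trust_defaults = [r for r in routes
                      if _leaf(r["network"]) == trust_net and r["destRange"] == "0.0.0.0/0"]
    best = min(trust_defaults, key=lambda r: r["priority"], default=None)
    if best is None or _leaf(best.get("nextHopInstance", "")) != instance["name"]:
        findings.append("%s: winning default route does not point at %s" % (trust_net, instance["name"]))

    # Untrust VPC: egress from the PA-VM needs a default route to the internet gateway.
    if not any(_leaf(r["network"]) == untrust_net and r["destRange"] == "0.0.0.0/0"
               and "nextHopGateway" in r for r in routes):
        findings.append("%s: no default route via default-internet-gateway" % untrust_net)
    return findings
```

Run `check_gcp_prereqs(PA_VM, ROUTES)` against the sample data and the only finding is the missing IP forwarding; feed it real `gcloud` JSON instead of the constructed blobs to check a live project.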

L2 Linker

Hi Fcrofdir,

Thanks for the hint.

While troubleshooting we found it was hitting the default intrazone rule, which was blocked.

Then we changed it to the custom rule and it started working.
