
Nubis Novem

Consulting On Cloud Nine

Handling multiple external IP addresses with Palo Alto PA-3020

“One, two, three, four
Can I have a little more?”
“All Together Now”, from The Beatles album “Yellow Submarine” (1969)

Another showcase with the Palo Alto PA-3020 firewall hardware device by Palo Alto Networks (PA-3000 series) running PAN-OS 6.0. This time we would like to discuss the use of multiple IP addresses on the external interface. Say you run into a situation where more than one HTTPS web service should be offered to the public, but the services are hosted on separate hardware internally. The simple solution is to use another external IP address for incoming connections on TCP port 443 and to create a second NAT policy rule (with a matching security policy) for that additional address.

Task

Handling an additional IP address on a PA-3000 series firewall is fairly easy. In fact, if you have already configured your untrust network (the external interface) with an address from the network range that your Internet provider allocated for your use, that additional IP is most probably ready to be used. Let us look at an example:

Port ethernet1/1 (Layer3, untrust zone) is configured with IP address 192.0.2.38/29

That defines usable host address range as 192.0.2.33 – 192.0.2.38 (with network address 192.0.2.32, broadcast 192.0.2.39). If we had 192.0.2.38 as our “main” IP address for both incoming and outgoing NAT communication with the Internet, it is time to use one of the additional IP addresses, for instance 192.0.2.36, as an alternative.

Say we already had a NAT rule and a security policy that directed connections to 192.0.2.38 on port 443 to internal IP 192.168.233.20 (trust zone, on the internal interface) for server #1, and we have another server #2 with internal IP address 192.168.233.22 that should handle HTTPS (TCP port 443) connections via the alternative IP.

Implementation

HTTPS service defined as follows:

Name: HTTPS
Protocol: TCP
Destination port: 443
Source port: 1-65535

NAT rule for server #1 defined as follows:

Name: Incoming HTTPS s1
Tags: https
Source zone: untrust
Destination zone: untrust
Destination interface: any
Source address: any
Destination address: 192.0.2.38
Service: HTTPS
Source translation: none
Destination translation: address: 192.168.233.20, port 443

Security policy for server #1 looked like:

Name: Incoming HTTPS s1
Tags: https
Source Zone: untrust
Source Address: any
Destination Zone: trust
Destination Address: 192.0.2.38
Service: HTTPS
Action: allow

In order to configure the new incoming port 443 setup via the alternative IP, the following was defined:

NAT rule for server #2 defined as follows:

Name: Incoming HTTPS s2
Tags: https
Source zone: untrust
Destination zone: untrust
Destination interface: any
Source address: any
Destination address: 192.0.2.36
Service: HTTPS
Source translation: none
Destination translation: address: 192.168.233.22, port 443

Security policy for server #2 looked like:

Name: Incoming HTTPS s2
Tags: https
Source Zone: untrust
Source Address: any
Destination Zone: trust
Destination Address: 192.0.2.36
Service: HTTPS
Action: allow

So, in order to serve the alternative IP, all you need to do is create a NAT rule whose destination address is that IP and a security policy that names the same public (pre-NAT) address as its destination while using the post-NAT destination zone (trust). Because 192.0.2.36 lies inside the /29 configured on ethernet1/1, the firewall answers ARP requests for it as soon as it appears as the destination of a NAT rule; no additional interface address is needed. Keep the two security policies distinct: if the policy for server #2 accidentally repeats 192.0.2.38 as its destination, connections to 192.0.2.36 match no rule and are dropped by the implicit interzone deny.
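To make the rule interplay concrete, here is a small model of how the firewall evaluates an inbound packet against the two NAT rules and two security policies above. This is an added illustration written for this page, not PAN-OS code and not a tool from Palo Alto Networks: it re-implements, in simplified form, the first-match behaviour described in the PAN-OS documentation (a destination NAT rule is matched on the pre-NAT zones and pre-NAT destination address; the security policy is matched on the post-NAT destination zone but still on the pre-NAT destination address). Addresses, zone names and rule names come from the page; the trust subnet (assumed to be 192.168.233.0/24) and the Internet client 203.0.113.10 are constructed for the example.

```python
"""Model of PAN-OS NAT + security-policy evaluation for the two-server setup.

Added example for this page, not PAN-OS code. Assumptions: trust subnet
192.168.233.0/24, Internet client 203.0.113.10, two-zone route lookup.
"""
import ipaddress
from dataclasses import dataclass

UNTRUST_IF = ipaddress.ip_interface("192.0.2.38/29")   # ethernet1/1, zone untrust
TRUST_NET = ipaddress.ip_network("192.168.233.0/24")   # assumed internal subnet


def zone_of(addr: str) -> str:
    """Route lookup reduced to two zones: inside the trust subnet or not."""
    return "trust" if ipaddress.ip_address(addr) in TRUST_NET else "untrust"


def proxy_arp_ok(addr: str) -> bool:
    """The firewall answers ARP for a NAT destination only if it lies in the
    subnet configured on the untrust interface (here 192.0.2.32/29)."""
    return ipaddress.ip_address(addr) in UNTRUST_IF.network


@dataclass(frozen=True)
class NatRule:
    name: str
    from_zone: str
    to_zone: str        # pre-NAT destination zone, hence "untrust"
    dst: str            # pre-NAT (public) destination address
    dport: int
    xlate_dst: str      # destination translation
    xlate_port: int


@dataclass(frozen=True)
class SecRule:
    name: str
    from_zone: str
    to_zone: str        # post-NAT destination zone, hence "trust"
    dst: str            # still the pre-NAT (public) destination address
    dport: int
    action: str


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def apply_nat(pkt, nat_rules):
    """First matching NAT rule wins and rewrites the destination."""
    for r in nat_rules:
        if (r.from_zone == zone_of(pkt.src) and r.to_zone == zone_of(pkt.dst)
                and r.dst == pkt.dst and r.dport == pkt.dport):
            return r, Packet(pkt.src, r.xlate_dst, r.xlate_port)
    return None, pkt


def apply_security(pre, post, sec_rules):
    """Zones are taken from the post-NAT packet, the address from the pre-NAT
    one; no match falls through to the implicit interzone deny."""
    for r in sec_rules:
        if (r.from_zone == zone_of(pre.src) and r.to_zone == zone_of(post.dst)
                and r.dst in ("any", pre.dst) and r.dport == pre.dport):
            return r.name, r.action
    return "interzone-default", "deny"


def evaluate(pkt, nat_rules, sec_rules):
    """Return which NAT rule fired, the translated destination, and the verdict."""
    nat, post = apply_nat(pkt, nat_rules)
    policy, action = apply_security(pkt, post, sec_rules)
    return {"nat": nat.name if nat else None, "to": post.dst,
            "policy": policy, "action": action}


NAT_RULES = [
    NatRule("Incoming HTTPS s1", "untrust", "untrust", "192.0.2.38", 443, "192.168.233.20", 443),
    NatRule("Incoming HTTPS s2", "untrust", "untrust", "192.0.2.36", 443, "192.168.233.22", 443),
]
SEC_RULES = [
    SecRule("Incoming HTTPS s1", "untrust", "trust", "192.0.2.38", 443, "allow"),
    SecRule("Incoming HTTPS s2", "untrust", "trust", "192.0.2.36", 443, "allow"),
]
# Same policies, but the s2 entry copy-pasted with the wrong (s1) destination.
SEC_RULES_COPY_PASTE = [
    SEC_RULES[0],
    SecRule("Incoming HTTPS s2", "untrust", "trust", "192.0.2.38", 443, "allow"),
]

CLIENT = "203.0.113.10"   # constructed Internet client

if __name__ == "__main__":
    for dst in ("192.0.2.38", "192.0.2.36"):
        print(dst, "proxy-arp:", proxy_arp_ok(dst),
              evaluate(Packet(CLIENT, dst, 443), NAT_RULES, SEC_RULES))
    print("copy-paste s2:",
          evaluate(Packet(CLIENT, "192.0.2.36", 443), NAT_RULES, SEC_RULES_COPY_PASTE))
```

Run as a script it shows both public addresses being translated and allowed, and then the copy-paste variant: the NAT rule for server #2 still fires, but the security policy never matches the pre-NAT address 192.0.2.36 and the session ends in the interzone default deny. That is exactly the symptom to look for in the traffic log when the second service "does not answer" although its NAT rule is present.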

Additional notes

For outgoing NAT to use an alternative IP address for a certain internal client, you would simply use a source translation (static IP, translated address 192.0.2.36) in a trust-to-untrust NAT rule matching that client's internal address, instead of a destination translation. The matching security policy then runs from trust to untrust with the client's internal address as the source.

References

https://live.paloaltonetworks.com/t5/Featured-Articles/DotW-Multiple-IP-Addresses-on-an-Interface/ta-p/66833
