“One, two, three, four
Can I have a little more?”
“All Together Now”, from The Beatles album “Yellow Submarine” (1969)
Another showcase with the Palo Alto Networks PA-3020 firewall (PA-3000 series) running PAN-OS 6.0. This time we would like to discuss the use of multiple IP addresses on the external interface. Say you run into a situation where more than one HTTPS web service should be offered to the public, but the services live on separate hardware internally. The simple solution is to use another public IP address for incoming connections on TCP port 443 and create an additional NAT policy rule for that address.
Handling an additional IP address on a PA-3000 series firewall is fairly easy. In fact, if you have already configured your untrust network (the external interface) with the IP range your Internet provider allocated for your use, that additional IP is most probably ready to be used. Let us look at an example:
Port Ethernet 1/1 (Layer3, untrust zone) is configured with IP address 192.0.2.38/29.
That gives a usable host range of 192.0.2.33 – 192.0.2.38 (network address 192.0.2.32, broadcast 192.0.2.39). If 192.0.2.38 has been our “main” IP address for both incoming and outgoing NAT communication with the Internet, it is time to use one of the additional addresses, for instance 192.0.2.36, as an alternative.
Say we already had a NAT rule and a security policy that directed 192.0.2.38 port 443 connections to internal IP 192.168.233.20 (trust zone on the internal interface) for server #1, and we have another server #2 with internal IP 192.168.233.22 that should handle HTTPS (TCP port 443) connections via the alternative IP.
HTTPS service defined as follows:
Name: HTTPS
Protocol: TCP
Destination port: 443
Source port: 1-65535
NAT rule for server #1 defined as follows:
Name: Incoming HTTPS s1
Tags: https
Source zone: untrust
Destination zone: untrust
Destination interface: any
Source address: any
Destination address: 192.0.2.38
Service: HTTPS
Source translation: none
Destination translation: address 192.168.233.20, port 443
Security policy for server #1 looked like:
Name: Incoming HTTPS s1
Tags: https
Source Zone: untrust
Source Address: any
Destination Zone: trust
Destination Address: 192.0.2.38
Service: HTTPS
Action: allow
In order to configure the new incoming port 443 setup via the alternative IP, the following was defined:
NAT rule for server #2 defined as follows:
Name: Incoming HTTPS s2
Tags: https
Source zone: untrust
Destination zone: untrust
Destination interface: any
Source address: any
Destination address: 192.0.2.36
Service: HTTPS
Source translation: none
Destination translation: address 192.168.233.22, port 443
Security policy for server #2 looked like (note that the destination address is the pre-NAT address 192.0.2.36, not the main IP; a policy copied from server #1 that still says 192.0.2.38 would never match connections to the alternative IP):
Name: Incoming HTTPS s2
Tags: https
Source Zone: untrust
Source Address: any
Destination Zone: trust
Destination Address: 192.0.2.36
Service: HTTPS
Action: allow
So, in order to serve the alternative IP, all you need to do is configure the NAT rule and the security policy with that IP address as the destination. Remember how PAN-OS evaluates them: the NAT rule matches the original (pre-NAT) destination 192.0.2.36 in the pre-NAT destination zone untrust and translates it to the internal server, while the security policy also names the pre-NAT address 192.0.2.36 but uses the post-NAT destination zone trust. The rest, including answering ARP requests for the additional address on Ethernet 1/1, is done by the firewall itself, because 192.0.2.36 lies inside the subnet configured on that interface.
For outgoing NAT that should use the alternative IP for a particular internal client, you would instead use a Source Address Translation definition in the NAT rule (matching that client's internal address as the source), rather than a Destination Address Translation.
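As an added example (not part of the original post, and not Palo Alto Networks' code), the following Python model reproduces the lookup order behind the two rule pairs above and the outgoing case: the NAT rule is matched on the original destination address and pre-NAT zone, then the security policy is matched on the pre-NAT address and port but the post-NAT destination zone. The trust prefix 192.168.233.0/24, the outbound rules, the client address 203.0.113.7 and the proxy-ARP check are assumptions; addresses and rule names otherwise follow the article.

```python
"""Added example: how a PAN-OS style firewall pairs a NAT rule with its security policy.
NAT rules match the ORIGINAL packet (pre-NAT address and zone); security policy matches
the pre-NAT addresses and port but the POST-NAT destination zone.  Public addresses and
rule names are the article's; the trust prefix and outbound rules are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

UNTRUST_IF = ipaddress.ip_interface("192.0.2.38/29")    # Ethernet 1/1, from the article
ZONES = {
    "untrust": UNTRUST_IF.network,                        # 192.0.2.32/29
    "trust": ipaddress.ip_network("192.168.233.0/24"),    # assumed internal prefix
}
SERVICES = {"HTTPS": ("tcp", 443)}                        # the article's HTTPS service object


@dataclass(frozen=True)
class Packet:
    src_zone: str
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class NatRule:
    name: str
    from_zone: str
    to_zone: str                                   # pre-NAT destination zone (untrust for inbound DNAT)
    src: str
    dst: str                                       # pre-NAT destination address
    service: str
    dst_xlate: Optional[Tuple[str, int]] = None    # destination translation (ip, port)
    src_xlate: Optional[str] = None                # source translation (static IP)


@dataclass(frozen=True)
class SecRule:
    name: str
    from_zone: str
    to_zone: str                                   # post-NAT destination zone (trust for inbound DNAT)
    src: str
    dst: str                                       # still the pre-NAT destination address
    service: str
    action: str


def zone_of(ip: str) -> str:
    """Zone of an address: a directly attached subnet, else the default route (untrust)."""
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "untrust")


def addr_matches(spec: str, ip: str) -> bool:
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def svc_matches(spec: str, pkt: Packet) -> bool:
    if spec == "any":
        return True
    proto, port = SERVICES[spec]
    return pkt.proto == proto and pkt.dport == port


def apply_nat(pkt: Packet, nat_rules):
    """First matching NAT rule wins, evaluated against the untranslated packet."""
    for r in nat_rules:
        if (r.from_zone == pkt.src_zone and r.to_zone == zone_of(pkt.dst)
                and addr_matches(r.src, pkt.src) and addr_matches(r.dst, pkt.dst)
                and svc_matches(r.service, pkt)):
            dst, dport = r.dst_xlate or (pkt.dst, pkt.dport)
            return r, Packet(pkt.src_zone, r.src_xlate or pkt.src, dst, pkt.proto, dport)
    return None, pkt


def evaluate(pkt: Packet, nat_rules, sec_rules):
    """Return (NAT rule, security rule, action); no security match is the implicit interzone deny."""
    nat, translated = apply_nat(pkt, nat_rules)
    post_nat_zone = zone_of(translated.dst)                 # zone of the translated destination
    for s in sec_rules:
        if (s.from_zone == pkt.src_zone and s.to_zone == post_nat_zone
                and addr_matches(s.src, pkt.src) and addr_matches(s.dst, pkt.dst)   # pre-NAT addresses
                and svc_matches(s.service, pkt)):                                    # pre-NAT port
            return (nat.name if nat else None, s.name, s.action)
    return (nat.name if nat else None, None, "deny")


def proxy_arp_ok(ip: str) -> bool:
    """Assumed check: the firewall answers ARP for a NAT address by itself only when it is a
    usable host address inside the interface's own subnet."""
    return ipaddress.ip_address(ip) in set(UNTRUST_IF.network.hosts())


NAT_RULES = [
    NatRule("Incoming HTTPS s1", "untrust", "untrust", "any", "192.0.2.38", "HTTPS", dst_xlate=("192.168.233.20", 443)),
    NatRule("Incoming HTTPS s2", "untrust", "untrust", "any", "192.0.2.36", "HTTPS", dst_xlate=("192.168.233.22", 443)),
    # Assumed outbound rule: server #2 leaves via the alternative IP (source translation).
    NatRule("Outgoing s2", "trust", "untrust", "192.168.233.22", "any", "any", src_xlate="192.0.2.36"),
]
SEC_RULES = [
    SecRule("Incoming HTTPS s1", "untrust", "trust", "any", "192.0.2.38", "HTTPS", "allow"),
    SecRule("Incoming HTTPS s2", "untrust", "trust", "any", "192.0.2.36", "HTTPS", "allow"),
    SecRule("Outgoing trust", "trust", "untrust", "192.168.233.0/24", "any", "any", "allow"),   # assumed
]
# A server #2 policy copied from server #1 without changing the destination address:
MISCOPIED_SEC_RULES = [SEC_RULES[0],
                       SecRule("Incoming HTTPS s2", "untrust", "trust", "any", "192.0.2.38", "HTTPS", "allow")]

if __name__ == "__main__":
    client = Packet("untrust", "203.0.113.7", "192.0.2.36", "tcp", 443)   # constructed inbound connection
    print(evaluate(client, NAT_RULES, SEC_RULES))            # ('Incoming HTTPS s2', 'Incoming HTTPS s2', 'allow')
    print(evaluate(client, NAT_RULES, MISCOPIED_SEC_RULES))  # ('Incoming HTTPS s2', None, 'deny')
    print(proxy_arp_ok("192.0.2.36"), proxy_arp_ok("192.0.2.40"))   # True False
```

Running it shows why the security policy for server #2 must name 192.0.2.36 together with zone trust: a policy copied from server #1 that still says 192.0.2.38 matches nothing, so the connection to the alternative IP falls through to the implicit deny even though the NAT rule itself was correct. The outbound case works the same way with the source translation applied before the security lookup.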