Topology
Initial Config (No NATGW)
- SNAT is done on the firewall interface
- Firewall eth1/1 private and public IPs:
Testing:
(for testing I’m using curl from the internal VM towards another VM running in a different cloud provider running NGIX)
- Firewall PIP interface is used
NATGW
Once a NATGW is attached to the firewall eth1/1 interface subnet, the NATGW takes precedence:
Testing:
PIP can disassociate for egress only case
Adding Multiple Private IPs
- we can add multiple IPs to the external interface (with/without public ips):
- PAN NAT configuration requires no change as from their documentation:
The advantage of specifying the interface in the NAT rule is that the NAT rule will be automatically updated to use any address subsequently acquired by the interface. DIPP is sometimes referred to as interface-based NAT or network address port translation (NAPT).
