Using NATGW for Centralized Internet Outbound

Archive: Australia Fire Scars (NASA, International Space Station, 10/07/02) by NASA’s Marshall Space Flight Center is licensed under CC-BY-NC 2.0

Topology

Initial Config (No NATGW)

  • SNAT is performed on the firewall's eth1/1 (external) interface, using DIPP against the interface address
  • Firewall eth1/1 private and public IPs:

Testing:

(for testing I'm using curl from the internal VM towards another VM, running NGINX, hosted in a different cloud provider; the NGINX access log shows which public IP the request arrived from)

  • The public IP (PIP) attached to the firewall's eth1/1 interface is the source address seen by the NGINX host

NATGW

Once a NATGW is associated with the subnet of the firewall's eth1/1 interface, the NATGW takes precedence over the instance-level public IP for all outbound flows from that subnet. The firewall still SNATs to its eth1/1 private address; Azure then translates that address to the NATGW's public IP:

Testing:

  • The NATGW public IP is now the source address seen by the NGINX host
  • If the firewall's PIP was only needed for egress, it can now be disassociated from eth1/1; keep it only if inbound connections to that address are still required
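The two tests above (before and after the NATGW is attached) come down to one question: which public IP does the remote NGINX host see? The script below is an added example, not part of the original post. It assumes constructed names (resource group fw-rg, VNet hub-vnet, subnet untrust-subnet, NAT gateway hub-natgw, its public IP hub-natgw-pip) and uses documentation addresses 203.0.113.10 for the firewall PIP and 198.51.100.20 for the NATGW PIP; the access-log lines are constructed. It attaches the NATGW with the Azure CLI, generates flows from the internal VM with curl, and classifies the source IPs in the NGINX access log so that a stray, unexpected egress address stands out.

```shell
# Added example (not from the original post). Names and IPs below are assumed:
# rg fw-rg, vnet hub-vnet, external subnet untrust-subnet, NAT gateway hub-natgw,
# NATGW PIP hub-natgw-pip; 203.0.113.10 = firewall PIP, 198.51.100.20 = NATGW PIP.
set -u

# Step 1 (workstation with the Azure CLI): create a Standard static PIP, a NAT
# gateway using it, and associate the gateway with the firewall's eth1/1 subnet.
# From then on Azure sends all outbound flows from that subnet via the NATGW,
# ahead of any instance-level PIP on eth1/1. Prints the NATGW public IP.
attach_natgw() {
  local rg=fw-rg vnet=hub-vnet subnet=untrust-subnet natgw=hub-natgw pip=hub-natgw-pip
  az network public-ip create -g "$rg" -n "$pip" --sku Standard --allocation-method Static
  az network nat gateway create -g "$rg" -n "$natgw" --public-ip-addresses "$pip" --idle-timeout 10
  az network vnet subnet update -g "$rg" --vnet-name "$vnet" -n "$subnet" --nat-gateway "$natgw"
  az network public-ip show -g "$rg" -n "$pip" --query ipAddress -o tsv
}

# Step 2 (internal VM): generate a few flows toward the test NGINX host.
probe_egress() {
  local target="$1" i
  for i in 1 2 3; do curl -s -o /dev/null -w '%{http_code}\n' "http://$target/"; done
}

# Step 3 (NGINX host): count which public IP each hit arrived from.
# The "combined" log format puts the client address in field 1. Anything that
# is neither the firewall PIP nor the NATGW PIP is reported as "other", which
# is the case to investigate: traffic is leaving by a path you did not intend,
# and partner allowlists keyed on your egress IP will not match it.
classify_egress() {
  local logfile="$1" fw_pip="$2" natgw_pip="$3"
  awk -v fw="$fw_pip" -v nat="$natgw_pip" '
    $1 == fw  { f++; next }
    $1 == nat { n++; next }
              { o++ }
    END { printf "firewall=%d natgw=%d other=%d\n", f + 0, n + 0, o + 0 }
  ' "$logfile"
}

# Constructed access.log sample: one hit before the NATGW was attached
# (firewall PIP), two after (NATGW PIP), and one stray source address.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.10 - - [10/Oct/2022:09:01:12 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.81.0"
198.51.100.20 - - [10/Oct/2022:09:05:40 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.81.0"
198.51.100.20 - - [10/Oct/2022:09:05:41 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.81.0"
192.0.2.77 - - [10/Oct/2022:09:07:03 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.81.0"
EOF

classify_egress "$SAMPLE_LOG" 203.0.113.10 198.51.100.20
# prints: firewall=1 natgw=2 other=1
```

Run attach_natgw once from the workstation, probe_egress from the internal VM, then classify_egress against the real access.log on the NGINX host with the firewall PIP and the NATGW PIP. After the cutover every new hit should land in the natgw bucket; a non-zero "other" count is the signal to check which subnet or NIC the traffic actually left from.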

Adding Multiple Private IPs

  • We can add multiple private IPs to the external interface (with or without public IPs attached to them):
  • The PAN-OS NAT configuration needs no change, because the rule translates to the interface rather than to a fixed address; from the PAN-OS documentation:

The advantage of specifying the interface in the NAT rule is that the NAT rule will be automatically updated to use any address subsequently acquired by the interface. DIPP is sometimes referred to as interface-based NAT or network address port translation (NAPT).
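As an added example (not from the original post or from the Palo Alto documentation), the PAN-OS CLI form of such a rule, with an assumed rule name Outbound-SNAT and assumed zone names trust and untrust. The interface-address form is the one that picks up any address later added to ethernet1/1; the translated-address form shown for contrast pins the rule to a fixed address and must be edited every time an IP is added to the interface.

```text
# Added example; rule name and zone names are assumed.
# Interface-based DIPP: whatever addresses ethernet1/1 holds are used as the
# translated source, so adding private IPs to eth1/1 needs no NAT rule change.
set rulebase nat rules Outbound-SNAT from trust
set rulebase nat rules Outbound-SNAT to untrust
set rulebase nat rules Outbound-SNAT source any
set rulebase nat rules Outbound-SNAT destination any
set rulebase nat rules Outbound-SNAT service any
set rulebase nat rules Outbound-SNAT to-interface ethernet1/1
set rulebase nat rules Outbound-SNAT source-translation dynamic-ip-and-port interface-address interface ethernet1/1
commit

# For contrast: pinning DIPP to a fixed address (10.0.1.4 is an assumed
# eth1/1 private IP). Every new interface IP would require editing this line.
# set rulebase nat rules Outbound-SNAT source-translation dynamic-ip-and-port translated-address 10.0.1.4

# Checks: confirm the committed rule and which rule a sample flow matches
# (10.0.2.4 and 192.0.2.10 are assumed internal and external addresses).
show running nat-policy
test nat-policy-match from trust to untrust source 10.0.2.4 destination 192.0.2.10 protocol 6 destination-port 443
```

With a NATGW on the eth1/1 subnet this is a double translation: the firewall SNATs to an eth1/1 private address, and Azure then SNATs that to the NATGW public IP, so the firewall's private IP count only affects the firewall's own DIPP port pool, not which public address the Internet sees.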

References

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/source-nat-and-destination-nat/source-nat

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/dynamic-ip-and-port-nat-oversubscription#id2a358bd4-94c0-4976-a681-dad3845f8174
