Static NAT on Palo Alto

December 3, 2019 | 4 minute read
Catalin Andrei
Master Principal Cloud Architect

In the previous article I created a Palo Alto VM in OCI, and now I will continue with a classic use case: hiding a server behind the firewall (static NAT).

What is different in the cloud compared with on-premise? On-premise, the firewall would have a public IP address on its external (outside) interface, and when you do a NAT, the packet that exits the firewall has a public IP address.

In the cloud, the public IP address is ephemeral and it is not configured on the vNIC. After the packet exits the vNIC, it gets NAT-ed one-to-one to the public IP address. The NAT process is transparent for the firewall and it will not alter the source port and source destination of the packet.

To do a static NAT on-premise, the firewall creates a one-to-one NAT for the IP address that needs to be statically NAT-ed, and this NAT IP address can be categorized as a secondary IP address of the outside interface. The firewall is responsible for publishing the ARP entry of that IP address so that other devices are able to reach it.

In the cloud there isn't such a process. The user assigns a secondary IP address on the outside interface and the cloud knows how to reach that IP address. Please note that you can assign one primary IP address and up to 31 secondary IP addresses.

Below I will use a scenario in which the Palo Alto VM is attached to 3 VCNs: Management, Inside and Outside. In the Inside VCN there will be a VM that needs to be statically NAT-ed. In simple words, this VM will be published to the Internet by the firewall.

The scenario used is depicted in the network diagram below:

The Palo Alto VM is attached to 3 VCNs:

  • Management - Public Subnet: 192.168.12.0/28;

  • Outside - Public Subnet: 172.30.0.0/29;

  • Inside - Private Subnet: 172.31.0.0/29.

The IP addresses on the PA are:

  • Eth1/1 - Outside 172.30.0.3

  • Eth1/2 - Inside 172.31.0.2

The server (fra-linux1 172.31.0.3) is in a private subnet and can't be reached from the Internet.

On the PA-VM we will create an additional IP address which will be used to statically NAT the server:

The client will connect from the Internet to the public IP address 130.61.194.3, which will be translated by OCI into the private IP address 172.30.0.4. For Palo Alto, this IP address is the external IP address that will be used for the NAT.

The PA-VM will translate 172.30.0.4 into the real IP address of the server (172.31.0.3).

In order to direct the traffic from the private subnet to the Internet, the Inside VCN where the server was created will have a route table with a default route entry whose next hop is the internal IP address of the PA (Inside interface):

In the PA-VM, these are the objects that will be used:

As you can observe, the PA doesn't know about the public IP addresses that are connected to its vNIC.

Palo Alto packet flow logic can be observed below:

In order to get the NAT working we need the following rule:

The following security rule was added:

where fra-linux1_NAT_in is 172.30.0.4.
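
The two translation stages above can be traced hop by hop; the following is an added example, not code from the original article or from any Palo Alto or OCI tool. It uses the article's addresses, a constructed client address (203.0.113.10), hypothetical function names, and the modelling assumption that the firewall's NAT and security rules are compared with the pre-NAT destination address, which is why a rule written against the public IP never matches.

```python
from dataclasses import dataclass, replace

# Addresses from the article.
PUBLIC_IP = "130.61.194.3"  # address Internet clients connect to
NAT_IN = "172.30.0.4"       # fra-linux1_NAT_in, secondary IP on Eth1/1
SERVER = "172.31.0.3"       # fra-linux1, real address in the Inside subnet

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

def oci_ingress(pkt):
    """OCI 1:1 NAT in front of the vNIC: public IP -> secondary private IP."""
    return replace(pkt, dst=NAT_IN) if pkt.dst == PUBLIC_IP else pkt

def pa_inbound(pkt, nat_match, sec_match):
    """Firewall stage. nat_match and sec_match are the destination addresses
    the NAT rule and the security rule are written against. Assumption of this
    model: both are compared with the pre-NAT destination of the packet."""
    if pkt.dst != nat_match or pkt.dst != sec_match:
        return None                  # no rule hit: the packet is not forwarded
    return replace(pkt, dst=SERVER)  # destination translation to the server

def trace_inbound(client_ip, nat_match, sec_match):
    """Return (packets seen hop by hop, delivered?) for one inbound packet."""
    hops = [Packet(client_ip, PUBLIC_IP)]
    hops.append(oci_ingress(hops[-1]))
    translated = pa_inbound(hops[-1], nat_match, sec_match)
    if translated is None:
        return hops, False
    return hops + [translated], True

def trace_reply(client_ip):
    """Reply path: the firewall restores NAT_IN, then OCI restores PUBLIC_IP."""
    hops = [Packet(SERVER, client_ip)]
    hops.append(replace(hops[-1], src=NAT_IN) if hops[-1].src == SERVER else hops[-1])
    hops.append(replace(hops[-1], src=PUBLIC_IP) if hops[-1].src == NAT_IN else hops[-1])
    return hops

if __name__ == "__main__":
    client = "203.0.113.10"  # constructed client address (documentation range)
    for match in (NAT_IN, PUBLIC_IP):
        hops, ok = trace_inbound(client, match, match)
        print(match, "delivered" if ok else "dropped", [p.dst for p in hops])
    print("reply sources:", [p.src for p in trace_reply(client)])
```
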

As a test, a tcpdump was started on the server and we will attempt to connect from the Internet:

With this successful connection I will end this series of articles on Palo Alto. I started with the import of the Palo Alto image, then I continued with the creation of a Palo Alto VM in OCI, and I finish with a use case for the firewall deployment.
