NAT, VPN on the Firewall which is behind a router situation

thehourman Member Posts: 723
Hello guys,

I have a situation.
See the topology.
My network is another organization which is connected to the main organization. My network is not connected to the ISP, but to the main organization.

To make it simpler, my ISP is the main organization which is connected to the real ISP.

[ISP]
[Main Org]
[MX]
[PA]
etc.


The MX router is connected to the main organization. And it has a static default route with a next-hop of 150.1.10.62.
The MX has an OSPF neighbor relationship with Palo Alto (PA) firewall. The PA is getting a default route from the MX via OSPF.

MX ge-2/1/0 (to the Internet): 150.1.10.6/26
MX ge-1/1/0 (link to PA): 172.16.0.1/30
PA eth0/1 (link to MX): 172.16.0.2/30
PA eth0/2 (link to corp net): 172.16.1.1/24 (there are more 172.16 networks behind the PA)

At this point, all the routers and firewalls within my network are able to see each other via OSPF. However, the PA needs to NAT the users and servers and create VPN site-to-site and remote access VPN out to the Internet.

My network is in 172.16.0.0/16
The PA firewall will have a site-to-site VPN to the other branch office.
The PA firewall will be responsible for NAT-ing to the Internet.
The PA firewall will also do the static NAT for DMZ servers.

My network extends all the way to the MX and that is as far as my network owns. Now, requesting new public IPs would be close to impossible at this point because users are coming on Monday and the bosses expect that the network should be up - NAT, public facing servers, VPN, wifi, etc. I'm gonna be working today (Saturday) to get this going for Monday.


Also, the public IP I got is not the entire /26. I got a range of public IPs out of the /26. The main organization owns the /26. My MX router is connected to the /26.

(ISP)---(Main Org)---/26---(MX)
etc

The public IP subnet is 150.1.10.0/26
The main organization provided us 31 public IPs out of the /26 for our servers, VPN, etc.

The IPs we got from 150.1.10.6 to 150.1.10.37.


I was told that I could create a static route on the PA with the next-hop to discard/reject (for Cisco folks this is Null interface). The static route is the public IPs.

Now, once I got this to my PA route table, I should be able to export these static public IPs to OSPF, so that the MX router will receive the public and install it to its routing table.

Now, I should be able to do my NAT (1:1 NAT, PAT, etc) on the PA firewall since the MX knows where to reply at this point.

I don't know if this is even possible.
Any inputs will be greatly appreciated.


Thanks
Studying:
Working on CCNA: Security. Start date: 12.28.10
Microsoft 70-640 - on hold (This is not taking me anywhere. I started this in October, and it is December now, I am still on page 221. WTH!)
Reading:
Network Warrior - Currently at Part II
Reading IPv6 Essentials 2nd Edition - on hold
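The discard-route idea in the post, as an added example (not the poster's or any vendor's configuration): Python that summarises the assigned range into the prefixes the PA would hold as discard routes and redistribute, then checks how the MX's longest-match lookup would forward them. It assumes the MX's own interface address 150.1.10.6 is left out of the advertised set, since the range as given is not a single CIDR block.

```python
import ipaddress
from typing import Iterable

def discard_prefixes(first: str, last: str, exclude: Iterable[str] = ()) -> list[str]:
    """Smallest set of CIDR prefixes covering first..last, minus excluded hosts.
    These are the prefixes the PA would install as discard/null routes and
    export into OSPF so the MX sends them down the 172.16.0.0/30 link."""
    excluded = {ipaddress.ip_address(a) for a in exclude}
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    prefixes, run_start, addr = [], None, lo
    while addr <= hi:
        if addr in excluded:                      # close the current run
            if run_start is not None:
                prefixes += ipaddress.summarize_address_range(run_start, addr - 1)
                run_start = None
        elif run_start is None:
            run_start = addr
        addr += 1
    if run_start is not None:
        prefixes += ipaddress.summarize_address_range(run_start, hi)
    return [str(p) for p in prefixes]

def build_mx_table(discard: list[str]) -> list[tuple[ipaddress.IPv4Network, str]]:
    """Constructed MX routing table: connected /26, static default, OSPF-learned prefixes."""
    table = [(ipaddress.ip_network("150.1.10.0/26"), "connected ge-2/1/0"),
             (ipaddress.ip_network("0.0.0.0/0"), "static via 150.1.10.62")]
    table += [(ipaddress.ip_network(p), "ospf via 172.16.0.2 (PA)") for p in discard]
    return table

def lookup(table: list[tuple[ipaddress.IPv4Network, str]], dst: str) -> str:
    """Longest-prefix match, as the MX would do it."""
    d = ipaddress.ip_address(dst)
    best = max((n for n, _ in table if d in n), key=lambda n: n.prefixlen)
    return dict(table)[best]

if __name__ == "__main__":
    # Range from the post, with the MX's own .6 excluded (assumption).
    pfx = discard_prefixes("150.1.10.6", "150.1.10.37", exclude=["150.1.10.6"])
    mx = build_mx_table(pfx)
    print(pfx)
    for dst in ("150.1.10.20", "150.1.10.6", "150.1.10.62", "8.8.8.8"):
        print(dst, "->", lookup(mx, dst))
```

A NATed or VPN address in the advertised prefixes is matched by the more specific OSPF route, so the MX hands it to the PA; the MX's own interface and the upstream next hop stay on the connected /26.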

Comments

  • Deathmage Banned Posts: 2,496
    I understand it all, would probably take me a good day to do that all.

    Once you know the WAN addressing and the next hop to ISP it's just a matter of designing the network. Best bet is to draw out your network on paper and map out the connections.

    I presume you know IP addressing, etherchannel, L3 etherchannel, route redistribution, RSTP, PAT, ACLs, inter-VLAN routing, IP helper-address placement, floating routes, jumbo frames and name server configuration at L2 and L3, as knowledge of all this will be needed...

    It wouldn't be too drastically hard to do, but you yourself need an understanding of the basics if you're going to pull it off...

    The question for you is, does this network have multiple VLANs, and if so, do you have path routing enabled for these routes on the servers? ...Are you also responsible for managing the servers that connect to this infrastructure? You need to enable routing if these servers live on multiple VLANs, e.g. printing, wireless, servers, desktops, accounting, HR, marketing, etc.

    Have you ever designed a network of this scale before or in a home-lab?
  • thehourman Member Posts: 723
    I was not asking to design the internal network. I would like to know how to approach the NAT part on Palo Alto since it is behind the MX router which has public IP. Currently, the Palo Alto does not have public IP and has OSPF neighbor relationship with MX.
    I was told since the Palo Alto needs to do the security stuff, the MX needs to be configured in a bridge domain and the Palo Alto will be doing the routing.
  • devils_haircut Member Posts: 284
    We have a similar setup in many of the schools where I work, although we use Cisco ASAs, for the most part.

    The router has a public IP on both the outside and the inside interface within the subnet we are given. Then, the firewall gets a public IP on the outside interface with a default gateway of whatever the public IP is of the router's inside interface.

    The firewall's inside interface gets a private IP that falls within whatever our internal IP scheme happens to be (usually on its own VLAN). Then we do PAT using a different public IP than what we used for the firewall's public interface (or several IPs, if we have that much traffic).

    Does that answer your question? If I'm understanding you correctly, then it seems like you might just be overthinking this. Let me know if I'm way off.

  • thehourman Member Posts: 723
    It is supposed to be like that.
    [ISP]----/30
    [Router]
    /26
    [Firewall]
    /private IP----
    The /26 is a public IP block from the ISP, and the default gateway is the router. However, my situation is similar with the exception that the firewall has a private IP to the router.
    Also, I don't have an ISP. My MX router is connected to the main organization who provided a public IP range to us. Basically, my ISP is the main organization and the main organization has connection to the ISP.

    I think I have fixed the problem. I created a bridge domain between the port connected to the main organization and the ports connected to the firewall. I gave the firewall a public IP and its default gateway is the main organization instead of my router.
  • NotHackingYou Member Posts: 1,460
    I have done what you are asking where there is a private IP between the FW and the edge router. We bound the public IP for the VPN to a loopback interface in the PA and configured a NAT profile for the traffic.
    When you go the extra mile, there's no traffic.