Let's Talk About Palo Alto - Source NAT for Internet Access

Captions
How's it going, everybody. In this video we're going to continue our Palo Alto series by taking a look at our next topic, which is going to be source NAT. Now, for those of you that come from the Cisco world, on a Cisco router this is no different than creating, defining the interfaces that you want to participate in NAT, so NAT outside, NAT inside, creating an access list to match on the source of where the traffic is coming from with a standard ACL, and then calling that ACL from the global process, the ip nat inside source list. Palo Alto does it a little bit differently, and they call it a source-based NAT, because you are basically saying, for example with Windows 10-1, when he wants to go to the internet (because Windows 10-1 will be able to actually do this; we'll actually show this here in just a minute), we're going to say traffic from the inside zone to the outside zone, we're going to allow that traffic to be NATted. So the process is actually very, very straightforward, but unlike a router, and even like an ASA, you need to actually explicitly permit the traffic. So the first thing you need to do is create a NAT statement underneath the Policies tab, then you need to create a security policy to allow the traffic to flow through the firewall, and that's what we're actually going to walk through the process of doing. When I say source NAT, I'm referring to traffic that originates from the inside or the trusted portion of the network to the outside, so users that are trying to reach the internet. Keep that in mind and you'll be in good shape.

So I'm going to go ahead and pull up the Palo Alto firewall and I'm going to log in with the credentials there, and we're going to log in again for some reason; take care of that real quick. So we're going to create a couple... a single NAT entry, so we're going to do from the inside to the outside and go through all that good stuff. Go ahead and give that a second to load up. I'm going to go ahead and get out of the way, close that out, and what I'm going to do is I'm going to come over here on Policies, and the first one we're going to create is going to be a NAT policy. By default there isn't one that exists, so I'm going to go ahead and click on Add and then we're going to call this "internet nat". We've done that. We're going to say the NAT type is ipv4; we could specify ipv6 if we like, but we're not going to. The Original Packet: so this is going to be the original inside connectivity. The source zone will be inside, and then we have to specify where the traffic will be going to, okay? So we're going to say the destination zone is going to be outside, and the destination interface in this particular case will be ethernet1/1, so we're going to pull this down here and we're going to say ethernet1/1.

Now if we wanted to, we could define source addresses. So if we wanted to say only the 10.1.10 network or any other particular address range that we want to allow, if that's where that's going, because you might have lots and lots of subnets that are being learned through dynamic routing from these different particular areas, and if that's the case then you would want to mitigate which particular subnets you don't want to reach the internet. Not everything in the enterprise environment needs to have internet access, so keep that in mind if you are looking at a deployment. But right now we are going to say any traffic from the inside zone to the outside zone, and the traffic will be going out the ethernet1/1 interface towards the internet. So that's the original packet, and we're basically saying anything. We could be very specific if we wanted to be, but we're not going to; we're basically going to say whatever traffic is sourced is going to be sent.

Now the Translated Packet, where we want to do this: it's going to be a source address translation. Again, we're focusing on the inside traffic, so we don't want to mess around with a destination address translation, right? We want to make sure we specify source, because that's where the traffic will be coming from, is from the inside. We're modifying the source IP from 10.1.10 over to a 101 IP. So what I'm going to do is... the translation type, there's a couple of them. You have Static IP, which is going to be a one-to-one mapping. So for example you could map an internal IP address of 192.1... actually, let me whiteboard this little piece out because this can be a little tricky to follow. So the static IP here: static means that you're going to do a static mapping from, let's say, 192.168.21.63 to 101.0.0.63, for example. Regardless of what happens, this communication going back and forth will always be on, so this is a static entry in the NAT table; it's always going to be there. So if traffic comes from the outside and hits this IP, it's going to be sent in this direction to this internal IP; if traffic from this particular IP is going outbound, it'll be NATted over to this particular IP, okay?

You have Dynamic IP. This will be a scenario very similar to that of an overlapping address range. So what will end up happening is, if you have a 10.1.10.0/27, you're going to map this to a 101.0.0.1 range, and you're going to say dot zero... well, you could use dot zero, but in most cases you're not going to. We'll say from 1 through 31, well, actually let's say 30, and over here will be 1 through 30 for the last type for the IP addresses. It'll be an overlapping mapping, right? So you'll have communication going back and forth and you'll open up IPs and go that route, so basically it's a dynamic allocation. The last one, Dynamic IP and Port, will basically be the concept of port address translation, where you're saying I'm going to map everything from a 10.1.10.0/24 over to 101.0.0.10, and you're going to map everything over there, and you're going to be using TCP and UDP port numbers to basically generate new sessions. And this is the one we're going to be dealing with right here, at least for right now. Then we'll deal with static NAT, static source NAT, then we'll deal with a destination-based NAT and go from there. That's how all this stuff comes into play. Pretty straightforward stuff.

But we're going to be dealing with this guy right here. We're going to choose this, and it asks what is going to be the translated address. Right now we're actually going to come down here to Interface Address. The interface address that we're going to choose is going to be ethernet1/1, and if we hit the drop-down it's going to map to this IP. Again, this is basically saying anything from the original packet, so in this case your 10.1.10, although we're not isolating it down to that; there's only one subnet now. When we go a little bit further along and we start to add in more and more connections on the back end, so we'll add in loopback addresses on these routers when we get to dynamic routing... or no, we haven't gotten to that part yet, but when we get to more complicated designs with NATting and allowing traffic to go back and forth, we'll add in those things and you'll see multiple subnets coming in from a particular interface. That's where, on the original packet, defining where the source is coming from will be important, because then you might actually have to dictate what those are, because it might not always be the case... the server might not always be physically connected to the firewall. You might be using dynamic routing where the server might be five, six hops away from the firewall and buried in the DMZ somewhere, and you need to allow communication from the outside to the DMZ server, and that's going to be one of those things you'd have to take a look at. So just keep that in mind. So that's basically where we're going. Destination address translation, we're not messing with that. We're going to click on OK, so this is going to provide us the port address translation.

So we look through here, and we'll see how this all comes into play and all that good stuff. So I'm actually going to click here, Columns, and I'm going to uncheck Tags, I'm going to uncheck Modified and Created, and we're going to get rid of the original packet Service because we don't care about that. The translated packet Translation we can keep. So we should be good to go there; we'll be able to scroll back and forth. The next thing that I want to go do is I need to go over here to the security policy and I need to create a new policy. I'm going to call this "internet nat", and in this case here I'm also going to say the policy is going to be an interzone policy. The source zone will be inside and the destination zone will be outside. The application, we're going to say, is whatever; service is going to be whatever; action is going to be allow, and we're going to click on OK. And that's basically what we're doing: we're basically saying allow any traffic from the inside zone to the outside zone. We don't care about the address, we don't care about the user; we're going to just allow it to come through and be translated over, and everything should work just fine.

So you can see that that comes down here. We can always put this higher up if we wanted to and go that route. So, let's go ahead and actually do that: we're going to scoot this guy to the very top. So now he is at the very top of the list, and then the more specific routes, technically speaking... because this is going to be inside-to-outside, traffic from the inside to the DMZ or traffic from the inside to somewhere else in the network that's internal wouldn't even touch this one; they would be bypassed to process ID, or sequence number, two or four or what have you. What I'm also going to do is I'm going to come in here on this particular one, the test one; I'm going to go ahead and delete it, yes, because we don't need to have it there. I'm going to go ahead and commit that config. I'm going to commit it again, and I'm going to pause the video until the process has been completed.

All right, so our policy has been applied. I'm going to go ahead and close that out, go back to the Monitor session tab, and we're going to go ahead and open up Windows 10-1 again. Go ahead and pull this guy up; I'm going to get out of the way and we're going to close this guy out for the time being. Now you'll notice that the internet connection still says that it's down, there's no internet access. But if we do an ipconfig, we have IP address information, right? If we ping quad 8... but we can't bring Google, right? Or, I'm sorry, we can't ping the IP address of the firewall because it'll drop it. I'm going to go ahead and ping it, and that should allow me to go out to the internet, and I don't know if you noticed this, but as time has progressed it's allowed it to go out. So I'm going to come back over here to this guy, and now we have all kinds of communication going outbound. So now it says Windows license is valid for 90 days, and our ping to quad 8 works, so we should be able to ping google.com and that should work as well. So we're able to do DNS resolution, which is a great thing. So I should be able to pull up Internet... or Microsoft Edge, and I should be able to point to google.com. Give that a couple seconds to launch and all that good stuff. I'm going to go ahead and close out the Windows firewall because I don't need that there. I'm going to click in here and google.com, and give that a couple seconds to do its thing, and it should be trying to go out to Google. Let's go ahead and bring this guy over so we can see it better, and we're going to resync it up, and we can see web-browsing has kicked in, so that's going inside to outside. Everything looks good there. Come over here to the Policies tab, on the security policy, if we scroll across here we can see... it's going to take a little bit of time for it to actually happen, but you'll start to see a bunch of hit counts starting to work. And guess what, ladies and gentlemen, we have Google pulled up on our web page on our PC behind the Palo Alto firewall.

So that, ladies and gentlemen, is how you go about doing a source NAT configuration. You first need to create the NAT entry and then you need to create the security policy that allows the traffic. That's pretty much it for source NAT. We're going to take a look at a static NAT as well and go through those details as well. Until next time, guys, thanks so much for stopping by and hanging out with me, and we'll catch you guys in the next video.
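Editor's added example (not from the video or the channel): the same two steps the video performs in the GUI, expressed as PAN-OS CLI set commands, followed by the checks a practitioner would run before trusting the rule. Zone names inside/outside, interface ethernet1/1, Dynamic IP and Port translation to the interface address, and the interzone allow-any security rule are taken from the video; the rule name internet-nat (the video uses "internet nat" with a space, which would need quoting on the CLI), the test host 10.1.10.10 and the 8.8.8.8/UDP 53 test flow are assumptions for illustration.

```text
# Added example: PAN-OS CLI equivalent of the GUI steps in the video.
# Assumed: zones "inside"/"outside", interface ethernet1/1, rule name
# "internet-nat", test host 10.1.10.10, destination 8.8.8.8.

configure

# 1. NAT rule. Original packet: inside -> outside, egress ethernet1/1,
#    any source/destination. Translated packet: source translation,
#    dynamic IP and port (PAT), using the address on ethernet1/1.
#    No destination translation.
set rulebase nat rules internet-nat nat-type ipv4
set rulebase nat rules internet-nat from inside
set rulebase nat rules internet-nat to outside
set rulebase nat rules internet-nat to-interface ethernet1/1
set rulebase nat rules internet-nat source any
set rulebase nat rules internet-nat destination any
set rulebase nat rules internet-nat service any
set rulebase nat rules internet-nat source-translation dynamic-ip-and-port interface-address interface ethernet1/1

# To NAT only one subnet instead of "any" (the video's advice for
# networks where not every subnet should reach the internet):
# set rulebase nat rules internet-nat source 10.1.10.0/24

# 2. Security rule. The NAT rule by itself does not permit anything;
#    traffic still needs an explicit allow. Interzone inside -> outside,
#    any application and service, as configured in the video.
set rulebase security rules internet-nat rule-type interzone
set rulebase security rules internet-nat from inside
set rulebase security rules internet-nat to outside
set rulebase security rules internet-nat source any
set rulebase security rules internet-nat destination any
set rulebase security rules internet-nat source-user any
set rulebase security rules internet-nat category any
set rulebase security rules internet-nat application any
set rulebase security rules internet-nat service any
set rulebase security rules internet-nat action allow
set rulebase security rules internet-nat log-end yes

# 3. Move the security rule to the top of the rulebase, as in the video.
move rulebase security rules internet-nat top

commit
exit

# 4. Checks (operational mode). Which NAT rule and which security rule
#    a DNS query from the assumed test host would hit, then the live
#    sessions for that host so the translated source can be confirmed.
test nat-policy-match from inside to outside source 10.1.10.10 destination 8.8.8.8 protocol 17 destination-port 53
test security-policy-match from inside to outside source 10.1.10.10 destination 8.8.8.8 protocol 17 destination-port 53 application dns
show session all filter from inside to outside source 10.1.10.10
```

The two policy-match tests are the quickest way to tell a NAT problem from a security-policy problem when a host cannot get out: if the first returns the rule and the second does not, the NAT rule is fine and the allow rule is missing or ordered below a deny. Note that the security rule matches on the pre-NAT source address (the 10.1.10 host, not the translated interface address), which is why it is written against the inside zone and the original addresses rather than the translated ones. The allow-any application and service settings reproduce the lab from the video; in a production rulebase the application list would be narrowed and the service set to application-default.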
Info
Channel: Rob Riker's Tech Channel
Views: 1,291
Keywords: palo alto, palo, alto, firewall, security, nat, internet, source, access
Id: Y1z9m_nacBQ
Length: 14min 30sec (870 seconds)
Published: Tue Sep 01 2020