Palo Alto Networks PCNSE Topic: Network Address Translation Part 1
December 14, 2022

1. Understanding Dynamic NAT and port

We’re going to start talking about network address translation. Network address translation is used to preserve IPv4 addresses, which are basically running out. It’s recommended to go to IPV 6. There’s a section for IPV 6. So we’re going to talk specifically about IPV 4. The next allows you to conserve IP addresses that are public IP addresses and allows you to connect the private IP range, which is referred to as RFC 1918, to publicly routable IP addresses on the internet. So RFC 1918 is for private addresses that are not routing on the internet. And the ranges are 10, 8172, and 160 when you are connecting your internal devices. So this is the inside of the LAN, and this is the outside. Then there’s a firewall on the inside. RFC 1918 private IP address ranges are typically used, and RFC 1918 addresses are assigned to your devices. However, to get to the internet, you have to have a publicly or audibly broadcast IP address.

So in order for us to achieve this, the firewall does something called “Network Address Translation.” So what network address translation allows the firewall to do is hide your private IP address (RFC 1918) behind a public IP address that’s assigned by your service provider. In this manner, your internet traffic can be routed. Traffic from the inside going to the internet will be basically hidden behind the net IP address of the public IP address of the firewall’s outside interface. This is referred to as a “dynamic network.” dynamic net with overload, basically overload Why overload? Because I can have 1000 machines here, all of which are hidden behind this public IP address through which the firewall connects to the service provider. So in dynamic net you would have the firewallhiding your IP address behind a single IP. So the internal RFC 1918 will be hidden behind a single IP address, and that single IP address will basically translate all the traffic going from the inside to the internet. This is a one-way net, meaning that it’s one too many. So I have this one IP address, singleIP, and then I have many machines here that are hidden behind that single IP address. However, this is a single-direction net, meaning that it only allows you to hide net traffic going from inside out or dynamic outbound traffic behind a single IP address. So you cannot host the servers on that IP address.

So you can’t usually host the servers; I mean, you can have a static net, which is what we’re talking about here. So how did this magic happen here? By hiding the IP address behind the single public IP address. So basically, what the dynamic network does is create TCP sessions and UDP sessions; UDP is stateless, TCP is stateful, and in the case of either TCP or UDP, the actual conversation between two TCP hosts will have a client, and this is the server. When the client communicates with the server, it picks a TCP port, and that TCP port is a random port. And this random port is any port from this IP range between 1024 and 6535. And, in essence, it will initiate the connection, which will have a source port, say 1025, and a destination port, which could be 443 in the case of an SSL server. The actual client here has a private IP address, let’s say 170, 216, 61, and 20. I’m using ones that we’re going to be using in our lab. And then it’ll use random port 1025 to connect to a Google IP address, a Google web server, say eight portfolio, three. The firewall is in the centre of this diagram. And then there’s the private IP range, followed by the public cartable address. Assume the public street address is 1111, 2nd Avenue.

So the firewall would use the port you have configured as a source port and then your IP address. So it’s going to do this one: 7216, 120, port 1025. It’s going to basically translate it into the public IP address. Eleven, 1111, two, and then a random port in the year 2025, correct? So your source port will be effectively hidden and changed to a port that the firewall will store in a database. So you connect to the server. Your IP address Now on the server, Google would see you coming in from eleven, 1111, 2025.So you connect to the server, your IP address is changed to the interface’s public IP address, and then the 2025 here, and then the Google server responds back using its own source port, which is now 443. And the response and destination port would be 2025; the source port would be the source IP, which is 8 by 8 by 8. And this is the finished port: eleven, 11:11, two. So this piece here is called the client-server to server.And then this is from server to client. And we’re going to see this when you do the show session. Now the firewall gets that packet, the return packet, and then basically looks up its database and says, “Oh, 2025 belongs to the host.” 170, 216, and 120 Oh, I’m going to go ahead and ship it out. Change the destination port to be 172, 16, or 120, and then send it out to the client for it to get received. So the firewall plays the role of translating the source of the traffic and then translating the reply to the source. It does that. And this is called the dynamic network.

There are some other things that the firewall does besides just doing port translation. There are protocols that require the firewall to intervene in the connection. and one of them is FTP. When you try to get from the client to the server, you have a client, and the client tries to get a file from an FTP server. The client would request a file from the FTP server. And what happens is the client picks a random port, like 1050, for example, and it sends the request to the FTP server on port 21. and this is called the control connection. So the firewall sits in the middle here. It might change the source port to 2050, change the private IP address to the public IP address, and then send it to the FTP server. The file had now been requested. So in TCP, you have a three-way handshake. This would happen. The client talks to the server, the server talks to the client, and the firewall in between here translates the traffic. But there are two types of sessions: FTP, where you have control, which is basically the client requesting the file from the server. And then now we have the data connection. The file needs to be translated and downloaded to the client. So what happened in that case? There are two types of FTP. There are two modes: active and passive.

So in the case of active mode, the client requests from the server that if you want to send me a file, send it on this other port, like 1070. And when the FTP server starts to transfer the file, it’s going to send the file back to the client. The firewall here sits in the middle. It has to translate that request for the port that the FTP server would send the file to, change that and the FTP request, keep it in mind, and then change it to 2070. Right. And then the client will request 1070, the firewall will change that, and the request from the client to the server will change to 2070. Then it will essentially wait and listen for the file to be sent to 2070. And then once the FTP server starts sending the file, the firewall knows that this belongs to this session and sends the file to the private IP address of the client on port 1070. So this active mode requires the firewall to do some work. The firewall’s job is to act as an application layer gateway. There are multiple protocols that require intervention from the firewall by changing the ports and the communication so that it can basically send the data back to the appropriate client and then listen to the conversation and send it to the appropriate client. So the application-layer gateway functionality is used by the net devices. And, of course, one of them is the ability to fix what’s known in the CiscoASA world as picking up the conversation to ensure that the applications are not broken. That’s an example. So this is a TCP. We talked about TCP. What about UDP? UDP also requires the firewall to do the port translation, right? because you could have so many different clients. You have the firewall here, and you have different clients inside who might send the UDP request.

And that UDP request might be coming from the same port; let’s say UDP port 1100. And this client happens to send 1100 as well. So in the case of UDP, the firewall translates the source port the same as TCP. The only distinction between UDP and TCP is that TCP is stateful, whereas UDP is not. So what happens is that the firewall sits in the middle and listens to the UDP conversation and then does the same translation. So you have two clients with the same port source that are sending requests, and the firewall wouldn’t need to translate those two different ports. So here, it’s going to translate this from this client to UDP port 1200. And for this client, it’s going to change this to port 1300, and then it’s going to send the request out and then wait for the response from the server. And then, once the response from the server comes in, it’s going to repackage the response and send it out to the client. So the UDP is the same thing. So there’s also the UDP application-level gateway, and some of the protocols that require the firewall to intervene are Sip, just an example of a protocol that requires the firewall’s therapy. So in the case of a dynamic network, you can have a public IP address, and that public IP address can technically handle as many as 60. So you have ports, and the ports are starting from 1024 to 65 535.

And so you can have up to 60,060,5000 sessions, not IP addresses. What if you’re exceeding 64,000 sessions? In that case, you need to do something called a “dynamic net pool.” “Hey, use 111111 three through 111111 five,” you tell the firewall. So you would have 64,000 sessions. So you have three, four, and five. And the firewall will basically start translating the communication between the private and the public. Consume 64,000 sessions from the first IP address before moving on to the next. So that’s called the “dynamic net pool.” So there are two types of dynamic net: dynamic net relying on one IP address, which could be the IP address of the firewall, or it could be any IP address you have that you can specify, or dynamic net pooling that allows you to extend the number of sessions that can be supported by the firewall. In the case of communications that exceed 64,000 sessions, they exceed the limitation of one IP address. So the firewall basically starts translating some sessions to this IP, then some sessions to this IP, and some sessions to this IP. So that’s dynamic, and we’re going to see how to configure this in the lab.

2. Dynamic NAT and port configuration examples

We’re going to start configuring the net in the lab to kind of see how things work and get more details on net configuration. This is the unit lab file. We have an ISB router, which connects my home network to the bridge network. And then you have Ethernet. one on ISP one that connects to ISP two. And then this is Two has three interfaces. Each interface is in a different DRF, and we have Ethernet One and one for Service Provider One. Ethernet one, ISP two, Ethernet two. Ethernet one. Three. Three ISPs out of four This is the default VRF, VRFISB 2, and VRF ISB 2 ISP 3 configuration. The IP address of this interface is 11111, 222, 22, 22, 233, 33, 33 two. And I’m going to post the configuration of this router and this router’s unit lab file there. And then you have this: Ethernet One connects to One, Ethernet Two connects to Two, and Ethernet Three connects to Three. Then I have this for the inside zone (Ethernet 1-5) and this for the DMZ zone. And here I added the Ubuntu server that we’re going to be using for testing. And that Ubuntu server has two Ethernet interfaces, one connected to the inside and one connected to the DMZ. And this is for me to save on CPU processing on the box that I have when I want to test inside Nets; I’m going to shut down this interface. And then when I test DMZ, I’m going to shut down this interface. This router here does network address translations so that I can basically give access to that entire setup over the Internet.

I’ve connected the Pallet of Firewall to the management interface and assigned it an IP address for management. The IP addresses are then basically configured for the Ethernet for the appropriate zone. Those three zones are in the wind zone. Those three interfaces, I’m talking about, are in the wind zone. This interface is in the inside zone, and this interface is in the DMZ zone. This IP address is 170, 217, 1124. This IP address is 170, 216, 1124. So I’m going to upload to this lecture the Tar file for the configuration of uniclab, the configuration of ISP One, the configuration of ISP Two, and the configuration of the Paulo Firewall. So this way, it’s easy for you to replicate it when you create a bunch of servers. You can watch Unit Lab videos online that basically show you how to create a server. I’m basically provisioning a VM virtual machine on the unit lab and configuring it to boot from the Ubuntu ISO file, installing Ubuntu, and then installing the Ubuntu-specific software. Here I have a Windows machine, and here I have another Windows machine. That Windows machine is connected to three different interfaces. It’s connected to Ethernet. One is connected to the DMZ; Ethernet Two is connected to the inside router; and Ethernet Zero is connected to the inside interface. This way, I can shut down an interface at a time and test things in each segment and also test things behind the inside router. So the inside router is basically sitting like this. You have the Ethernet; this is the inside interface on the Polo firewall, and then I can have another segment here. So I’m going to create another segment called 24.

This way, I can test stuff that is not on the same segment of the firewall. So you want to take a seat? The server is right here. And then I can use the Windows machine to test any one of those segments, including something that’s not on the same interface that’s not on the same broadcast domain as the firewall itself. Because I want to show you a couple of things that are issues with the Internet that you need to be aware of. Let’s take a look at the management interface for the firewall. Okay, so on the interfaces for the Palo Firewalls, I have Ethernet representing the Internet connection. The DMZ is Internet 172, 17 1124, and Ethernet 5 is 172, 16 1124. And then under Policies, under Policies Net, we’re going to create a net entry that we’re going to use with the dynamic net now to basically hide the traffic from the inside segment behind the public IP address of the Ethernet one one.So we’re going to call this net “dynamic,” and we’re going to specify the source zone, which is inside the destination zone, and then the destination interface. You do not have to specify any interface; it’s outbound, and you’re not tying into a static net entry.

We’ll see this when we create staticnet entries and specify ethernet one, any, and service any, and then any protocol, any service is translated against that. And then we’ll specify dynamic IP import followed by interface address; we’ll hide it behind the interface address, and the interface address is Ethernet. We’re going to select the IP address of the interface, which is Ethernet too. So that’s that. So now, basically, the dynamic net would rely on one critical thing: the default route, because that’s going to dictate how the traffic is going to be routed. So those three ISPs are going to be in the “virtual router default,” which is the default virtual router. And then we’re going to have a default static route. A default static route would send traffic exiting it out. Ethernet One One sends in traffic for which it has no specific route for any Internet service or Internet IP address; it will send it out. Ethernet One We’ll have a default route that specifies anything for which you don’t have an IP address range. Send it out Ethernet one at a time, using the nexthop, which is the ISP router’s IP address.

that is eleven (11) So the default route would be zero, and that’s going to be exiting out Ethernet 1, and then the next hop would be eleven dot eleven dot eleven dot one. So if you look at the virtual router configuration, you have to have the virtual router steering the traffic where it needs to go. So under “Network Virtual Router,” if we click on “default,” this is the default. By default, you have a default virtual router, and all the interfaces are there when you create the interface youput it in by default it’s there.But you can create additional virtual routers. And we’re going to see this in the routing topic. We are going to create a static route. We are going to create a default route. I’m going to call this name the default route for ISP 1, and the destination is zero. The egress interface should be ethernet one, and the next hop should be 1111 one. And then, for the time being, under policies, we’ll add under security policies, sorry, security policies. We’ll add dynamic outbound traffic and then specify from zone inside to destination, when, and service. We can have a rule for each service. So, for example, let’s create a rule for application web browsing and SSL and SSL.And then we’re going to call this the traffic web. And we are going to create another rule for DNS. The source is contained within the destination, when, and application DNS. Okay. And then we’ll make the commitment. And here I have a Windows machine; the Windows machine’s Ethernet zero is on the same land segment as the Ethernet one-five, the inside interface of the Firewall. So, basically, I’m going to use a static IP address and then configure the Ethernet interface by configuring network interface properties. We’re going to give it an IP address on that segment. 172, 16, dot one, dot ten five to 50, 172, 16, dot one, dot one. And then I’m going to add a DNS server. Click okay. Click okay. So now we should be able to ping the commitment, so we should be able to ping Google.com.

And there you have it. So let’s take a look at the firewall sessions. So we see the ping here. If we go to show session ID 50, we see that the client-server flow is 7216, 110. That’s the Windows machine destination and eight source ports. This is the IP address. So it really doesn’t have a source board, but it creates a kind of pseudo-source board to track the session. And then, if we see here that the net rule is net dynamic, let’s go back. The rule application is “ping.” The rule is “enter zone default,” which means I didn’t do something correctly when I didn’t add a ping. So let me add a ping. So I made the enter zone default to allow, so I’m going to go ahead and add ping to this rule. This is how we interpret the rule. So while this is going on, let’s go ahead and open our Google web browser and go to @yahoo.com here. So let’s do a show session. All we see are some SSL sessions. An example of a session ID 167 is Session 167. The client to server address is 170, 216, 110, destination; that’s the public IP address source port; that’s the source port that the client chose, which is a port greater than 1024. And then the destination port is trying to reach that web server on port 443 for the client. You see here that the server client’s source is the IP address of the public web server. Destination is the IP address of the public IP address of the firewall, which is 11, 1111, 2.

The source port is going to be the source port of the server responding. However, as you can see, the destination port is 36, 7, 2, 3. That means the firewall changed the port, the client-server source port, from 1096 to 36, 7, 2, 3. Like we explained in our previous lecture, the rule that is matching is outbound traffic web.The net rule is then net dynamic. So that shows you the actual configuration of the dynamic network. It’s pretty straightforward. So there are two steps that happen. The first step is the firewall getting the packet. It looks at the virtual router and determines what the default route is, and then the default route dictates what interface is going to exit out. And then it’s going to check the policy, the net policy, to determine if there’s a match for that traffic. And then also, it’s going to check the security policy to determine if this traffic is allowed, and if it is, it’s going to go ahead and send it out. That’s how the session is going. And then you can see the translation that we described in the previous lecture showing up here. The firewall switches the source port to a random port and then tracks the session based on traffic. When traffic returns to that random port, it’s going to send it back to the IP address device that initiated the connection in the first place.

So that’s basically the dynamic network. So, we talked about dynamic netting and dynamic netting pools. So the dynamic net can support up to 64,000 sessions. But what if you have more than 64,000 clients who may require more than 64,000 sessions? In that case, we’re going to create a dynamic IP pool. So we are going to change the translated address from address type—from interface address to translated address. And then we’re going to specify an address or address group. so you can specify an address group. That means it’s going to choose between those addresses. So we’re going to say, “Well, let’s call this ISP One Pool,” and then we’re going to add IP addresses here. We’re going to create another address called ISP One Three, ISP One Eleven Four, and ISP One IP 311 1111 Four. So we’re using a pool of addresses, and then we’ll click okay, so ISP pool, and we’ll select that. So let’s see what happens. Now we’re going to go ahead and commit, and then let’s go to a different website. Let’s wait until the committers first commit it. We’ll go ahead and go to CNN.com, and let’s take a look and see the sessions.

So we see that some web browsing sessions show session ID 205. All right, so here I picked the first IP address in the pool. If I were to initiate enough sessions to exceed those 64,000, it’s going to start using the next IP down. Then it maps as if the client’s original source port was eleven five. This was mapped. So if you get an exam, a screenshot like this, and you can basically identify which was the source port and which was the translated source port, because that’s what’s going to show up in the destination port, that’s what you’re looking for. Then we see that the matching rule is the same on the traffic web. Furthermore, the net rule is net dynamic. The egressinterface is ethernet, and the egress interface ethernet is determined by finding the route. If you don’t have specific routes in your firewall, it’s going to choose the default route, which basically sends it out. Ethernet one, with 1111 one as the next hop. So I’m going to post the unitlab file for this, followed by the configuration of ISP1 and ISP2, and I’ll leave the Palo Firewall alone so you can practise configuring it. This way, you can do it yourself. It’s pretty straightforward, but at least you will have the unit left over to create everything. You also have the ISP one. ISP two.

3. Dynamic NAT and port Egress Interface Multipe ISP consideration

We want to expand on one topic that I mentioned. And what I mentioned in the previous lecture is that when you do a dynamic net, the first thing that the Palatifier would do is find the eager interface, and basically it would net the traffic against that eager  that eager intSo when it does the matching for the Internet, it relies on the criteria that you specify for source destination, interface, interface, and then service.

Okay, so in the previous lecture, we specified the source zone, source zone, destination zone, and destination interface, and in our case, the previous lecture did not specify any. When we did not specify that we set any for the destination zone, the source zone is inside the destination zone, and so on. So this is fine if there is only one interface in the zone; however, if there are multiple interfaces, you must specify. So let’s take an example. You have to specify the destination interface. So let’s take an example. On a firewall that has multiple ISPs, you have ISP 1, Ethernet 1, ISP 2, Ethernet 1, and you can have multiple ISPs beyond that. So in that case, I don’t specify any, and that interface goes down, and the traffic attempts to leave ISP 2, and I specify the interface, the dynamic pool of eleven 1111 2, and then this eleven 1111 x belongs to ISP 1. If I don’t specify the interface, then that would still match even though the traffic is going through ISP 2, and it’s going to be translated to an IP address that doesn’t exist on ISP 2, basically black-holing the traffic. So in order for us to make sure that we don’t get into that situation, if we have multiple interfaces in the same zone that we specify as the destination interface, that’s another thing.

Another limitation of the Palo Alto firewall is that when you specify dynamic IP import, the interface egress interface is used. In that case, you’d use Ethernet 1 or Ethernet 2, and you’d specify the IP address, among other things. If you specify the IP address, for example, and then the traffic goes out over Ethernet 1, it’s still going to get translated against 1111 two.Okay, so that’s something else we have to be aware of. Finally, if I have multiple ISPs and I want to create traffic, I basically want to forward traffic to the Internet using ISP one or ISP two. I need a default route, right? When you create a default route, you specify destination as zero, followed by the eager interface, interface. And then you also specify two other things: administrative distance and metric. One of the issues with the Palo Alto firewall that you have to be aware of is that when you configure it, you cannot configure two routes that are not differentiated by something. So if I have, if I want to create a five-degree interface for the second ISP, it’s Internet 1 and 2. Here the metric has to be different; otherwise, the pallautifier will not accept the configuration.

So if I have multipliers, please create multiple default routes. I’m going to specify this default route metric of 20 throughout the metric of ten. In that case, it’s going to accept it. If I try to add it without that, it’s going to reject it. So let’s see this on the left. So, as of now, you can add a multiple-source zone, referred to as the DMZ. You can have a specific source address, a destination address, or a translated address. Here we’re going to specify the dynamic IPM port. Instead of a translated address, which is a pool, we’ll use an interface address, and we’ll use Ethernet 1, 11, and 12. Okay. And then now they have multipliers. I want to create different default routes. So I have an ISP and an Ethernet connection. The following numbers are eleven, 1111, and two. 1122-22 is next on the list. So I need to add that route. So, let me go to network virtual router and add this default route called defaultisp 20 zero. 222-2221 is the next number on the list. Let’s keep the same metric and see what happens. Click okay. Okay. Oh, you need to specify the interface. You have to specify the interface, otherwise there might be another set of issues. So Ethernet 1 is the nexthub, Ethernet 2 is the egress interface, and click OK. And then click “commit.” and then commit. Let us now see if the power will reject it because it is not unique.

So you cannot have two routes with the same metric. You need to change the metric. So we’re going to go ahead and change the metric. So, statically, change the metric of this route to 20. It’s less preferred; the lower the metric, the less preferred it is. So Ethernet One is the default. Essentially, the preferred method is to most-exit out Ethernet one by one. So if Ethernet One is down, then basically it will take that route out of the picture. And then we’ll use the second route, which is 222-2221. So I’m going to go ahead and do that, and then click commit, and then commit. So, in accordance with the DMZ policy, you are now inside the destination. We specified the IP address instead of the interface when we didn’t specify it. So, even though the traffic goes outethernet one and two, the firewall continues to use 1111 and 2. So let’s see this in action. I’m going to go ahead and shut down the interface. Ethernet, one. The interface is ethernet in this case, and the default route over ethernet 1 and 2 will be used instead. So, let’s take a look at the showroute routing all routing routes command. And we see here that the default route is zero out, eastern, at one, next to eleven, 1111 one.So as soon as I shut down this interface, Shut it down and click OK; the default route has now changed to 2222 going out Ethernet next to 222-2221.

Okay, so let’s say you have a firewall and two ISPs. If the ISP connection goes down physically, then it’s going to flip the default route from zero to the other SB. Okay, now what happened? Now, if I tried to get out to the Internet, let’s see, I’m going to go back to my Windows machine here. I’m trying to get out to click on anything here, and I see here that there’s an issue. Let’s see what the issue is. I’m not getting through the internet show session at all. And if I look at the web browsing sessions, let’s pick this web browsing session here. Session 977 shows session ID 979. Sorry. Okay, so I see here, even though I’m exiting out of the Ethernet one. Oh, this is an old session. Let’s clear session all, show session all, and go ahead and try to refresh all filtersource ID 34. All right, so if we look here, even though interface Internet One is down, it’s still using that interface’s IP address. So it’s still bringing in traffic after 11:11. Two, if you look here, it’s still using that dynamic. So because I didn’t specify the interface of the network interface, that’s the issue I’m running up against.So we have to be specific about the net destination interface for dynamic networks.

So I’m going to go ahead and basically change this rule to specify the destination interface. And this is going to be the destination interface, Ethernet One one.And I’m going to go ahead and create another dynamic Ethernet. When the ISP fails, ISP2 sources within the DMZ destination zone are reached. And then the destination interface is now Ethernet, and then translate it to dynamic IP import, then interface address, and then Ethernet. You don’t have to specify the IP address; it’s still going to use the IP address of that interface. I’m aware that this is an example of doing so in the Amazon Firewall. You will basically have to leave that iPad address empty because it gets it from DCP. So let’s see if we can get in and see the new sessions now that I’ve made that change. I do a session; show session ID 1145. I see now that it’s using the correct interface IP address. So two things are happening at the same time. The first thing that happens is that routing determines which interface it exits through.

Then the net rules are matched, which are basically checked against the net policies, and it looks to see which interface it is egressing out of. So how can you tell if you’re not really sure? You can test this from the command line. You can perform a policy test and then source. Once we do 61, 50, or whatever predisposes the inside, we give it a source here, and then it’s going to be from the inside zone, inside to two interfaces: protocol SIX, destination port, port 80, and destination IP 8. Eight. So here, it says it’s matching. Okay, if we specify two Internet interfaces, one on each side, If I enter Ethernet 1, 2, it will be that. So that’s the easy way to test an app policy and figure out what exactly is getting translated if you’re not sure you can do that. So we looked at dynamic IP import; the same rules apply with dynamic IP import using a pool, the same rules apply.You have to specify the definition of the interface if you have multiple interfaces in that zone.

4. What is the difference between Dynamic IP and Dynamic IP and port with examples

So up to this point, we were talking about dynamic IP and port translation, right? Now we’re going to talk about dynamic IP translation. That is the distinction between dynamic IP and dynamic IP and port. The differences in dynamic IP and port, as we saw in the explanation a couple of lectures back, are that the actual firewall rewrites the source port to a random port. So, if the client machine’s source port was 1120, the firewall would intervene and change the source port to something random between 1024 and 65 536 in the case of dynamic IP.

And this is the reason why. Because one of the primary reasons for this is that you have a one-too-many translation, which means you have one public IP and many private IPs, okay? In the case of dynamic IP, you have a pool of IP addresses, but you want to assign each one a unique IP address. So let’s say you have a zone with 20 hosts, and you want the hosts when they get out to be translated against a dynamic IP pool. In this dynamic IP pool, the pool size is also 20 IPS. In our case, we’re going to show two hosts, or two IPS. The idea is that the firewall would basically get the source, get the communication from the source IP, start using the first IP in the pool, get the second host communicating, use the second IP in the pool, and so on until it runs out of IP addresses. So that’s basically the idea here. So in that case, what you need to configure is a dynamic IP. So let’s do that. In our case, we’re going to have the Windows machine at 170, 216, and 110, and the Ubuntu host at 170, 216, and 130. And then we’re going to create a dynamic IP. And then this dynamic IP pool will have a size of two hosts, and this will be used on a first-come, first-serve basis.

It’s going to hang on to that IP address until all the sessions time out for that IP address. So we will see now that the first dynamic IP that the rule that we created is for an ISP, and we are going to change the translation from “dynamic IP and port” to “dynamic IP.” And as soon as you do that, you have a list of IP addresses. Okay? So the IP address list is that we’re going to create a previously existing Ice Person with eleven, 1111, three, and four. So we’re going to specify that. Okay, so I’m going to go ahead and click commit. Let me clear all the sessions zero from the firewall now that I have two hosts, the Ubuntu host. And then I have the Ubuntu machine. Ubuntu is going to be the first one to communicate. So it’s going to be the one that takes the first IP address. So, let’s connect to Google and perform a Show Session ID session on everything. We see Google base session ID 27. And then, if you look there, the translation is 172 10.Oh, the interface is still down. Let me bring up the interface, the network interface up.All right, now I’m going to clear all sessions and wait for them to come in, and then let’s go ahead and run Google again. Okay, show the sessions. Show session. All Google Base sessions are visible. ID 47. Okay, so the source is 1610, and the destination is Google’s public IP address. The source port is 1640, which is translated to 11:11:04. But you notice something critical here.

One of the main things that differentiates dynamic IP import from static IP import is that the source port doesn’t change. So if you want to preserve the source port, you cannot really use dynamic IP and port; you have to use dynamic IP only. And as you can see in the client-server session, the source port was 1640. server to client, the destination port was 1640. So the source port did not change, and that’s the difference between the two. So show 170 216 Session All source filter source Let me filter the second host at 16 130.That’s the Windows server. Let me go ahead and update 130 to show session ID 246. This employs 111133, and the source port remains unchanged. The source port became the destination port. So that’s the main difference between dynamic IP import and dynamic IP. So one main thing to differentiate the two is that it’s going to be one-to-one dynamic IP. And because it’s one-to-one, I don’t need to overload the source port or change the source port’s IP address. So the size of the dynamic IP has to correspond to the size of the sources. Otherwise, if all the sources are initiating traffic and there aren’t enough IP addresses, the host that doesn’t get an IP address will not be able to communicate.

So there’s something called fallback that you create, and basically the fallback allows you to say, “Okay, I’m going to use dynamic IP for the first 20 hosts.” And then if host number 21 comes in, or in my case, if host number three comes in, I’m going to fall back to the IP address of the interface or fall back to a different pool. Okay, so let’s see that in action here. So I’ll go ahead and select dynamic, and then I’ll specify advanced dynamic IP fallback here. So I’ll fall back to an interface IP address and fall back to the interface IP address. What IP? the IP address of the interface, and then click okay. So if I click okay, now I have the show session. All I have is a session for the first host. There’s no session for the second host for this. Let me initiate the session for the second host. There’s a session for both. To trick the firewall, I’m going to change the IP address of the host. You have a unique IP address. Okay. Then I’m going to refresh. I’m going to filter by eleven. So, eleven here. Let’s see what’s in session ID 327. We see now that this is getting translated against the source IP address of the interface. And it’s doing the dynamic IP import now because, if you look at the source port here, it’s 1695, and the reverse flow destination port is 18 2 1 6. So using dynamic IP and falling back to dynamic IP import

5. Static NAT concepts and example

In this lecture, we’ll talk about static networks. Static net is a one-to-one translation between two different IP addresses. And the general idea behind static net, and typically how it’s used, is to hide a private IP address behind a public IP address, and that public IP address is going to be used to reach that private IP address. So let’s take a look at an example here. So we have the firewall, and we have a DMZ server. And that DMZ server’s IP address is 172, 6017, 150. And we have the Internet. And we want to add this behind 11, 11, and 50. So that’s a static-net situation. So in that case, we’re going to be netting one to one. As a result, any traffic sent from the DMZ server to the Internet will be routed through 1111 and 1150. The way that you create a static network is by specifying the source zone.

We say DMZ source address, which is 151, 72, 50, destination zone, which is Internet or wire in our case, destination interface, which is ethernet one in our case, which is the egress interface for the first ISP, and then you specify the static IP and IP 11, 11, and 50. In that case, when the DMZ server tries to talk to any Internet IP address, it’s trying to talk to eight eight.And what happens at port 80 is essentially the client-server flow. The source IP addresses are 170, 217, and 150, respectively, and the source port is, say, 1150. The destination IP is 8/8 and the destination port is 80. So when the firewall gets that packet, it’s going to look at the routing table to figure out how to reach the destination. And then, once it figures out how to reach the destination, it determines that this is exiting out of the Internet Zone, and Ethernet One is going to check the rules to figure out if there’s a matching rule. It’s going to find these matching rules. ays The Torres Zone is the DMZ destination zone, the source address distinction zone, and the destination interface. And then it’s going to basically translate that to the IP address source; the IP source port is not going to change because it’s a one-to-one translation. 150 destination port of origin The destination port is 80. Now the server on the Internet gets the response and sends it back because the service provider offers 1111 or 50 to a firewall.

Then the firewall would take that traffic and then look up its transition table. Look up the current session. Basically, it’s not going to look up the transition table because there’s an existing session. It’s going to look at the reverse flow. So the client-to-server flow will match up with the server-to-client flow, and then the firewall would rewrite the packet and then send it out to 170, 217, and 150, therefore completing the loop. So you have client to server and server to client communication. So what if you want to allow people from the outside to reach that server using the public IP address? Then all you need to do is check a checkbox here that says “bidirectional.” When bi-directional is set, it means that the firewall would be looking for traffic going to 1150 on any port, and then it’s going to match up the security rules to see what traffic is allowed, and then it’s going to send it out to the destination. One thing that we have to be clear on is the current rule of the security policy, which is as follows: When traffic comes into the firewall, it checks the security policy based on PreNet IP addresses, imports, IP imports, and the PostNAT Zone.

What does that mean? When we had that DMZ server and it was sending traffic from the DMZ to the outside and the internet, when you write a policy, it will be based on PreNetIP import and PreNetIP import pushnet zone. So in this case, the PreNet IP import is going to be 172, 17, 150, port, which doesn’t matter in our case. And then the destination is going to be PreNet, which is going to be the actual destination. So it’s not a big deal there. And then the zone will be DMZ to Internet; that’s understandable, but it’s not always that simple when dealing with traffic from the outside in. In that case, we allow bi-directional. So when traffic comes in from the internet to 11111150, how does the security policy need to be written? The security policy needs to be revised based on PreNet IP. So the rules will be PreNet IP, which says source IP. Because we’re making this available to the public, the destination IP will be PreNet 1111, 50, rather than one of 7217, 150. You can specify the destination port if you are restricting traffic and public access to just port 80, or you can specify port 84, 43, and so on. Then there’s the source IP and the destination IP. Now the source zone is going to be the postnatal. So, even after the Nat, the source zonepostnat is still coming from the Internet zone.

So that’s going to be the internet destination zone, which is going to be PostNet. PostNet is going to be egressing out of the DMZ interface. So that’s going to be the destination zone: DMG. So some people get tricked on that because they don’t understand this rule. So this is a critical rule to understand. For the exam, you’re going to be guaranteed to have multiple questions on those. So let’s take a look at the lab and T. So in the lab here, we have our DMG server, and we’re going to set up the port and the IP address. So I’m going to set it up here, the interface. So like I said here, I created ethernet zero and ethernet one, and ethernet one is for the DMZ, so I’m going to configure the DMZ port, the DMZ interface. So I’ll shut down if zero equals zero and shut down if configuration equals one. I’m going to configure it so that one should be 217, 150, and the netmask is 252-45250. Then I’ll configure my default route to the firewall, which is one 7217. So now you have route, default route, and default gateway 17.

So now that’s done. Now we’re going to go to the Palo Alto firewall. We’re going to specify the net policy. We basically created net dynamics from the source zone. It is located within the DMZ. So, in order for that net to function, it must be above the dynamic. So what would happen is that it would be a stoppage of play. So we’re going to create a static net for DMZ, and then the original packet is going to be DMZ. The “destination zone” is the Internet zone. Then there’s Ethernet one-on-one, and then we’re doing serviceany one-on-one. We’re going to look at that in a different lecture. Source address. We’re going to specify the source address and then translate it to be static IP 11 and 11, 11 and 50, and 11 and 50. So that’s that. And now we’re allowing traffic into the default zone as part of our policy, our security policy. So DMZ access to the outside is going to be allowed. So there shouldn’t be a problem. We’re going to go ahead and commit, commit.It’s complaining here that it shadows the DMZ rule, and it shadows because the net needs to be above. So I didn’t move it up. So that’s my fault. It’s notifying me that this is an issue. And if you notice here, my direction was not set. So I’m going to be testing static net renewal in both directions right now. So the only thing I can testify to is egress out to the Internet 161. We’re going to connect to the files so we can see the session. Let’s get it now at http://www.CNN.com/showsessions/all.html. So we see that session ID 103 is that session. And, if we look at the client-server flow, we can see that the source IP is 7217, 150, and the distinction IP is the CNN IP.

The source port is 55, 9, 7, 6, and the distinction port is 80. The server-to-client flow is the opposite direction, and the source port did not change because this is a static network. And we can see here that if the rule entries are set to deny by default, which I did, I set them to allow. And then it matches the static net DMZ. Then, on the Windows machine, I’ll proceed, and if I try to go to that 1111 and 50 address, it won’t work because there is none at 1111 and 50. So let’s take a look and see what the firewall sees here. see here The sessions 105, 200, and 202 are trying to reach 1150. If I do show session ID 105, You see here that it didn’t match any map policy at all. So that’s why the traffic is not making it to the DMG server. So you came on ingress interface ethernet one, and the destination is the interface ethernet one, because that’s where the network is working. So basically, the traffic is not getting translated. So if I go back to the firewall here and change that to bi-directional, now that server will be reachable from the internet, and we’ll see here if I do bi-directional, and then we’ll look at the security policy.

We need to create a security policy for that to specifically allow that traffic. We’ll set up the static net DMZ, and the source will be PreNet IP, which will be 11 11 11 50. That’s PreNet’s destination address, and PostNet’s destination zone is the DMZ because that traffic is making its way to the DMZ, and we’re going to leave it up just to serve HTTP. This is where we can test the HTTP service and then allow action. And then we should see that traffic matching this rule as soon as it’s still not doing anything. Okay, there you go. as soon as it was permitted The session was now identified. Now server to client and client to server are from the IP address of the Windows machine to the destination, and the destination port is 80. If we look here, it’s matching the rule for static net and the rule for staticnet DMZ, which is the security rule. And it corresponds to the Nat rule, which is the natural static net DMZ. So in the next lecture, we’ll look at other things that relate to static net.

Leave a Reply

How It Works

img
Step 1. Choose Exam
on ExamLabs
Download IT Exams Questions & Answers
img
Step 2. Open Exam with
Avanset Exam Simulator
Press here to download VCE Exam Simulator that simulates real exam environment
img
Step 3. Study
& Pass
IT Exams Anywhere, Anytime!