Setting up and troubleshooting Palo Alto U-Turn NAT with multiple Virtual Router Instances

At times you may encounter a need to have U-Turn NAT in place on your firewall to allow internal devices to access resources you host (Such as a web-server) in the same Datacenter, by using their public address. Palo Alto has a great KB article here on the subject.  Setting this up is a significant amount of work when used in a environment that is designed for multi-tenancy through the use of Virtual Routers on the PA Firewall. Below are some of my challenges and solutions.

Consider the following network design-

 

In this setup we have a Customer VM (10.5.1.18) that needs to access a resource we host in the same data-center on it’s public address (200.231.83.250). This resource is in a different VR, and also in a different security zone. The following NAT policy is installed to implement this routing,

Normally, this would work fine. However, in this setup we end up with the traffic going the wrong direction. First, let’s look at the packet dump.

The flow ends up looking like this –

 

We can see that NAT translation is working, But the packet ends up at 10.5.99.5, another router in the same VR instance that our source machine is in. This is because of our routing table for VR 1 contains the network that we are looking for (Overlapping subnets are in place between customers) –

The problem here is the fact that our translated NAT address (10.1.100.15) lies in a different virtual router (VR2). The resolution for this is to insert a PBR rule to force the egress traffic out the proper interface. In this instance, our PBF rule looks like this –

After doing this, we still need to insert routes into both Virtual Routers in the firewall to make the networks aware of each other. This can present a security risk, but we are able to lock it down with rules. The routes will look like this —

Even after doing this, you might still not have traffic passing. That’s because we need a security policy in place to allow this traffic. Looking at the following packet capture –

A great way to troubleshoot this is to use of debug packet-filters. First, set your match criteria –

“debug dataplane packet-diag set filter index 1 match source 10.5.1.18 destination 200.231.83.250”

Then, run some traffic and watch your counters.

“show counter global filter severity drop-packet-filter yes delta yes”

Using the above, we can see the reason for the drops now

We are going to need a security policy to allow this traffic to pass. To determine the exact policy needed, I like to setup a “Allow-Any” rule, determine the traffic we need to allow, then implement the rule. The final rule to allow this traffic looks like this –

To review, the following is needed when you setup U-Turn NAT on a Palo Alto Firewall, with the two host devices between in different virtual routers.

  • Nat Policy in place to translate traffic destined for the external IP of the internal device, to the internal IP.
  • Routes on each VR Instance to expose the devices to each other.
  • PBF Rule to send the traffic out the correct interfaces on the return.
  • Security Policies to allow this traffic to pass.

 

Leave a Reply

Your email address will not be published. Required fields are marked *