Monday, June 17, 2019
By Charles Buege, Fuel User Group Member
Since my IT career hasn’t been a “traditional” one (by that I mean one where you wear a single primary hat: developer, security officer, network engineer, and so on), I’ve always needed to keep track of all the tricks and tips I’ve come across over the years. In that vein, I’ve created my own documentation for different broad topics (CentOS, Windows PowerShell, etc.) and organized each document into sections covering how to do something: a quick reference guide that makes my life easier. This way I can go to a single document on a given topic, search for a keyword, and get the command or instructions for something I only do once every year or two.
I’ve done the same thing with my Palo Alto Networks firewall documentation. It has sections covering different topics, so I have a single point of reference where I can find the information I don’t use often, or, in the case of this article, a series of questions that make a task I revisit from time to time easier to complete.
In this article, I’m going to share my “Deploying a NAT Policy” section: the questions and topics I ask myself every time I need to create a new NAT policy. This list of questions lets me quickly gather my thoughts around what I need this policy to do, how I am going to tackle its usage and implementation, and any other considerations I need to take into account so that I can knock out the task quickly. These questions also spare me from pulling my hair out down the road because I forgot to ask myself the one little question that would have saved me hours of debugging.
4 Things to Ask When Deploying a NAT Policy
1. Do I need a DMZ?
2. Will I need to set up a U-Turn NAT?
3. Will I need a dedicated, fully legal IP address?
4. Will I need a port redirection?
Do I need a DMZ?
First, I ask myself whether the server I’m setting up should be in a demilitarized zone (DMZ). In most cases I conclude that the server belongs in a DMZ, but there have been rare cases when it was necessary to keep a resource in an ‘Internal’ or ‘Private’ zone. While I try to avoid those situations, hardware restrictions, costs or plain physical network limitations sometimes make it necessary. Additionally, I’ve started setting up multiple DMZs when I want to segregate the servers even further from each other.
Will I need to set up a U-Turn NAT?
Second, I look at whether the server I’m setting up will need to be accessed from both inside the network and external to it. If you can reach the resource internally from one DNS entry and externally from another DNS entry, then there should be no issue accessing it from the respective addresses.
On the other hand, I have also had times where I’ve needed to access the internal server via the external address. In order to do this, I’ve had to set up a ‘U-Turn NAT’ rule. By that, I mean a rule that lets traffic go out toward the external address and then come right back in on the newly defined NAT rule. Instead of rehashing the steps to set this up, take a look at the instructions here.
Will I need a dedicated, fully legal IP address?
Third, I ask whether the newly defined server is going to need its own dedicated IP address or whether it will share the IP address of the defined external interface (or one of the defined external interfaces, if more than one is defined). Personally, I prefer to conserve the external IP addresses assigned by my ISP as much as possible, but sometimes dedicating one of those addresses to a server just becomes necessary. This also holds true when the port you want to use is already being used for another resource, for example when 80/TCP and 443/TCP on the shared address are already taken by one web server’s HTTP and HTTPS and you want to set up a second web server.
Will I need a port redirection?
Speaking of ports, the last thing I always consider is whether I am going to need to do any port translation when I’m defining the rule. I’ve had plenty of cases where we’ve got an internal resource, for example a midrange system like an IBM POWER8, with several Apache instances running on the same IP address, each on a different port. We don’t want our customers to have to remember to add ‘:8080’, ‘:18080’, or anything else, so we use port translation in the NAT rule to take care of this for us. This way the user only has to enter the URL, go to the site via HTTP or HTTPS (normally HTTPS even if authentication isn’t required), and they land on the right Apache instance without having to specify the port number.
Those are the four items that I always take into consideration when I’m developing a NAT policy. With these four questions answered, creating the NAT policy becomes much easier, and much of the policy will have written itself at this point.
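To make the U-Turn NAT and port redirection questions above concrete, here is an added Python model (not code from the article or from Palo Alto Networks) of how an ordered set of destination NAT rules rewrites a connection. The zone names, addresses and rule fields are constructed for the illustration; the public address uses the 203.0.113.0/24 documentation range.

```python
# Added illustration, not from the original article: a minimal model of
# destination NAT with port translation plus a U-turn rule for internal clients.
from dataclasses import dataclass, replace
from typing import Optional, List, Tuple


@dataclass(frozen=True)
class Conn:
    src_zone: str
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class NatRule:
    name: str
    from_zones: frozenset            # source zones the rule applies to
    dst_ip: str                      # original (pre-NAT) destination address
    dst_port: int                    # original destination port
    xlate_dst_ip: str                # translated destination address
    xlate_dst_port: int              # translated port (the "port redirection")
    xlate_src_ip: Optional[str] = None  # U-turn: also source-NAT to the firewall


def apply_nat(conn: Conn, rules: List[NatRule]) -> Tuple[Optional[str], Conn]:
    """First matching rule wins, like an ordered NAT policy.
    Unmatched traffic is returned unchanged."""
    for r in rules:
        if (conn.src_zone in r.from_zones and conn.dst_ip == r.dst_ip
                and conn.dst_port == r.dst_port):
            new = replace(conn, dst_ip=r.xlate_dst_ip, dst_port=r.xlate_dst_port)
            if r.xlate_src_ip is not None:
                # Hide the real client so the server replies via the firewall
                # instead of answering the internal client directly (assumed layout).
                new = replace(new, src_ip=r.xlate_src_ip)
            return r.name, new
    return None, conn


# Constructed sample: the public address fronts an Apache instance that listens
# on 10.10.10.5:18080 in the DMZ, so users never type the port.
RULES = [
    NatRule("web-inbound", frozenset({"Untrust"}), "203.0.113.10", 443, "10.10.10.5", 18080),
    NatRule("web-uturn", frozenset({"Internal"}), "203.0.113.10", 443, "10.10.10.5", 18080,
            xlate_src_ip="10.10.10.1"),   # assumed firewall address in the DMZ
]


def inbound_example() -> Tuple[Optional[str], Conn]:
    return apply_nat(Conn("Untrust", "198.51.100.7", "203.0.113.10", 443), RULES)


def uturn_example() -> Tuple[Optional[str], Conn]:
    return apply_nat(Conn("Internal", "192.168.1.20", "203.0.113.10", 443), RULES)
```

Both callers end up at 10.10.10.5:18080; only the internal client is additionally source-translated, which is what makes the "out and back in" path work.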