PaloAlto/Firewall
[PaloAlto FW-#5]- SNAT Configuration
someday network expert
2024. 12. 3. 17:53
안녕하세요.
이번에는 30.1.1.1 PC가 외부에 인터넷이 가능 하도록 설정해 보겠습니다.
토폴로지는 아래와 같습니다.
1. INT_Router를 설정 하도록 하겠습니다.
| en conf t ho INT_Router int g0/0 ip add 192.168.10.92 255.255.255.0 no sh int g0/1 ip add 10.1.1.1 255.255.255.0 no sh int g0/2 ip add 20.1.1.1 255.255.255.0 no sh ip route 0.0.0.0 0.0.0.0 192.168.10.253 |
2. Check INT_Router
| Router#show ip int brie Interface IP-Address OK? Method Status Protocol GigabitEthernet0/0 192.168.10.92 YES manual up up GigabitEthernet0/1 10.1.1.1 YES manual up up GigabitEthernet0/2 20.1.1.1 YES manual up up GigabitEthernet0/3 unassigned YES unset administratively down down Router# Router#show ip route Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP a - application route + - replicated route, % - next hop override, p - overrides from PfR Gateway of last resort is 192.168.10.253 to network 0.0.0.0 S* 0.0.0.0/0 [1/0] via 192.168.10.253 10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks C 10.1.1.0/24 is directly connected, GigabitEthernet0/1 L 10.1.1.1/32 is directly connected, GigabitEthernet0/1 20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks C 20.1.1.0/24 is directly connected, GigabitEthernet0/2 L 20.1.1.1/32 is directly connected, GigabitEthernet0/2 192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks C 192.168.10.0/24 is directly connected, GigabitEthernet0/0 L 192.168.10.92/32 is directly connected, GigabitEthernet0/0 Router# |
3. ping 8.8.8.8
| Router#ping 8.8.8.8 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms Router# |
4. INT_Router에서 SNAT를 설정 합니다.
| int g0/0 ip nat outside int g0/1 ip nat inside int g0/2 ip nat inside access-list 1 permit any ip nat inside source list 1 interface g0/0 overload |
5. Test - Source를 변경해서 외부로 Ping를 하면 제대로 동작 합니다.
| INT_ROUTER#ping 8.8.8.8 source g0/1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds: Packet sent with a source address of 10.1.1.1 !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/5 ms INT_ROUTER#ping 8.8.8.8 source g0/2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds: Packet sent with a source address of 20.1.1.1 !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/7 ms INT_ROUTER# |
6. Router에서 NAT table test
| INT_ROUTER#show ip nat translations Pro Inside global Inside local Outside local Outside global icmp 192.168.10.92:3 10.1.1.1:3 8.8.8.8:3 8.8.8.8:3 icmp 192.168.10.92:4 20.1.1.1:4 8.8.8.8:4 8.8.8.8:4 INT_ROUTER# |
이제 PaloAlto에서 확인해보겠습니다.
1. Static route를 설정합니다.
2. Add를 클릭 합니다.
3. GW01를 설정합니다. Metric 10
4. GW02를 설정합니다.
5. NAT를 설정합니다.
6. 이번에는 SNAT02를 만듭니다.
7. Policy를 설정합니다
7. VPC 에서 Ping 8.8.8.8 시도 합니다.
| VPCS> ping 8.8.8.8 84 bytes from 8.8.8.8 icmp_seq=1 ttl=55 time=30.465 ms 84 bytes from 8.8.8.8 icmp_seq=2 ttl=55 time=6.784 ms 84 bytes from 8.8.8.8 icmp_seq=3 ttl=55 time=7.433 ms 84 bytes from 8.8.8.8 icmp_seq=4 ttl=55 time=6.824 ms 84 bytes from 8.8.8.8 icmp_seq=5 ttl=55 time=6.570 ms VPCS> |
방화벽에서 Policy 그리고 NAT hit count 확인
지금까지 PaloAlto에서 SNAT에 대해서 알아보았습니다.
글을 읽어주셔서 감사합니다.