Let me premise this post by first stating my current level of expertise. Mostly so any potential assistance can be explained at a level that I can easily grasp. I currently have a moderate understanding of most areas of networking and systems support. I had my CCNA many years ago, but have not had much related work for 5+ years. My understanding overall would probably be considered intermediate.
I am writing this post seeking guidance for my first exposure to Palo Alto equipment, as well as some other Cisco gear. I recently moved into a role where the previous (extremely talented) Network Engineer was transferred to another role. Unfortunately I will not be able to reach out to them for any assistance. As well, other technical resources in the department are limited to mostly non-network staff. Hopefully that can illustrate enough to allow enough understanding of the challenge I am up against.
So, I am trying to digest as much as I can about the PA and how they function. I'm currently faced with a few issues that I would like some clarification on. Most of which appear to be the core function of how the PA will process traffic. I'll type out a few examples of what I'm trying to resolve in a few areas of the infrastructure.
I'll try to keep zones, IPs, etc. to arbitrary values.
Zone1 needs to talk to Zone2
Zone1 subnet = 192.168.10.0
Zone2 subnet = 192.168.20.0
Zone 1 and 2 are assigned to different sub interfaces
Zone 1 and 2 may or may not be members of different virtual routers
Regarding the Security policy configuration, I think I have a basic understanding of how it functions. If I need to allow access from Zone1 to Zone2, I would create a rule similar to this.
Source Zone: Zone1
Source Address: 192.168.10.0/24 or specific IP in that subnet
User: Any
HIP Profile: Any
Destination Zone: Zone2
Destination Address: 192.168.20.0 or specific IP in that subnet
Application: Any
Action: Allow
Now, would I need to create a reverse rule for 192.168.20.0 to talk to the 192.168.10.0 network? Or would outbound connections from 192.168.10.0 be considered stateful by the PA? I would assume traffic originating from the 192.168.20.0 would need its own rule for this to work?
Now NAT, this has me confused. I can't seem to figure out the best way to establish this for internal traffic that would be crossing zones. Or more importantly, how this would be handled in a no-NAT situation. If Zone1 needs to connect to Zone2 without NAT, I'm a bit lost.
Would this NAT rule be correct? What about reverse NAT?
Source Zone: Zone1 (interface Ethernet 1/1.100)
Destination Zone: Zone2 (interface Ethernet 1/1.200)
Destination interface: Ethernet 1/1.200
Source Address: 192.168.10.0/24 or specific IP in that subnet
Destination Address: 192.168.20.0/24 or specific IP in that subnet
Service: Any
Source Translation: None
Destination Translation: None
I will have some more questions regarding Policy Based Forwarding as well. However, I would like to get these first few questions figured out first.
Thanks in advance!