
Saturday, May 22, 2021

DMZ / INSIDE Server Access Through PaloAlto via Static Source NAT

Though this is a simple concept, I believe it deserves a note because it is a bit confusing which IP to use in the firewall policy. This is the method used in PaloAlto and other perimeter firewalls when you want to give internet users access to an internal server via a public IP.




Imagine 10.1.1.10 and 10.1.1.11 are public IPs and 10.1.1.10 is the IP address of the firewall's physical interface.

Users from the internet should be able to ping 10.1.1.11, which represents the DMZ server 100.2.2.10.

First, let's make sure the DMZ server can access the internet with the NAT IP 10.1.1.11.

Go to Policies > NAT and configure the NAT rule like the following:





This is a simple static (one-to-one) NAT rule with the bi-directional option enabled.
The DMZ server IP (source IP) 100.2.2.10 is translated to the public IP 10.1.1.11.
This NAT rule alone is enough for the server to access the internet as 10.1.1.11; of course there must also be a normal allow Security Policy from DMZ to OUTSIDE, with basic routing in place.

Now let's give access to the 100.2.2.10 server from OUTSIDE via 10.1.1.11 with a Security Policy.
Go to Policies > Security:




The point to remember is that the destination address in this Security Policy is the public IP (10.1.1.11), not the server's real IP.

Keep in mind:

The Security Policy is evaluated first, then the NAT Policy, and then Routing.
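The same NAT rule and Security Policies expressed as PAN-OS CLI `set` commands, added here as an example and not taken from the post's screenshots. The rule names and the zone names DMZ and OUTSIDE are assumptions; the addresses are the ones used above.

```text
# Added example (configure mode). Rule names and zones DMZ / OUTSIDE are assumed.

# 1. Static (one-to-one) source NAT, bi-directional:
#    DMZ server 100.2.2.10 <-> public IP 10.1.1.11.
#    "bi-directional yes" makes the firewall also translate inbound traffic
#    sent to 10.1.1.11 back to 100.2.2.10, so no separate destination NAT rule is needed.
set rulebase nat rules DMZ-SVR-STATIC from DMZ to OUTSIDE
set rulebase nat rules DMZ-SVR-STATIC source 100.2.2.10 destination any service any
set rulebase nat rules DMZ-SVR-STATIC source-translation static-ip translated-address 10.1.1.11
set rulebase nat rules DMZ-SVR-STATIC source-translation static-ip bi-directional yes

# 2. Inbound Security Policy for ping from OUTSIDE to the server.
#    Destination address is the public (pre-NAT) IP 10.1.1.11;
#    destination zone is the zone where the server really lives (DMZ).
set rulebase security rules OUTSIDE-TO-DMZ-SVR from OUTSIDE to DMZ
set rulebase security rules OUTSIDE-TO-DMZ-SVR source any destination 10.1.1.11
set rulebase security rules OUTSIDE-TO-DMZ-SVR application ping service application-default
set rulebase security rules OUTSIDE-TO-DMZ-SVR action allow

# 3. Outbound Security Policy so the server itself can reach the internet.
#    Here the source is the server's real (pre-NAT) IP.
set rulebase security rules DMZ-SVR-TO-OUTSIDE from DMZ to OUTSIDE
set rulebase security rules DMZ-SVR-TO-OUTSIDE source 100.2.2.10 destination any
set rulebase security rules DMZ-SVR-TO-OUTSIDE application any service application-default
set rulebase security rules DMZ-SVR-TO-OUTSIDE action allow

commit

# Checks after commit (operational mode). 203.0.113.5 is a constructed internet client.
# > show running nat-policy
# > test security-policy-match from OUTSIDE to DMZ source 203.0.113.5 destination 10.1.1.11 protocol 1
# > show session all filter destination 10.1.1.11
```

If the inbound rule does not match in `test security-policy-match`, the usual cause is a rule written against 100.2.2.10 instead of 10.1.1.11, or a destination zone of OUTSIDE instead of DMZ.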
