Hey folks! I'm facing a frustrating issue with my cloud network setup using a Palo Alto VM-Series firewall in AWS. I need some advice on getting outbound internet access working properly through NAT. Here's a bit about my setup:
I've got a VPC set up with the CIDR of 10.50.0.0/16 and the following subnets: trusted (10.50.1.0/24), internal (10.50.2.0/24), untrust (10.50.5.0/24), and management (10.50.6.0/24).
The Palo Alto interfaces include:
- ethernet1/1 (internal zone: 10.50.2.252)
- ethernet1/4 (untrust zone: 10.50.5.216, attached to an Elastic IP)
- ethernet1/5 (trusted zone: 10.50.1.252)
I've set up a NAT policy from the internal, DMZ, and guest zones to the untrust zone, using dynamic IP and port source NAT to the interface IP of 10.50.5.216. My default route goes through the Palo Alto to 10.50.5.1 (the VPC router).
The issue is that when I try to ping 8.8.8.8 from an internal EC2 instance, the NAT works, as I see active sessions, but the reply doesn't come back. Strangely, the Palo Alto can ping 8.8.8.8 without any issues.
I've tried verifying my NAT policy, confirmed routing and security rules, and even deployed a NAT Gateway, but I still can't get it to work. I suspect the replies aren't routing back correctly to the translated source IP because AWS might only route them if they originate from a NAT Gateway or an Elastic Load Balancer.
Has anyone managed to use SNAT with a Palo Alto firewall in AWS without going through a NAT Gateway? Would love to hear your experiences!
1 Answer
It seems like there might be a misunderstanding about routing and EIPs in your situation. If your untrust subnet (10.50.5.0/24) has its own routing table, make sure it points to an internet gateway. Having a route that sends traffic to 0.0.0.0/0 through an IGW is crucial for getting replies back from the internet. If that's correctly set, the setup should allow the replies to come through.
Yes, it does have a route to 0.0.0.0/0 going to the IGW.
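To make the routing check from the answer (and the other AWS-side prerequisites for SNAT through a firewall ENI) repeatable, here is an added example script. It is not code from the question, the answer, Palo Alto or AWS. It assumes the dict shapes returned by `aws ec2 describe-route-tables` and `aws ec2 describe-network-interfaces` (boto3 responses use the same keys), so saved JSON can be fed to it offline; the resource ids, the public IP 203.0.113.10 and the expectation that the internal subnet's default route targets the firewall's internal ENI are constructed assumptions that mirror the setup described in the question.

```python
"""Offline check of the AWS-side prerequisites for SNAT through a firewall's ENIs.

Added example; runs over dicts shaped like `aws ec2 describe-route-tables` and
`aws ec2 describe-network-interfaces` output. Sample data below is constructed.
"""

DEFAULT = "0.0.0.0/0"


def default_route_target(route_table):
    """Return the target of the active 0.0.0.0/0 route, or None if there is none."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != DEFAULT:
            continue
        if route.get("State", "active") != "active":
            continue
        # A route carries exactly one target key; return whichever is set.
        for key in ("GatewayId", "NetworkInterfaceId", "NatGatewayId", "InstanceId"):
            if key in route:
                return route[key]
    return None


def check_untrust_path(untrust_rt, internal_rt, fw_internal_eni, fw_untrust_eni):
    """Return a list of findings; an empty list means the AWS side looks right."""
    findings = []

    # 1. Replies from the internet only reach the untrust ENI if its subnet's
    #    route table sends 0.0.0.0/0 to an internet gateway (the answer's point).
    target = default_route_target(untrust_rt)
    if not (target and target.startswith("igw-")):
        findings.append(
            f"untrust route table: 0.0.0.0/0 -> {target!r}, expected an igw-* target")

    # 2. Source NAT to the interface IP only works if a public IP (the EIP)
    #    is mapped to that private IP, i.e. an association on the untrust ENI.
    if not fw_untrust_eni.get("Association", {}).get("PublicIp"):
        findings.append("untrust ENI: no Elastic IP associated")

    # 3. Assumed design: the internal subnet hands internet-bound traffic to
    #    the firewall's internal ENI rather than to an IGW or NAT gateway.
    target = default_route_target(internal_rt)
    expected = fw_internal_eni["NetworkInterfaceId"]
    if target != expected:
        findings.append(
            f"internal route table: 0.0.0.0/0 -> {target!r}, expected {expected}")

    # 4. Both data-plane ENIs forward packets whose addresses are not their own
    #    (8.8.8.8 outbound, 10.50.2.x on the reply path); EC2 drops such packets
    #    unless source/destination checking is disabled on the ENI.
    for name, eni in (("internal", fw_internal_eni), ("untrust", fw_untrust_eni)):
        if eni.get("SourceDestCheck", True):
            findings.append(f"{name} ENI: SourceDestCheck is enabled")

    return findings


# Constructed sample data (ids and public IP are placeholders, not real resources).
UNTRUST_RT = {"RouteTableId": "rtb-untrust-example", "Routes": [
    {"DestinationCidrBlock": "10.50.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example", "State": "active"},
]}
INTERNAL_RT = {"RouteTableId": "rtb-internal-example", "Routes": [
    {"DestinationCidrBlock": "10.50.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": "eni-fw-internal",
     "State": "active"},
]}
FW_INTERNAL_ENI = {"NetworkInterfaceId": "eni-fw-internal",
                   "PrivateIpAddress": "10.50.2.252", "SourceDestCheck": True}
FW_UNTRUST_ENI = {"NetworkInterfaceId": "eni-fw-untrust",
                  "PrivateIpAddress": "10.50.5.216", "SourceDestCheck": False,
                  "Association": {"PublicIp": "203.0.113.10"}}

if __name__ == "__main__":
    for finding in check_untrust_path(UNTRUST_RT, INTERNAL_RT,
                                      FW_INTERNAL_ENI, FW_UNTRUST_ENI) or ["no findings"]:
        print(finding)
```

Against the constructed sample the only finding is that source/destination checking is still enabled on the internal ENI, which is the kind of AWS-side setting that lets NAT sessions open on the firewall while replies never reach the instance. To run it against a real account, replace the sample dicts with the corresponding entries from the two `describe-*` commands.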