Usman_Shaikh
Contributor

Domain objects in NAT policy

Hi Experts

We currently have a manual hide NAT in place for our internet traffic that translates our internal addresses to a publicly routable address on the external interface (call it eth1) of the firewall when accessing ALL non-RFC addresses.

We now have a requirement to set up NAT for Azure Microsoft peering that uses a different outgoing interface (eth2) on the same firewall that is on a different public subnet (routing is already set up using BGP for MS prefixes to go out via eth2).

Since the destination in this case is dynamic Microsoft domains only, I was thinking along the lines of using Domain objects in order to avoid creating (and then managing) individual network objects that represent Microsoft IP prefixes. However, domain objects can only be used in access policy rules and not in NAT rules; therefore I am looking for the best possible way to achieve this.

(Additionally, I would like to use a pool of translated addresses and not have to use just the interface address, due to the limitation of 65k sessions.)

Deployment: VSX on R80.10

Desired rulebase

Rule            | Original Source   | Original Destination | Translated Source (example only)              | Translated Destination
Internet-Access | Internal-Networks | Any                  | 1.1.1.1 (IP on eth1 subnet)                   | Original
Azure-Access    | Internal-Networks | <Microsoft Domains>  | 2.2.2.1 - 2.2.2.10 (IP range on eth2 subnet)  | Original
0 Kudos
3 Replies
AlekseiShelepov
Advisor

I think you need just to configure automatic NAT to use hide behind gateway setting instead of both manual NAT rules.

0 Kudos
Usman_Shaikh
Contributor

Thanks for the reply.

Since manual NAT is checked first, this would always be matched... Also, I would like to use a range of addresses instead of one.

0 Kudos
Kaspars_Zibarts
Employee

If you are in a position to upgrade to R80.20 then maybe you could use the new Updatable Objects; they have Azure as an option.

Updatable Objects in R80.20 

I haven't played with them yet and don't know if they would work in NAT.

Else, dynamic objects should do the trick; you just need to script the Azure IP updates :)

Configuring Dynamic Objects 

0 Kudos
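As an added example (not from the original thread or from Check Point), a small Python sketch of the update script Kaspars mentions: it parses Azure's published service-tag JSON (a constructed sample is embedded), converts each IPv4 prefix into the first/last address pair that a dynamic object takes, and emits only the changes needed so ranges that did not move are left untouched. The object name, the "current" ranges and the exact dynamic_objects flags are assumptions to verify against the linked dynamic objects documentation.

```python
import ipaddress
import json

# Constructed sample in the shape of Azure's published service-tag download
# (only the fields used here; the real file lists many more tags and prefixes).
SAMPLE_SERVICE_TAGS = json.dumps({
    "values": [
        {"name": "AzureCloud",
         "properties": {"addressPrefixes": ["20.36.0.0/16", "40.76.0.0/14", "2603:1000::/40"]}},
        {"name": "Storage",
         "properties": {"addressPrefixes": ["13.65.107.32/28"]}},
    ]
})

def prefixes_for_tag(service_tags_json, tag_name):
    """Return the IPv4 prefixes listed under one service tag.
    IPv6 entries are skipped because the hide-NAT pool in the thread is IPv4."""
    data = json.loads(service_tags_json)
    for entry in data["values"]:
        if entry["name"] == tag_name:
            return [p for p in entry["properties"]["addressPrefixes"] if ":" not in p]
    raise KeyError(f"service tag {tag_name!r} not found")

def cidr_to_range(prefix):
    """Dynamic objects are fed first/last addresses, not CIDR notation."""
    net = ipaddress.ip_network(prefix, strict=False)
    return str(net.network_address), str(net.broadcast_address)

def plan_update(object_name, current_ranges, desired_ranges):
    """Emit only the deltas so unchanged ranges (and the connections matched on
    them) are left alone. Assumed CLI syntax, to be checked against the
    Configuring Dynamic Objects page linked above:
        dynamic_objects -o <object> -r <from> <to> -a   (add range)
        dynamic_objects -o <object> -r <from> <to> -d   (delete range)"""
    current, desired = set(current_ranges), set(desired_ranges)
    by_start = lambda r: ipaddress.ip_address(r[0])
    cmds = [f"dynamic_objects -o {object_name} -r {a} {b} -d"
            for a, b in sorted(current - desired, key=by_start)]
    cmds += [f"dynamic_objects -o {object_name} -r {a} {b} -a"
             for a, b in sorted(desired - current, key=by_start)]
    return cmds

if __name__ == "__main__":
    # Constructed "current" state: one range already correct, one stale.
    current = [("20.36.0.0", "20.36.255.255"), ("1.2.3.4", "1.2.3.4")]
    desired = [cidr_to_range(p) for p in prefixes_for_tag(SAMPLE_SERVICE_TAGS, "AzureCloud")]
    for cmd in plan_update("Azure_MS_Prefixes", current, desired):
        print(cmd)
```

On VSX the commands have to be run in the context of the right virtual system, and the NAT rule must reference the dynamic object before the ranges have any effect.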
