Use Case: Configure Active/Active HA with Source DIPP NAT Using Floating IP Addresses
This Layer 3 interface example uses source NAT in Active/Active HA mode. The Layer 2 switches create broadcast domains to ensure users can reach everything north and south of the firewalls.

PA-3050-1 has Device ID 0 and its HA peer, PA-3050-2, has Device ID 1. In this use case, NAT translates the source IP address and port number to the floating IP address configured on the egress interface. Each host is configured with a default gateway address, which is the floating IP address on Ethernet1/1 of each firewall. The configuration requires two source NAT rules, one bound to each Device ID, although you configure both NAT rules on a single firewall and they are synchronized to the peer firewall.
Configure the peer firewall, PA-3050-1, with the same settings, except for the following changes:
    Select Device ID 0.
    Configure an HA virtual address of 10.1.1.100.
    For Device 1 Priority, enter 255. For Device 0 Priority, enter 0.
    In this example, Device ID 0 has the lower priority value and therefore the higher priority, so the firewall with Device ID 0 (PA-3050-1) owns the floating IP address 10.1.1.100.
Still on PA-3050-1, create the source NAT rule for Device ID 0.
    Select Policies > NAT and click Add.
    Enter a Name for the rule that, in this example, identifies it as a source NAT rule for Device ID 0.
    For NAT Type, select ipv4 (default).
    On the Original Packet tab, for Source Zone, select Any.
    For Destination Zone, select the zone you created for the external network.
    Allow Destination Interface, Service, Source Address, and Destination Address to remain set to Any.
    On the Translated Packet tab, select Dynamic IP And Port for Translation Type.
    For Address Type, select Interface Address, in which case the translated address will be the IP address of the interface. Select an Interface (eth1/1 in this example) and an IP Address of the floating IP address 10.1.1.100.
    On the Active/Active HA Binding tab, for Active/Active HA Binding, select 0 to bind the NAT rule to Device ID 0.
    Click OK.
Create the source NAT rule for Device ID 1.
    Select Policies > NAT and click Add.
    Enter a Name for the policy rule that, in this example, identifies it as a source NAT rule for Device ID 1.
    For NAT Type, select ipv4 (default).
    On the Original Packet tab, for Source Zone, select Any. For Destination Zone, select the zone you created for the external network.
    Allow Destination Interface, Service, Source Address, and Destination Address to remain set to Any.
    On the Translated Packet tab, select Dynamic IP And Port for Translation Type.
    For Address Type, select Interface Address, in which case the translated address will be the IP address of the interface. Select an Interface (eth1/1 in this example) and an IP Address of the floating IP address 10.1.1.101.
    On the Active/Active HA Binding tab, for Active/Active HA Binding, select 1 to bind the NAT rule to Device ID 1.
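The two rules only work as intended when each one is bound to the Device ID that owns the floating IP it translates to, and when every Device ID has exactly one rule. The following added example (not PAN-OS code or Palo Alto Networks documentation) models the HA virtual addresses and the two rules from this use case as plain Python dicts and checks those invariants; the rule names and the dict layout are constructed for the example.

```python
# Added example (not from the PAN-OS documentation): a consistency check for the
# two Active/Active source NAT rules. The HA addresses and rules are modelled as
# plain Python dicts; names such as "SNAT-DeviceID-0" are constructed.

# HA virtual (floating) addresses with per-Device-ID priority. A lower priority
# value means higher priority, so that Device ID normally owns the address.
FLOATING_IPS = {
    "10.1.1.100": {0: 0, 1: 255},  # owned by Device ID 0 (PA-3050-1)
    "10.1.1.101": {0: 255, 1: 0},  # owned by Device ID 1 (PA-3050-2)
}

# The two source NAT rules, one bound to each Device ID (constructed model).
NAT_RULES = [
    {"name": "SNAT-DeviceID-0", "nat_type": "ipv4", "translation": "dynamic-ip-and-port",
     "interface": "ethernet1/1", "ip": "10.1.1.100", "ha_binding": 0},
    {"name": "SNAT-DeviceID-1", "nat_type": "ipv4", "translation": "dynamic-ip-and-port",
     "interface": "ethernet1/1", "ip": "10.1.1.101", "ha_binding": 1},
]


def floating_ip_owner(ip, floating_ips=FLOATING_IPS):
    """Return the Device ID that owns a floating IP (lowest priority value wins)."""
    prios = floating_ips[ip]
    return min(prios, key=prios.get)


def check_nat_rules(rules, floating_ips=FLOATING_IPS):
    """Return a list of problems; an empty list means the rule pair is consistent."""
    problems = []
    bound = {}  # Device ID -> name of the rule bound to it
    for rule in rules:
        name, dev, ip = rule["name"], rule["ha_binding"], rule["ip"]
        if rule["translation"] != "dynamic-ip-and-port":
            problems.append(f"{name}: translation type is not Dynamic IP And Port")
        if dev not in (0, 1):
            problems.append(f"{name}: HA binding {dev!r} is not a Device ID")
            continue
        if dev in bound:
            problems.append(f"{name}: Device ID {dev} is already bound by {bound[dev]}")
        bound[dev] = name
        if ip not in floating_ips:
            problems.append(f"{name}: {ip} is not an HA floating IP address")
        elif floating_ip_owner(ip, floating_ips) != dev:
            problems.append(f"{name}: bound to Device ID {dev} but {ip} is owned by "
                            f"Device ID {floating_ip_owner(ip, floating_ips)}")
    for dev in (0, 1):
        if dev not in bound:
            problems.append(f"no source NAT rule is bound to Device ID {dev}")
    return problems
```

Running `check_nat_rules(NAT_RULES)` on the configuration above returns an empty list; swapping the two floating IPs between the rules, or omitting one rule, produces a problem entry naming the offending rule or Device ID.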