Configure the Linux Instances as Routers

Where Can I Use This?
What Do I Need?
  • Prisma Access (Panorama Managed)
To configure the Linux instances as routers, complete the following task.
The following task has you making iptables changes. These iptables changes do not persist across a system reboot. Palo Alto Networks recommends that you have a method to save these iptables changes so that they persist across a reboot (for example, install a Linux package that restores the saved rules at boot).
  1. Configure the Router 1 instance in VPC 1 located in mainland China.
    You can also configure Router 1 as a VM-Series next-generation firewall; these steps show a configuration using two Linux instances as routers.
    1. Open a secure CLI session with the Router 1 instance by entering
      ssh -i key-file root@instance-ip
      where key-file is the file location where you saved the key and instance-ip is the IP address of the Router 1 instance.
    2. Using an editing program such as vi, edit the /etc/sysctl.conf file and add the following line to the file, then save and close the file:
      net.ipv4.ip_forward = 1
    3. Enter
      sysctl -p
      to load the new configuration.
    4. Add iptables rules to allow this instance to accept and forward IPSec tunnel packets by creating a shell script with the name iptables-rule.sh and adding the following lines to the file, substituting router-1-private-ip-address with the private IP address of Router 1 and router-2-private-ip-address with the private IP address of Router 2.
      #!/bin/sh
      iptables -t filter -A FORWARD -i eth0 -j ACCEPT
      iptables -t filter -A FORWARD -o eth0 -j ACCEPT
      iptables -t nat -A PREROUTING -i eth0 -p udp -m udp --dport 500 -j DNAT --to-destination router-2-private-ip-address
      iptables -t nat -A PREROUTING -i eth0 -p udp -m udp --dport 4500 -j DNAT --to-destination router-2-private-ip-address
      iptables -t nat -A POSTROUTING -d router-2-private-ip-address/32 -o eth0 -p udp -m udp --dport 500 -j SNAT --to-source router-1-private-ip-address
      iptables -t nat -A POSTROUTING -d router-2-private-ip-address/32 -o eth0 -p udp -m udp --dport 4500 -j SNAT --to-source router-1-private-ip-address
    5. Save and close the file.
    6. Enter the
      chmod +x iptables-rule.sh
      command to make the file executable.
    7. Run the
      ./iptables-rule.sh
      shell script to add the iptables rules.
    8. Enter the
      iptables-save
      command to verify that the rules have been added.
  2. Configure the Router 2 instance in VPC 2 located outside of mainland China.
    1. Open a secure CLI session with the Router 2 instance by entering
      ssh -i key-file root@instance-ip
      where key-file is the file location where you saved the key and instance-ip is the IP address of the Router 2 instance.
    2. Using an editing program such as vi, edit the /etc/sysctl.conf file and add the following line to the file, then save and close the file:
      net.ipv4.ip_forward = 1
    3. Enter
      sysctl -p
      to load the new configuration.
    4. Add iptables rules to allow this instance to accept and forward IPSec tunnel packets by creating a shell script with the name iptables-rule.sh and adding the following lines to the file, substituting remote-network-service-ip-address with the Service IP Address of the Prisma Access remote network (Panorama > Cloud Services > Status > Network Details > Remote Networks > Service IP Address) and router-2-private-ip-address with the private IP address of Router 2.
      #!/bin/sh
      iptables -t filter -A FORWARD -i eth0 -j ACCEPT
      iptables -t filter -A FORWARD -o eth0 -j ACCEPT
      iptables -t nat -A PREROUTING -s router-2-private-ip-address/32 -i eth0 -p udp -m udp --dport 500 -j DNAT --to-destination remote-network-service-ip-address
      iptables -t nat -A PREROUTING -s router-2-private-ip-address/32 -i eth0 -p udp -m udp --dport 4500 -j DNAT --to-destination remote-network-service-ip-address
      iptables -t nat -A POSTROUTING -d remote-network-service-ip-address/32 -o eth0 -p udp -m udp --dport 500 -j SNAT --to-source router-2-private-ip-address
      iptables -t nat -A POSTROUTING -d remote-network-service-ip-address/32 -o eth0 -p udp -m udp --dport 4500 -j SNAT --to-source router-2-private-ip-address
    5. Save and close the file.
    6. Enter the
      chmod +x iptables-rule.sh
      command to make the file executable.
    7. Run the
      ./iptables-rule.sh
      shell script to add the iptables rules.
    8. Enter the
      iptables-save
      command to verify that the rules have been added.
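The two scripts in the procedure above differ only in which addresses go into the DNAT and SNAT rules and in whether the PREROUTING rules carry a source match. The following added example (not Palo Alto Networks' own script) folds both into one parameterised generator so the same file can be reviewed and applied on Router 1 and Router 2. It also tightens the page's blanket FORWARD ACCEPT rules to UDP 500/4500 and the replies belonging to them, which is the only traffic these routers need to relay. The function and variable names, the interface name eth0 and the addresses in the comments are assumptions; the hairpin forwarding (-i eth0 -o eth0) matches the single-interface setup the page describes.

```shell
#!/bin/sh
# Added example, not from the Prisma Access documentation. Builds (and optionally
# applies) the iptables rule set for a Linux IKE/NAT-T relay router.
#
# Usage:
#   gen_rules LOCAL_IP NEXT_HOP_IP [SRC_MATCH]     print the rules, apply nothing
#   ./this-script --apply LOCAL_IP NEXT_HOP_IP [SRC_MATCH]   apply as root, idempotently
#
#   LOCAL_IP     private IP of this router (used as the SNAT source)
#   NEXT_HOP_IP  where IKE/NAT-T packets are DNATed to: Router 2's private IP on
#                Router 1, the Prisma Access Service IP Address on Router 2
#   SRC_MATCH    optional "-s x.x.x.x/32" for the PREROUTING rules (the page's
#                Router 2 script uses it; Router 1's does not)

IFACE="${IFACE:-eth0}"   # assumption: the instance's single NIC is eth0

# Accept only dotted-quad IPv4 with octets 0-255; anything else would silently
# produce a rule that matches nothing or the wrong host.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq \
      '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])$'
}

gen_rules() {
    local_ip=$1; next_hop=$2; src_match=${3:-}
    is_ipv4 "$local_ip" || { echo "bad LOCAL_IP: $local_ip" >&2; return 1; }
    is_ipv4 "$next_hop" || { echo "bad NEXT_HOP_IP: $next_hop" >&2; return 1; }

    # filter table: drop everything by default, relay only IKE (500) and NAT-T (4500)
    # plus the conntrack-tracked replies to sessions that were already accepted.
    printf '%s\n' \
      "iptables -t filter -P FORWARD DROP" \
      "iptables -t filter -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" \
      "iptables -t filter -A FORWARD -i $IFACE -o $IFACE -p udp -m multiport --dports 500,4500 -j ACCEPT"

    # nat table: DNAT inbound IKE/NAT-T to the next hop, SNAT it to our own address
    # on the way out so the reply comes back through this router.
    for port in 500 4500; do
        printf '%s\n' \
          "iptables -t nat -A PREROUTING ${src_match:+$src_match }-i $IFACE -p udp -m udp --dport $port -j DNAT --to-destination $next_hop" \
          "iptables -t nat -A POSTROUTING -d $next_hop/32 -o $IFACE -p udp -m udp --dport $port -j SNAT --to-source $local_ip"
    done
}

# Apply the generated rules; each -A is first probed with -C so re-running the
# script after a change does not append duplicate rules.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules needs root" >&2; return 1; }
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    gen_rules "$@" | while IFS= read -r rule; do
        case $rule in
            *" -P "*) $rule ;;
            *) check=$(printf '%s' "$rule" | sed 's/ -A / -C /')
               $check 2>/dev/null || $rule ;;
        esac
    done
}

if [ "${1:-}" = "--apply" ]; then
    shift
    apply_rules "$@"
fi
```

Running `gen_rules 10.0.1.10 10.0.2.10` (constructed addresses for Router 1 and Router 2) prints the seven rules to review before anything is touched; `./iptables-rule.sh --apply ...` installs them. As the page notes, the rules still do not survive a reboot: after verifying with `iptables-save`, persist them with the distribution's mechanism (for example `iptables-save > /etc/iptables/rules.v4` with the iptables-persistent package on Debian/Ubuntu, or the iptables-services package on RHEL-based systems).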