Configure the Linux Instances as Routers
Where Can I Use This? | What Do I Need?
  • Prisma Access (Managed by Panorama)
To configure the Linux instances as routers, complete the following tasks.
The following tasks have you making iptables changes. These iptables changes do not persist across a system reboot. Palo Alto Networks recommends that you have a method to save these iptables changes so that they persist across a reboot (for example, install a Linux package that restores saved rules at boot).
  1. Configure the Router 1 instance in VPC 1 located in mainland China.
    You can also configure Router 1 as a VM-series next-generation firewall; these steps show a configuration using two Linux instances as routers.
    1. Open a secure CLI session with the router 1 instance by entering ssh -i key-file root@instance-ip, where key-file is the file location where you saved the key and instance-ip is the IP address of the router 1 instance.
    2. Using an editing program such as vi, edit the /etc/sysctl.conf file and add the following line to the file, then save and close the file:
      net.ipv4.ip_forward = 1
    3. Enter sysctl -p to load the new configuration.
    4. Add an iptables rule to allow this instance to accept and forward IPSec tunnel packets by creating a shell script with the name iptables-rule.sh and adding the following lines to the file, substituting router-1-private-ip-address with the private IP address of Router 1 and router-2-private-ip-address with the private IP address of Router 2.
      #!/bin/sh
      # Allow forwarded traffic in and out of eth0 (the filter table blocks forwarding by default).
      iptables -t filter -A FORWARD -i eth0 -j ACCEPT
      iptables -t filter -A FORWARD -o eth0 -j ACCEPT
      # Redirect inbound IKE (UDP 500) and NAT-T (UDP 4500) packets arriving on eth0 to Router 2.
      iptables -t nat -A PREROUTING -i eth0 -p udp -m udp --dport 500 -j DNAT --to-destination router-2-private-ip-address
      iptables -t nat -A PREROUTING -i eth0 -p udp -m udp --dport 4500 -j DNAT --to-destination router-2-private-ip-address
      # Rewrite the source of those redirected packets to Router 1 so that Router 2's replies return through Router 1.
      iptables -t nat -A POSTROUTING -d router-2-private-ip-address/32 -o eth0 -p udp -m udp --dport 500 -j SNAT --to-source router-1-private-ip-address
      iptables -t nat -A POSTROUTING -d router-2-private-ip-address/32 -o eth0 -p udp -m udp --dport 4500 -j SNAT --to-source router-1-private-ip-address
    5. Save and close the file.
    6. Enter the chmod +x iptables-rule.sh command to make the file executable.
    7. Run the ./iptables-rule.sh shell script to apply the iptables rules.
    8. Enter the iptables-save command to verify that the rules have been added.
  2. Configure the Router 2 instance in VPC 2 located outside of mainland China.
    1. Open a secure CLI session with the router 2 instance by entering ssh -i key-file root@instance-ip, where key-file is the file location where you saved the key and instance-ip is the IP address of the router 2 instance.
    2. Using an editing program such as vi, edit the /etc/sysctl.conf file and add the following line to the file, then save and close the file:
      net.ipv4.ip_forward = 1
    3. Enter sysctl -p to load the new configuration.
    4. Add an iptables rule to allow this instance to accept and forward IPSec tunnel packets by creating a shell script with the name iptables-rule.sh and adding the following lines to the file, substituting remote-network-service-ip-address with the Service IP Address of the Prisma Access remote network (Panorama > Cloud Services > Status > Network Details > Remote Networks > Service IP Address) and router-2-private-ip-address with the private IP address of Router 2.
      #!/bin/sh
      # Allow forwarded traffic in and out of eth0 (the filter table blocks forwarding by default).
      iptables -t filter -A FORWARD -i eth0 -j ACCEPT
      iptables -t filter -A FORWARD -o eth0 -j ACCEPT
      # Redirect IKE (UDP 500) and NAT-T (UDP 4500) packets from Router 2's address to the Prisma Access Service IP.
      iptables -t nat -A PREROUTING -s router-2-private-ip-address/32 -i eth0 -p udp -m udp --dport 500 -j DNAT --to-destination remote-network-service-ip-address
      iptables -t nat -A PREROUTING -s router-2-private-ip-address/32 -i eth0 -p udp -m udp --dport 4500 -j DNAT --to-destination remote-network-service-ip-address
      # Rewrite the source of those redirected packets to Router 2 so that Prisma Access replies return through Router 2.
      iptables -t nat -A POSTROUTING -d remote-network-service-ip-address/32 -o eth0 -p udp -m udp --dport 500 -j SNAT --to-source router-2-private-ip-address
      iptables -t nat -A POSTROUTING -d remote-network-service-ip-address/32 -o eth0 -p udp -m udp --dport 4500 -j SNAT --to-source router-2-private-ip-address
    5. Save and close the file.
    6. Enter the chmod +x iptables-rule.sh command to make the file executable.
    7. Run the ./iptables-rule.sh shell script to apply the iptables rules.
    8. Enter the iptables-save command to verify that the rules have been added.
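The two iptables-rule.sh scripts above differ only in the addresses they substitute and in the optional source match, and both append rules unconditionally, so running a script a second time (for example from a boot hook added to make the rules persistent) stacks duplicate rules. The following script is an added example, not Palo Alto Networks' own iptables-rule.sh: it generates the same six rules from parameters, appends each rule only when an iptables -C check shows it is absent, and then dumps the rule set with iptables-save for restore at boot. The interface name eth0 is taken from the page; the save path /etc/iptables/rules.v4, the DRY_RUN variable and the sample addresses 10.0.1.10, 10.0.2.10 and 203.0.113.5 are constructed placeholders for this example.

```shell
#!/bin/sh
# Added example (not the page's own script): parameterised, idempotent version
# of the Router 1 / Router 2 iptables-rule.sh scripts, plus persistence.
# Assumptions: eth0 is the forwarding interface (as on the page); the save
# path below is a placeholder; set DRY_RUN=1 to print commands instead of
# running them, otherwise run as root on the router instance.
set -eu

IFACE="${IFACE:-eth0}"
SAVE_FILE="${SAVE_FILE:-/etc/iptables/rules.v4}"   # placeholder path

# Print one rule per line as "<table> <chain> <rule spec>".
#   $1  SNAT source: this router's private IP
#   $2  DNAT destination: Router 2's private IP (on Router 1) or the Prisma
#       Access remote-network Service IP (on Router 2)
#   $3  optional source match for the PREROUTING rules (the page's Router 2
#       script matches "-s <router-2-private-ip>/32"; Router 1's has none)
emit_rule_specs() {
  self="$1"; dest="$2"; src="${3:-}"
  src_opt=""
  if [ -n "$src" ]; then src_opt="-s $src/32 "; fi
  echo "filter FORWARD -i $IFACE -j ACCEPT"
  echo "filter FORWARD -o $IFACE -j ACCEPT"
  for port in 500 4500; do
    echo "nat PREROUTING ${src_opt}-i $IFACE -p udp -m udp --dport $port -j DNAT --to-destination $dest"
  done
  for port in 500 4500; do
    echo "nat POSTROUTING -d $dest/32 -o $IFACE -p udp -m udp --dport $port -j SNAT --to-source $self"
  done
}

# Apply the rule set idempotently: "iptables -C" returns non-zero when the
# rule is absent, and only then is the rule appended with "-A".
apply_rules() {
  emit_rule_specs "$@" | while read -r table chain spec; do
    if [ -n "${DRY_RUN:-}" ]; then
      echo "iptables -t $table -C $chain $spec || iptables -t $table -A $chain $spec"
    elif ! iptables -t "$table" -C "$chain" $spec 2>/dev/null; then
      iptables -t "$table" -A "$chain" $spec
    fi
  done
}

# Confirm the page's sysctl step took effect (1 = IPv4 forwarding enabled).
forwarding_enabled() {
  [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null || echo 0)" = "1" ]
}

# Dump the live rule set so a boot-time "iptables-restore < $SAVE_FILE" (or a
# distribution package that does the same) brings it back after a reboot.
persist_rules() {
  if [ -n "${DRY_RUN:-}" ]; then
    echo "iptables-save > $SAVE_FILE"
  else
    iptables-save > "$SAVE_FILE"
  fi
}

# Command-line entry, with constructed example addresses:
#   Router 1:  ./this.sh 10.0.1.10 10.0.2.10              # self, Router 2
#   Router 2:  ./this.sh 10.0.2.10 203.0.113.5 10.0.2.10  # self, Service IP, -s match
if [ $# -ge 2 ]; then
  forwarding_enabled || echo "warning: net.ipv4.ip_forward is not 1" >&2
  apply_rules "$@"
  persist_rules
fi
```

Run it once with DRY_RUN=1 first and compare the printed commands with the page's script for the router you are on; the only behavioural difference from the page's script is the -C check in front of each -A, which is what makes re-running it safe.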