Use Case: Configure Active/Active HA with Source DIPP NAT Using Floating IP Addresses
This Layer 3 interface example uses source NAT in Active/Active HA mode. The Layer 2 switches create broadcast domains to ensure users can reach everything north and south of the firewalls.

PA-3050-1 has Device ID 0 and its HA peer, PA-3050-2, has Device ID 1. In this use case, NAT translates the source IP address and port number to the floating IP address configured on the egress interface. Each host is configured with a default gateway address, which is the floating IP address on Ethernet1/1 of each firewall. The configuration requires two source NAT rules, one bound to each Device ID; you configure both NAT rules on a single firewall and they are synchronized to the peer firewall.
Configure the peer firewall, PA-3050-1, with the same settings, except for the following changes:

1. Select Device ID 0.
2. Configure an HA virtual address of 10.1.1.100.
3. For Device 1 Priority, enter 255. For Device 0 Priority, enter 0.

In this example, Device ID 0 has the lower priority value, which means the higher priority; therefore, the firewall with Device ID 0 (PA-3050-1) owns the floating IP address 10.1.1.100.
Still on PA-3050-1, create the source NAT rule for Device ID 0.

1. Select Policies > NAT and click Add.
2. Enter a Name for the rule that, in this example, identifies it as a source NAT rule for Device ID 0.
3. For NAT Type, select ipv4 (default).
4. On the Original Packet tab, for Source Zone, select Any. For Destination Zone, select the zone you created for the external network. Leave Destination Interface, Service, Source Address, and Destination Address set to Any.
5. On the Translated Packet tab, for Translation Type, select Dynamic IP And Port. For Address Type, select Interface Address, so that the translated address is the IP address of the interface. Select an Interface (eth1/1 in this example) and an IP Address of the floating IP address 10.1.1.100.
6. On the Active/Active HA Binding tab, for Active/Active HA Binding, select 0 to bind the NAT rule to Device ID 0.
7. Click OK.
Create the source NAT rule for Device ID 1.

1. Select Policies > NAT and click Add.
2. Enter a Name for the policy rule that, in this example, identifies it as a source NAT rule for Device ID 1.
3. For NAT Type, select ipv4 (default).
4. On the Original Packet tab, for Source Zone, select Any. For Destination Zone, select the zone you created for the external network. Leave Destination Interface, Service, Source Address, and Destination Address set to Any.
5. On the Translated Packet tab, for Translation Type, select Dynamic IP And Port. For Address Type, select Interface Address, so that the translated address is the IP address of the interface. Select an Interface (eth1/1 in this example) and an IP Address of the floating IP address 10.1.1.101.
6. On the Active/Active HA Binding tab, for Active/Active HA Binding, select 1 to bind the NAT rule to Device ID 1.
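As an added consistency check (example code, not from the PAN-OS documentation or product), the following Python script parses the two rules as they would appear in an exported NAT rulebase and verifies the invariant the procedure relies on: the rule bound to each Device ID must translate to the floating IP address that device owns on the egress interface, and each Device ID must have exactly one such rule. The XML element layout, the rule names, and the interface name ethernet1/1 are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the two rules above, in the element layout PAN-OS uses
# for NAT rules (assumed here; compare against an exported config on your own box).
NAT_RULEBASE = """<rules>
  <entry name="SNAT-DeviceID-0">
    <from><member>any</member></from><to><member>untrust</member></to>
    <source-translation><dynamic-ip-and-port><interface-address>
      <interface>ethernet1/1</interface><ip>10.1.1.100</ip>
    </interface-address></dynamic-ip-and-port></source-translation>
    <active-active-device-binding>0</active-active-device-binding>
  </entry>
  <entry name="SNAT-DeviceID-1">
    <from><member>any</member></from><to><member>untrust</member></to>
    <source-translation><dynamic-ip-and-port><interface-address>
      <interface>ethernet1/1</interface><ip>10.1.1.101</ip>
    </interface-address></dynamic-ip-and-port></source-translation>
    <active-active-device-binding>1</active-active-device-binding>
  </entry>
</rules>"""

# Floating IP address each Device ID owns, from the HA virtual address settings.
FLOATING_IP_OWNER = {"0": "10.1.1.100", "1": "10.1.1.101"}


def check_aa_snat_rules(xml_text, owner=FLOATING_IP_OWNER, egress="ethernet1/1"):
    """Return findings for the A/A source DIPP rule pair; empty means consistent.
    Each Device ID needs one DIPP rule that translates to the floating IP it owns
    on the egress interface; otherwise return traffic for that device's sessions
    arrives at the peer firewall instead of the session owner."""
    root = ET.fromstring(xml_text)
    findings, bound = [], {}
    for entry in root.findall("entry"):
        name = entry.get("name")
        binding = entry.findtext("active-active-device-binding")
        ia = entry.find("source-translation/dynamic-ip-and-port/interface-address")
        if ia is None:
            continue  # not an interface-address DIPP rule; outside this check
        if binding not in owner:
            findings.append(f"{name}: binding {binding!r} is not a single Device ID")
            continue
        if binding in bound:
            findings.append(f"{name}: Device ID {binding} already bound by {bound[binding]}")
        bound[binding] = name
        if ia.findtext("interface") != egress:
            findings.append(f"{name}: egress interface is not {egress}")
        if ia.findtext("ip") != owner[binding]:
            findings.append(f"{name}: translates to {ia.findtext('ip')} but "
                            f"Device ID {binding} owns {owner[binding]}")
    findings += [f"no DIPP rule bound to Device ID {d}" for d in owner if d not in bound]
    return findings
```

Run it against the NAT rulebase exported from the firewall that holds the synchronized configuration; any finding points at a rule whose binding and translated address do not match the floating IP ownership set in the HA configuration.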