Prisma Access
Configure the Linux Instances as Routers
To configure the Linux instances as routers, complete the following task.
The task has you make iptables changes. These iptables changes do not persist
across a system reboot. Palo Alto Networks recommends that you have a method to
save the iptables changes so they persist across a reboot (for example, install
a distribution package such as iptables-persistent on Debian and Ubuntu, or
iptables-services on RHEL and CentOS, and save the active ruleset with it after
you run the scripts). Note that the iptables-save command used at the end of
each procedure only prints the active ruleset to standard output; it does not
by itself make the rules persistent.
- Configure the Router 1 instance in VPC 1, located in mainland China.
  You can also configure Router 1 as a VM-Series next-generation firewall; these steps show a configuration using two Linux instances as routers.
  - Open a secure CLI session with the Router 1 instance by entering ssh -i key-file root@instance-ip, where key-file is the file location where you saved the key and instance-ip is the IP address of the Router 1 instance. (Many cloud images disable direct root login over SSH; in that case log in as the image's default administrative user and run the commands that follow with sudo.)
  - Using an editing program such as vi, edit the /etc/sysctl.conf file and add the following line to the file, then save and close the file:
    net.ipv4.ip_forward = 1
  - Enter sysctl -p to load the new configuration.
  - Add iptables rules to allow this instance to accept and forward IPSec tunnel packets by creating a shell script with the name iptables-rule.sh and adding the following lines to the file, substituting router-1-private-ip-address with the private IP address of Router 1 and router-2-private-ip-address with the private IP address of Router 2.
    ```sh
    #!/bin/sh
    # Accept forwarded traffic in both directions on eth0.
    iptables -t filter -A FORWARD -i eth0 -j ACCEPT
    iptables -t filter -A FORWARD -o eth0 -j ACCEPT
    # Redirect inbound IKE (UDP 500) and NAT-T (UDP 4500) to Router 2.
    iptables -t nat -A PREROUTING -i eth0 -p udp -m udp --dport 500 -j DNAT --to-destination router-2-private-ip-address
    iptables -t nat -A PREROUTING -i eth0 -p udp -m udp --dport 4500 -j DNAT --to-destination router-2-private-ip-address
    # Rewrite the source to Router 1's private address so Router 2's replies return through this instance.
    iptables -t nat -A POSTROUTING -d router-2-private-ip-address/32 -o eth0 -p udp -m udp --dport 500 -j SNAT --to-source router-1-private-ip-address
    iptables -t nat -A POSTROUTING -d router-2-private-ip-address/32 -o eth0 -p udp -m udp --dport 4500 -j SNAT --to-source router-1-private-ip-address
    ```
    The two FORWARD rules accept every forwarded packet entering or leaving eth0, not only the IKE and NAT-T traffic the NAT rules handle. Restrict what can reach the instance with its cloud security group (or narrow the FORWARD rules to UDP 500 and 4500) so the router does not relay unrelated traffic.
  - Save and close the file.
  - Enter the chmod +x iptables-rule.sh command to make the file executable.
  - Enter ./iptables-rule.sh to execute the script and add the iptables rules.
  - Enter the iptables-save command to verify that the rules have been added.
- Configure the Router 2 instance in VPC 2, located outside of mainland China.
  - Open a secure CLI session with the Router 2 instance by entering ssh -i key-file root@instance-ip, where key-file is the file location where you saved the key and instance-ip is the IP address of the Router 2 instance.
  - Using an editing program such as vi, edit the /etc/sysctl.conf file and add the following line to the file, then save and close the file:
    net.ipv4.ip_forward = 1
  - Enter sysctl -p to load the new configuration.
  - Add iptables rules to allow this instance to accept and forward IPSec tunnel packets by creating a shell script with the name iptables-rule.sh and adding the following lines to the file, substituting remote-network-service-ip-address with the Service IP Address of the Prisma Access remote network (Panorama > Cloud Services > Status > Network Details > Remote Networks > Service IP Address) and router-2-private-ip-address with the private IP address of Router 2.
    ```sh
    #!/bin/sh
    # Accept forwarded traffic in both directions on eth0.
    iptables -t filter -A FORWARD -i eth0 -j ACCEPT
    iptables -t filter -A FORWARD -o eth0 -j ACCEPT
    # Redirect matching inbound IKE (UDP 500) and NAT-T (UDP 4500) to the Prisma Access Service IP Address.
    iptables -t nat -A PREROUTING -s router-2-private-ip-address/32 -i eth0 -p udp -m udp --dport 500 -j DNAT --to-destination remote-network-service-ip-address
    iptables -t nat -A PREROUTING -s router-2-private-ip-address/32 -i eth0 -p udp -m udp --dport 4500 -j DNAT --to-destination remote-network-service-ip-address
    # Rewrite the source to Router 2's private address so Prisma Access replies return through this instance.
    iptables -t nat -A POSTROUTING -d remote-network-service-ip-address/32 -o eth0 -p udp -m udp --dport 500 -j SNAT --to-source router-2-private-ip-address
    iptables -t nat -A POSTROUTING -d remote-network-service-ip-address/32 -o eth0 -p udp -m udp --dport 4500 -j SNAT --to-source router-2-private-ip-address
    ```
    Because Router 1's POSTROUTING rules rewrite the source address of the forwarded IKE and NAT-T packets to router-1-private-ip-address, confirm with tcpdump -ni eth0 udp port 500 which source address actually arrives on Router 2 before relying on the -s match in the PREROUTING rules; if the source does not match, the DNAT rules never fire and the tunnel does not come up. The packet counters shown by iptables -t nat -L -n -v tell you whether each rule is matching.
  - Save and close the file.
  - Enter the chmod +x iptables-rule.sh command to make the file executable.
  - Enter ./iptables-rule.sh to execute the script and add the iptables rules.
  - Enter the iptables-save command to verify that the rules have been added.
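The following POSIX shell script is an added example and is not part of the Prisma Access documentation or of Palo Alto Networks' own tooling. It generalizes the two per-router scripts above into one parameterized script that a practitioner can keep under version control and re-run safely after a reboot: it refuses to apply rules while any address is still an unsubstituted placeholder, enables forwarding for the running kernel, and appends each rule only if iptables -C reports it absent, so running it twice never duplicates rules. The role names router1 and router2, the show and apply subcommands, the optional source-match argument, and the sample addresses used in the usage comments are this example's own conventions.

```shell
#!/bin/sh
# Added example, not from the Prisma Access documentation: one script that
# generates and idempotently applies the NAT/forwarding rules for either
# router. Role names (router1/router2), subcommands (show/apply) and the
# optional source-match argument are this example's own conventions.

# is_ipv4 ADDR
#   Accepts only a dotted quad with octets 0-255, so an unsubstituted
#   placeholder such as "router-2-private-ip-address" is rejected.
is_ipv4() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_rules ROLE SELF_IP NEXT_HOP [SRC_MATCH]
#   ROLE       router1 or router2 (checked only to catch typos)
#   SELF_IP    this instance's private IP, used as the SNAT source
#   NEXT_HOP   router1: Router 2's private IP
#              router2: the Prisma Access remote network Service IP Address
#   SRC_MATCH  optional source address the PREROUTING DNAT rules must match
#              (the page's Router 2 script uses one; Router 1's does not)
# Prints one iptables command per line and applies nothing.
build_rules() {
    role=$1 self=$2 next=$3 src_match=""
    case $role in
        router1|router2) ;;
        *) echo "build_rules: unknown role '$role'" >&2; return 1 ;;
    esac
    if [ -n "${4:-}" ]; then src_match="-s $4/32 "; fi
    # Forwarding in both directions on eth0, as in the page's scripts.
    printf '%s\n' \
        "iptables -t filter -A FORWARD -i eth0 -j ACCEPT" \
        "iptables -t filter -A FORWARD -o eth0 -j ACCEPT"
    # IKE (UDP 500) and NAT-T (UDP 4500): DNAT inbound packets to the next
    # hop, then SNAT them to our own address so replies come back here.
    for port in 500 4500; do
        printf '%s\n' \
            "iptables -t nat -A PREROUTING ${src_match}-i eth0 -p udp -m udp --dport $port -j DNAT --to-destination $next" \
            "iptables -t nat -A POSTROUTING -d $next/32 -o eth0 -p udp -m udp --dport $port -j SNAT --to-source $self"
    done
}

# apply_rules ROLE SELF_IP NEXT_HOP [SRC_MATCH]
#   Validates every address, enables forwarding in the running kernel (the
#   /etc/sysctl.conf line is still needed for reboots), and appends each rule
#   only if "iptables -C" says it is not already present. Requires root.
apply_rules() {
    for addr in "$2" "$3" ${4:+"$4"}; do
        is_ipv4 "$addr" || { echo "refusing to apply: '$addr' is not an IPv4 address (unsubstituted placeholder?)" >&2; return 1; }
    done
    sysctl -w net.ipv4.ip_forward=1 >/dev/null || return 1
    build_rules "$@" | while IFS= read -r rule; do
        check=$(printf '%s' "$rule" | sed 's/ -A / -C /')
        $check 2>/dev/null || $rule
    done
}

# Usage (as root on the router; addresses below are placeholders):
#   sh iptables-rule.sh show  router1 <router-1-private-ip> <router-2-private-ip>
#   sh iptables-rule.sh apply router2 <router-2-private-ip> <service-ip> [<source-ip-to-match>]
case ${1:-} in
    show)  shift; build_rules "$@" ;;
    apply) shift; apply_rules "$@" ;;
esac
```

Run it with show first and compare the printed rules against the page's scripts for the router you are on; apply then produces exactly that ruleset. Because apply only adds rules that iptables -C cannot find, it is also a reasonable thing to run from a boot-time unit as a complement to a persistence package, rather than re-executing an append-only script that grows the chains on every boot.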