<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Multiple External Interfaces in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/multiple-external-interfaces/m-p/17064#M12455</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I have a pan 4020 that will be replacing multiple firewalls.&amp;nbsp; The internet side of the firewall has a /25 network.&amp;nbsp; I have a corporate network that has an external interface of x.x.x.2/25 in the Internet zone and a guest wireless network that has an external address of x.x.x.3/25 in the Internet zone. The corporate network has an internal interface on the LAN zone. The guest wireless network has an internal interface in the guestwireless zone.&amp;nbsp; The firewall will act as the default router for hosts on the guest wireless network. My question is should I configure two virtual routers? Will having two external interfaces on the same network with separate virtual routers cause overlap issues? I don't want the guest wireless network to have the ability to route to other networks like my DMZ.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;&lt;P&gt;Bane&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Tue, 16 Feb 2010 14:04:47 GMT</pubDate>
    <dc:creator>bbraunschweig</dc:creator>
    <dc:date>2010-02-16T14:04:47Z</dc:date>
    <item>
      <title>Multiple External Interfaces</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/multiple-external-interfaces/m-p/17064#M12455</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I have a pan 4020 that will be replacing multiple firewalls.&amp;nbsp; The internet side of the firewall has a /25 network.&amp;nbsp; I have a corporate network that has an external interface of x.x.x.2/25 in the Internet zone and a guest wireless network that has an external address of x.x.x.3/25 in the Internet zone. The corporate network has an internal interface on the LAN zone. The guest wireless network has an internal interface in the guestwireless zone.&amp;nbsp; The firewall will act as the default router for hosts on the guest wireless network. My question is should I configure two virtual routers? Will having two external interfaces on the same network with separate virtual routers cause overlap issues? I don't want the guest wireless network to have the ability to route to other networks like my DMZ.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;&lt;P&gt;Bane&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 16 Feb 2010 14:04:47 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/multiple-external-interfaces/m-p/17064#M12455</guid>
      <dc:creator>bbraunschweig</dc:creator>
      <dc:date>2010-02-16T14:04:47Z</dc:date>
    </item>
    <item>
      <title>Re: Multiple External Interfaces</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/multiple-external-interfaces/m-p/17065#M12456</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;You could create two virtual routers, as you indicated. They would not communicate with each other and they could be in the same subnet if necessary, as long as you do not configure the same IP address on each router.&amp;nbsp; Another option would be to point both the corporate and wireless users to the same gateway and use your security policies to control the traffic between zones.&amp;nbsp; You may want to open a case with Support and send a diagram of your network so that they can help with your configuration.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 17 Feb 2010 00:28:24 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/multiple-external-interfaces/m-p/17065#M12456</guid>
      <dc:creator>nrice</dc:creator>
      <dc:date>2010-02-17T00:28:24Z</dc:date>
    </item>
    <item>
      <title>Re: Multiple External Interfaces</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/multiple-external-interfaces/m-p/17066#M12457</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;So the configuration that worked best for me was to have both networks egress the same interface and use security zones and policy to control the traffic. One thing I did learn is that if you have a Cisco router on the same external segment then turn off proxy ARP if you want to have two external interfaces.&amp;nbsp; This prevents the router from putting incorrect ARP entries in the ARP table.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Bane&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 17 Feb 2010 16:28:17 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/multiple-external-interfaces/m-p/17066#M12457</guid>
      <dc:creator>bbraunschweig</dc:creator>
      <dc:date>2010-02-17T16:28:17Z</dc:date>
    </item>
    <item>
      <title>Re: Multiple External Interfaces</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/multiple-external-interfaces/m-p/17067#M12458</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I think the simplest way, and what we did, was to create a separate network on another interface and use the same internet gateway for guest access. We only allowed the guest network to have controlled internet access and no access to anything else through Security Policies etc.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 21 Sep 2011 14:47:43 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/multiple-external-interfaces/m-p/17067#M12458</guid>
      <dc:creator>defjam</dc:creator>
      <dc:date>2011-09-21T14:47:43Z</dc:date>
    </item>
  </channel>
</rss>

