topic Public IP's and DMZ in General Topics

Public IP's and DMZ

mgross — Tue, 16 Oct 2012 18:07:45 GMT

I am currently setting up a DMZ using a class C address range provided by my ISP. So far I have an untagged interface built connected to a switch and a VR built.

Example:

I have the subnet 10.10.10.0/24

I set interface G1/2 with address 10.10.10.1/24

I have a VR with a route 10.10.10.0/24 destination int G1/2 next hop address 10.10.10.1

I have a laptop with an address 10.10.10.10 I do not want this to NAT but use the address I assigned to it out of the class C range provided by my ISP.

So far I can ping my .1 gateway but haven't been able to get any farther.

Re: Public IP's and DMZ

mgross — Tue, 16 Oct 2012 20:07:21 GMT

After further research I have yet to resolve the issue but was wondering if I would have to build any NAT policy to accommodate this.

Re: Public IP's and DMZ

bvandivier — Wed, 17 Oct 2012 00:44:09 GMT

Since interface ethernet1/2 is directly connected to the 10.10.10.0/24 subnet with an address of 10.10.10.1 specifying a static route for this network in your virtual router is superfluous and therefore should not be necessary.

You will need to configure NAT to allow the 10.10.10.10 host outbound access to public IP space. The following tech note covers PAN-OS NAT examples in detail.

https://live.paloaltonetworks.com/docs/DOC-1517

Re: Public IP's and DMZ

mikand — Wed, 17 Oct 2012 09:25:43 GMT

What you normally do (at least by my experience) is that you setup whats called a linknet between you and your ISP.

This linknet is normally a /30 network such as 10.0.0.1 is ISP and you are 10.0.0.2.

The ISP will then route 10.10.10.0/24 with nexthop 10.0.0.2 (your equipment).

While you have a default route (0.0.0.0/0) pointing towards ISP at 10.0.0.1.

This gives that your WAN interface will have 10.0.0.2/30 as ip adress, your (public) DMZ interface will have 10.10.10.1/24 (this will be the defgw for the DMZ-servers) and your (private) LAN interface will have 192.168.0.1/24 (or whatever floats your boat 😉 )

If this 10.10.10.0/24 is actually a public ip range then you wont need any nating in your PA for traffic going WAN <-> DMZ.

But you will need SNAT (Source NAT) for traffic going LAN -> WAN (mot not necessary for LAN <-> DMZ).

If you for some reason needs to allow WAN -> LAN you do this with preferly portforwarding using DNAT (Destination NAT) - depending on if its a single port you need to allow or a full ip address.

A workaround for above in case your ISP refuse to setup a linknet is to use the PA in VWIRE mode.

Setup eth1 as VWIRE towards ISP and eth2 VWIRE towards DMZ.

Then setup eth3 as regular L3 interface towards ISP and eth4 as L3 towards LAN.

This way the PA will "switch" traffic between ISP and DMZ while on eth3 it will be a single host on the same network (to SNAT the LAN-clients).