topic Re: L3 install issue - two internet lines of L3 mode installation on same networks in General Topics

L3 install issue - two internet lines of L3 mode installation on same networks

willstech — Thu, 31 Mar 2011 08:09:28 GMT

Hi all.

One of demo customer has two internet lines from same ISP and same network.

PA appliance runs on V-wire mode behind L3 office router at now.

But, customer wants to change network like attached file therefore, PA should be changed from Vwire to L3 router mode.

(Refer to attached network diagram.

Ultimately, Router will be changed to PA appliance, if the deal will get win.)

The important problem of new diagram is same networks of two internet lines.

i tried to install like below, but failed.

1. i tried to deploy L3 for each external line, but failed due to same network.

2. I tried to deploy L2 for each external line and, i was tie to VLAN for both of L2 interface.

VLAN interface has a role of L3 for external connection at this configuration. But it also failed due to network looping.

3. I tried to deploy aggregate for each external line, but failed due to aggregate link was not up.

it should be considered that NAT requirement for L3 deployment.

Regards,

Eugene

Re: L3 install issue - two internet lines of L3 mode installation on same networks

cityofkingsland — Thu, 31 Mar 2011 11:43:30 GMT

Eugene -

Have you configured the outside addresses for your nat tables yet?

I think you also might have the subnetting or the addresses wrong. For L3 connections with a /32 this is used for Point-to-point links, if you were to have a single link from the ISP. If this setup is currently working double check your subnets used.

/32 indicates PA-2020 (100.100.100.197/32) --> ISP (100.100.100.198/32)

We'll work on getting basic connectivity now:

GOTO: Objects tab and make sure you have the proper outside address in the ADDRESS menu. Make sure you are using the IP Netmask configuration with just a single IP address per config.

Policies > NAT -- make sure you have a rule saying trust to untrust you are doing source address translation. You will be doing Port and IP address translation and using the OUTSIDE address you just configured.

Under the Network tab > Interfaces do you have zones set, virtual router (internal and external interfaces need to be on the same router). Both untagged and both have a L3 interface type.

Under Network > Virtual Routers -- check your vitual router has a default route to the outside world.

Destination 0.0.0.0/0

Net hop type: IP

Next hop value: GATEWAY-PROVIDED BY YOUR ISP (100.100.100.100)

FOR doing the NAT to your web server at 10.1.1.2/32 you will do the following:

Object > ADDRESS - add your external address used for your server (100.100.100.197?)

Policies > NAT -- make a new rule.

Source zone: untrust

Destination zone: trust

Destination Address: choose the new 100.100.100.197? address you just created

service: http/https/whatever service you are using.

destination translation: translation address 10.1.1.2

translated port - can leave blank or use 80/443 if you want.

commit and be awesome.

let us know if any of this was helpful.

Re: L3 install issue - two internet lines of L3 mode installation on same networks

kbrazil — Thu, 31 Mar 2011 16:46:43 GMT

This is certainly an interesting design! I don't see two physical interfaces with IPs in the same subnet very often.

If the ISP cannot change your external addressing or you cannot use just a single outside interface, then you might try the following:

Create two Virtual Routers (You can have overlapping subnets using multiple Virtual Routers) and put each external interface into its own. Call them Default and Server. Both have a 0.0.0.0/0 route next hop of 100.100.100.100.
Create three L3 interfaces:
- Inside interface goes into Default Virtual Router, Inside zone
- .198 goes into Default Virtual Router, Public zone
- .197 goes into Server Virtual Router, Public zone
Create your NAT rules as you have defined in the diagram
- Make the Server rule static, Bidirectional
- Make the Client PC rule dynamic-ip-and-port
Create two PBF rules:
- Inbound PBF rule for the Server: from .197 interface, then send to Internal interface
- Outbound PBF rule for the Server: from 10.1.1.2/32 address, then send to .197 interface
Create an any any allow Security rule to test

Seems like this should work in theory. You are basically using normal routing for the bulk of the traffic and PBF to force the Server traffic over the other link.

Cheers,

Kelly

Re: L3 install issue - two internet lines of L3 mode installation on same networks

willstech — Thu, 07 Apr 2011 04:37:21 GMT

Hi Kelly.

thanks for your great advice but, i've been failed with your recommand way.

I will try to discuss to change network configuration with prospective customer.

Thanks again.

Regards,

Eugene.