topic Re: Home configuration PA-200 help in General Topics

Home configuration PA-200 help

Florin.Chirla — Thu, 12 Nov 2015 23:43:33 GMT

Hi guys,

Im new to this and im trying to install a pa-200 at home. I have managed to install it in a layer 2 configuration but i would like to install it now in a layer 3 configuration.

I have followed this article https://live.paloaltonetworks.com/t5/Configuration-Articles/Setting-Up-the-PA-200-for-Home-and-Small-Office/ta-p/61838

but without success.

Equipment

-pa-200

- isp modem

- switch

These are the settings that i get on the isp modem.

and here are some config pictures

interfaces

vlan

zones

virtual router

dhcp

Some suggestions / advice would be helpfull because im stuck.

tnx!

Re: Home configuration PA-200 help

OtakarKlier — Fri, 13 Nov 2015 00:27:46 GMT

Hello,

Looks like your default route is pointing at interface Ethernet1/1. It should be pointing to the next hop gateway. I also see that the same IP for Ethernet1/1 is he same one for your ISP router. It may help us help you if you can tell us how the two devices are connected and how they are to operate. ISP router -> PAN -> teust network or PAN ->ISP router -> trust network.

Also make sure your policies are allowing the traffic, trust ->untrust. (this is not pictured) also do you have a NAT for the internal traffic to the untrust network?

As for the layer 2 interface and layer 3vlan. that part looks OK so far.

Regards,

Re: Home configuration PA-200 help

gwesson — Fri, 13 Nov 2015 00:50:20 GMT

Your ISP modem needs to be set in bridge mode if you're going to put the firewall's external interface in L3. Both can't have the same external IP address. At least in the US, many common ISPs like Comcast and AT&T will not help you with configuration or connectivity issues if the modem is in bridge mode, so do that at your own risk (if your ISP even lets you do it).

The other option would be to set your external L3 interface to something on the modem's LAN interface, 192.168.0.1 (it's probably a /24, but that's not shown on your modem's screenshot). You'll probably want to separate your internal LAN interface with a different subnet as well, just to keep it very clear what is internal and what is external.

Hope this helps,

Greg

Re: Home configuration PA-200 help

Florin.Chirla — Fri, 13 Nov 2015 08:19:25 GMT

@OtakarKlier,

first tnx for your answer.

So i have changed ethernet 1/1 to an intern adress (192.168.0.130)

and vlan to 192.168.0.254/25

the next hop on the router is now 192.168.0.1

the configuration is ISP modem - PA-200 - switch to trust network - trust network (computers)

here are the pictures for the policies and nat rule

and also a picture of a traceroute before the firewall setup

but its still not moving 🙂

Re: Home configuration PA-200 help

Florin.Chirla — Fri, 13 Nov 2015 08:18:01 GMT

@gwesson you are right 2 devices cant have the same ip adres 🙂 so i have changed it now to an intern adress 192.168.0.130

I cant set the modem to bridged ...

And the lan interface that i get from the modem is indeed a /24

This config doesent want to work either

tnx again

Re: Home configuration PA-200 help

reaper — Fri, 13 Nov 2015 08:57:03 GMT

Hi Florin

you'll probably want to set the untrust interface to 192.168.0.x/24, default gateway routing to 192.168.0.1,the trust interface to a completely different subnet, like 10.0.0.1/24, then configure NAT and enable a DHCP server on the trust interface

please take a look at these "getting started" articles we've created to help you get on your way:

I've unpacked my firewall, now what?

I've unpacked my firewall and did what you told me, now what?

I've unpacked my firewall and want to configure VLANs — subinterfaces

I’ve unpacked my firewall, but where are the logs?

Re: Home configuration PA-200 help

Florin.Chirla — Sat, 14 Nov 2015 11:11:08 GMT

It works

tnx!

Re: Home configuration PA-200 help

mivaldi — Thu, 14 Apr 2016 01:28:58 GMT

The device you show as your modem is actually a layer3 device doing NAT.

If you want to hook up your firewall in Layer3 mode, then the Untrusted network for the firewall will be in the 192.168.0.0/24 network.

It is likely that the modem will give you an IP by DHCP in this network.

You could ignore DHCP and set your Ethernet1/1 with IP 192.168.0.2.

Add a default route in your VR making 0.0.0.0 point to 192.168.0.1

Your LAN needs to be a different subnet than 192.168.0.0/24, so make sure you configure a different one in your DHCP server.

If you ever want to make any servers visible in the outside, you will have to configure a double Destination NAT setup, forward first in your modem, or try configuring what they call a DMZ Host (all ports in UDP and TCP forwarded to a single host). The full forward should point to 192.168.0.2 (your firewall's untrust interface in Ethernet1/1). The second DNAT jump is configured in the firewall with a DNAT policy.