topic Re: One Internet line Multiple intefaces in General Topics

One Internet line Multiple intefaces

MFayez — Mon, 03 Sep 2018 21:40:10 GMT

Hi Everyone
In my sinaro i have one internet line 10 MB and i have 5 zones configured in PA my question . and each zone for different purpose for example (IP SEC - Intenet -Email)

1- how i can provide the internet to multiple zones with a multiple services

2- How many Public ip address reqiued for this sinaro

Re: One Internet line Multiple intefaces

Remo — Tue, 04 Sep 2018 01:03:19 GMT

@MFayez wrote:
1- how i can provide the internet to multiple zones with a multiple services

With a NAT rule where you configure your internet facing interface as translated source address

@MFayez wrote:
2- How many Public ip address reqiued for this sinaro

It depends how many servers you need to make available and even more important what services do the offer. For example if you have the PA as VPN gateway, one emailserver and one webserver then you only need one public IP. In case you have multiple webservers and all expose their websites on port 80 and 443, then you either need one address for each of them or you place a reverse proxy in front of them and then you still only need one IP as the reverse proxy forwards the requests to the apropriate server based on the URL.

Re: One Internet line Multiple intefaces

MFayez — Tue, 04 Sep 2018 05:23:15 GMT

Thanks for the answer

If I have one PA device for this example this work ....

Re: One Internet line Multiple intefaces

RobinClayton — Tue, 04 Sep 2018 08:04:27 GMT

Why do you need a zone for each service?

Rob

Re: One Internet line Multiple intefaces

pulukas — Tue, 04 Sep 2018 09:39:59 GMT

I think you have the wrong idea of zones. Zones are collection of interfaces/subnets that we write policies against.

In the policy we specify the specific services and ports not in the zones.

Re: One Internet line Multiple intefaces

Remo — Tue, 04 Sep 2018 10:07:48 GMT

@pulukas

What is wrong when @MFayez wants to separate the servers from each other with zones? Doed not necessary mean that he understood something wrong with the concept if zones. (Specially if you may be don't have a lot of servers but a firewall with enough capacity of zones)

Re: One Internet line Multiple intefaces

MFayez — Tue, 04 Sep 2018 10:27:28 GMT

Current SetupNew Setup

Re: One Internet line Multiple intefaces

MFayez — Tue, 04 Sep 2018 10:32:39 GMT

For the new setup

how many public IP's do we need?

how will natting work for the interfaces?

Re: One Internet line Multiple intefaces

RobinClayton — Tue, 04 Sep 2018 11:29:01 GMT

What "IP" service ports are being connected to by each application? if none of them overlap then 1 public IP will do.

You also don't need to use 4 physical connections to the router ( you could tag VLANS into one single port )

Rob

Re: One Internet line Multiple intefaces

pulukas — Tue, 04 Sep 2018 22:15:10 GMT

Typically this is how you would be looking at your public facing services.

How many different public ip addresses do you need and for what services then add one for the PAN. You request then from your ISP the appropriate subnet sized for that need, in your case looks like you will need either a /29 or /28.

This gets delivered on the ISP device facing your PAN. You use one of these addresses on the PAN.

This is now your untrust zone.

You now organize your publicly facing resources into risk groups and create the muliple zones and private networks to support them or if the risk is similar they can all go into one DMZ zone. These are the inside interface(s) of your PAN with zone assignments.

Now you create your nat rules pointing each ip address from the ISP scope at the matching internal address of the server providing the public service. And write the security policies needed for the inbound and outbound communications for each server.

Re: One Internet line Multiple intefaces

MFayez — Tue, 18 Jun 2019 08:07:40 GMT

this case still is not clear for me i will explain current setup

1- 4 router is connected phiscaly to PA and each router provide defrent services (Email , Internet , VPN)

2- PBF are configer for pass the traffice and NAT

3-One defult routur are configer for untrust zone for all services

Our reqiuerment :

1- Shift to 4 router to 1 Fiber line

@pulukas @RobinClayton @Remo

Re: One Internet line Multiple intefaces

RobinClayton — Tue, 18 Jun 2019 08:21:35 GMT

So -One router.

You no longer need PBF as you only have one route out.

You have 2x incomming SMTP so you need an IP for each on service port [25 & 587]

Everything else does not overlap in terms of service port so can use either of the IP's.

Re: One Internet line Multiple intefaces

MFayez — Tue, 18 Jun 2019 08:32:41 GMT

Okay ...

What about interface is required to create subinterface because i will user on physical line

Re: One Internet line Multiple intefaces

RobinClayton — Tue, 18 Jun 2019 08:44:41 GMT

No sub interface is necessary.

Have one interface external with the IP you want to be the primary and nat rules..

Then just have an inbound NAT for the second IP. (Untrust->Untrust)

Rob

Re: One Internet line Multiple intefaces

MFayez — Wed, 19 Jun 2019 05:59:01 GMT

Thanks @RobinClayton for your advise

I will got from ISP 6 public ip address
Should added the IP to interface !!

and it can be assigned to Zones