https://live.paloaltonetworks.com/t5/general-topics/server-with-public-ip-behind-the-firewall-without-natting/m-p/254602#M72255 <P>&nbsp;</P><P>We need to have a 1 server behind the firewall with public ip address.</P><P>We do not want private ip on the server.</P><P>&nbsp;</P><P>Firewall -&nbsp; outside zone</P><P>Server is behind the DMZ_Zone.</P><P>&nbsp;</P><P>Currently&nbsp; DMZ has sub interface with private ip address</P><P>&nbsp;</P><P>so when traffic comes from internet it will hit he firewall and hit should redirect that to DMZ zone where server has public ip address.</P><P>&nbsp;</P><P>For NAT rule i can do source and destination zone&nbsp; as outside&nbsp;</P><P>Source address any and Dest has server public ip address and no natting.</P><P>&nbsp;</P><P>For security rule same ips but dest will be dmz zone.</P><P>&nbsp;</P><P>Will this setup work?</P><P>&nbsp;</P> Fri, 22 Mar 2019 00:05:34 GMT MP18 2019-03-22T00:05:34Z https://live.paloaltonetworks.com/t5/general-topics/server-with-public-ip-behind-the-firewall-without-natting/m-p/254602#M72255 <P>&nbsp;</P><P>We need to have a 1 server behind the firewall with public ip address.</P><P>We do not want private ip on the server.</P><P>&nbsp;</P><P>Firewall -&nbsp; outside zone</P><P>Server is behind the DMZ_Zone.</P><P>&nbsp;</P><P>Currently&nbsp; DMZ has sub interface with private ip address</P><P>&nbsp;</P><P>so when traffic comes from internet it will hit he firewall and hit should redirect that to DMZ zone where server has public ip address.</P><P>&nbsp;</P><P>For NAT rule i can do source and destination zone&nbsp; as outside&nbsp;</P><P>Source address any and Dest has server public ip address and no natting.</P><P>&nbsp;</P><P>For security rule same ips but dest will be dmz zone.</P><P>&nbsp;</P><P>Will this setup work?</P><P>&nbsp;</P> Fri, 22 Mar 2019 00:05:34 GMT https://live.paloaltonetworks.com/t5/general-topics/server-with-public-ip-behind-the-firewall-without-natting/m-p/254602#M72255 MP18 2019-03-22T00:05:34Z https://live.paloaltonetworks.com/t5/general-topics/server-with-public-ip-behind-the-firewall-without-natting/m-p/254631#M72263 <P>No</P> <P>&nbsp;</P> <P>You first need to consider the firewall as a router&nbsp;</P> <P>It knows that x.x.x.x/x is on the untrust interface and it knows that a.a.a.a/a is on the DMZ interface</P> <P>If you add a server with ip x.x.x.z to the a.a.a.a/24 network, the firewall will not be able to route to it as it's routing table will demand the packets be sent to the x.x.x.x/x interface</P> <P>&nbsp;</P> <P>Your server will also not be able to communicate with any of the other servers in the DMZ, because they too know to send x.x.x.x/x to the firewall instead of an adjacent device (default route and broadcast domain)</P> <P>&nbsp;</P> <P>There are 2 solutions that I can think of (well, 3, but NAT is not an option)</P> <P>&nbsp;</P> <P>1. put the server behind a vwire that is connected to the outside router. That way your server is 'on the outside' but still protected by the vwire</P> <P>2. create layer2 interfaces and add the server to the same vlan as the untrust interface, make sure to enable intrazone security profiles</P> <P>3. NAT <span class="lia-unicode-emoji" title=":face_with_tongue:">😛</span></P> Fri, 22 Mar 2019 09:54:44 GMT https://live.paloaltonetworks.com/t5/general-topics/server-with-public-ip-behind-the-firewall-without-natting/m-p/254631#M72263 reaper 2019-03-22T09:54:44Z https://live.paloaltonetworks.com/t5/general-topics/server-with-public-ip-behind-the-firewall-without-natting/m-p/254689#M72278 <P>4.&nbsp; Put this server in it's own vlan/subnet.&nbsp; Either use a separate physical interface for it or add a subinterface on the same port as your current DMZ zone.&nbsp; Attach this interface to the applicable vRouter and add static or dynamic routing.</P> Fri, 22 Mar 2019 15:11:13 GMT https://live.paloaltonetworks.com/t5/general-topics/server-with-public-ip-behind-the-firewall-without-natting/m-p/254689#M72278 jeremy.larsen 2019-03-22T15:11:13Z https://live.paloaltonetworks.com/t5/general-topics/server-with-public-ip-behind-the-firewall-without-natting/m-p/254854#M72336 <P>MAny Thanks Reaper for answering the Question.</P><P>&nbsp;</P><P>Best Regards</P><P>Mike</P> Sun, 24 Mar 2019 22:44:35 GMT https://live.paloaltonetworks.com/t5/general-topics/server-with-public-ip-behind-the-firewall-without-natting/m-p/254854#M72336 MP18 2019-03-24T22:44:35Z