topic Re: PA 200 Connected to 4G Router in General Topics

PA 200 Connected to 4G Router

Adam42 — Wed, 15 Jan 2020 08:09:13 GMT

Hi Folks,

We currently have a primary direct internet from the ISP to the Palo Alto PA-200 configured with LSVPN .

As we plan to have a secondary Internet, we want to connect the Palo Alto PA-200 with 4G Router using LSVPN as well.

The problem is the public IP address is assigned to the 4G router and we'll connect it via LAN With PA-200 as the diagram illustrates below

How can Configure the PA-200 to implement the LSVPN as a client

Cordially

Re: PA 200 Connected to 4G Router

OtakarKlier — Wed, 15 Jan 2020 15:13:58 GMT

Hello,

Does the 4G router have the ability to just pass all traffic without performing any other tasks or to be a transparent device so the PAN could have the public IP? Meaning the PA-200 should be able to make the request to the core of the LSVPN and make the connection. Is this not working as designed?

Please advise,

Re: PA 200 Connected to 4G Router

Remo — Wed, 15 Jan 2020 19:25:46 GMT

Hi @Adam42

Why is it a problem if the public IP is on the 4G router? Btw. are you sure your 4G modem has a public IP? The way I used these modems so far, they always got a private IP ln the external interface and on provider side ther is carrier grade NAT for connections towards the internet.

Anyway, for GP LSVPN you don't need a public IP on your spoke firewall. Only the hub will need a public IP to receive the connections.

Re: PA 200 Connected to 4G Router

Adam42 — Thu, 16 Jan 2020 08:04:06 GMT

Hi @OtakarKlier

Which configuration should I do to make the router works transparent in order to carry the public IP address to the firewall? If I configure the DMZ IP on the router by assigning the IP address of the interface of the firewall PA200 will make it transparent?

Which configuration should I put on the firewall (spoke)

Thank you

Re: PA 200 Connected to 4G Router

OtakarKlier — Thu, 16 Jan 2020 15:23:12 GMT

Hello,

Back in the day when i was doing this, there was a setting in the 4g router that allowed it to be transparent and it would pass the public IP to the attached device/firewall. While I dont know what or if there is that in the device you are using, you might want to reach out to the vendor and check. However like @Remo pointed out. it might not be required.

Regards,

Re: PA 200 Connected to 4G Router

Adam42 — Sun, 19 Jan 2020 08:54:54 GMT

Hi @OtakarKlier

Thank you for your answer, Well i'm using Huawei AR160 series .

The Hub administrators are requesting the public ip and its Gatway but the 4G providers has just offered One Public IP /32 With NAT .

Thank you

Re: PA 200 Connected to 4G Router

Berite — Fri, 04 Sep 2020 20:44:54 GMT

Hi there,

You just need to NAT inbound ports from the 4G router to the Palo IP. Or simpler if you just set a DMZ host on the 4G router to send all traffic to the PA.

The ISP however will need to map a public address and inbound ports as the carriers usually only allocate you a private address. I've just bought a international SIM card that does this. They basically assign me a static public address their end, and it NATs through their cell provider VPN to the private IP on my router. I need to arrange with them what ports they pass inbound (which is good as it filters out port scans etc but bad as if I want to add a new service I have to ask them)

Ports for LSVPN are tcp/443 and udp/4501

That router then NAT's all inbound to the ip on the palo alto. The palo alto is configured with a private address but it doesnt matter as long as your public IP is used for LSVPN inbound.

If this is a remote office then you don't need any of the inbound NAT's setup as its a one way connection.