topic Re: Layer 2 Virtual Wire and Layer 3 in on PAN in General Topics

Layer 2 Virtual Wire and Layer 3 in on PAN

palomed — Sat, 24 Oct 2020 08:02:46 GMT

The network I inherited has a Cisco ASA and a PAN 3220 operating as

a virtual wire in serial. The NATs and most of the ACLs are at the ASA

while the PAN takes care of other protections such as geo blocking,

correlation alerting and so on.

{Internet}--[Edge RTR]--[ASA]--[PAN]--[L3 Switch]

I was hoping to put in another pair of PANs into our cage. But

unfortunately the racks are literally full so I can't use them.

I have lots of unused Ethernet ports on the PAN 3220.

Would it be possible to run the PAN as both its L2 vWire

and present an L3 interace to the edge and internally?

The thought would be to put rules for the L3 at the

bottom of the rule set just before the deny any.

And these would have zones L3-Outside, L3-Inside

to disambiguate. If I could even just use Global

Protect that would be a good step forward. But

the idea would be to gradually try to setup a

web server at the L3 interface.

Is this foolhardy? Any guide exist to do something

like this? Thanks for your thoughts on how to approach

it would be appreciated.

Re: Layer 2 Virtual Wire and Layer 3 in on PAN

BPry — Sat, 24 Oct 2020 16:39:05 GMT

@palomed,

There's no reason why this wouldn't work; you can absolutely have Layer3 interfaces running alongside your Virtual Wire without any issues. The nice part of this is you actually don't even have to worry about routing changes or anything bringing down the virtual wire when you're working to bring in the Layer3 interfaces, because it's just a simple virtual wire configuration. You could then also configure a GlobalProtect Portal and Gateway without issue through the Layer3 interface.

I'd follow your current plan and just get everything working to start off with, and move to slowly just get rid of the ASA and dropping the virtual wire configuration all together. The ASA isn't doing anything the PA-3220 isn't capable of doing, so unless something is broken off at the ASA level I don't see any reason to keep it or add an additional pair of PANs. Just use the PA-3220s that you already have to their full potential and you could drop the ASA all-together without having to add any additional hardware.