Getting Started — Layer 3, NAT, and DHCP

by on ‎12-07-2015 07:20 AM - edited on ‎10-05-2016 06:37 PM by (8,794 Views)

 

In the previous installment of the Getting Started video tutorials, I showed you how to set up the management interface, prepare licences, download updates, and create a first security policy on your brand new firewall. In this installment, I'm going to show you how to configure Layer 3 interfaces, make sure outgoing connections are set for Network Address Translation, or NAT, and help you create a DHCP server so clients are automatically assigned an IP address on your local network.

 

If you haven't seen the first tutorial video, please take a moment and check it out and then continue with this video.

 

 

Let's take a look at what we have and what we want to accomplish:

 

  • Router IP: 198.51.100.1
  • Firewall IP: 198.51.100.2
  • Firewall internal IP: 10.0.0.1
  • Client DHCP range: 10.0.0.50-10.0.0.250

 

Our first step will be to prepare the zones. As we've already created a little security policy last time, we can simply repurpose the existing zones and set them to Layer 3. Let's go to the network tab, and in the zones, open the properties of the trust and untrust zones, and change their Type to Layer 3.

 

Now we can do the same with the interfaces: open the properties to ethernet1/1, and change its Type to Layer 3.

You'll see that 'Virtual Wire' has now been replaced by 'Virtual Router.' Let's set that to 'Default' for now. I'll explain a bit more about this after we get there. Set the zone to 'Untrust' and move on to the IPv4 tab.

 

Here's where we configure this interface's IP address and subnet. I'll go ahead and put my external IP address in here, with a /28 subnet.

 

Click OK and move on to interface ethernet1/2, set the Virtual Router to default, the zone to Trust, move to IPv4 and set the interface to IP address 10.0.0.1/24.

 

Next, we're going to the Advanced tab and create a new management profile.

 

A management profile allows certain services to be available on a physical interface, including management functionality in case you require this. But for now, we're only going to enable 'ping' so we can ping the interface from the local network and test connectivity. Click OK.

 

We'll now go to the Virtual Router or VR. It's called a virtual router because we can configure multiple VRs that can each hold their own routing table without interfering with each other. Configuring multiple routers with separate routing tables allows you to segregate the interfaces by attaching them to different virtual routers.

 

We'll stick to the default one for now, open the properties, and go to the static routes.

 

You'll need to add a default route that allows outbound traffic to be routed to the upstream router. Click Add to create a new route, set a description, and set the destination to 0.0.0.0/0.

 

The interface will be ethernet1/1 as this is the egress interface out to the internet. The next hop will be your router's IP address—in my case, this will be 198.51.100.1.

 

Next, we'll set up DHCP. Click Add and set the interface to etherner1/2, which is the local network. We'll enable 'ping IP when allocating new IP,' as this will send out an ICMP echo request before assigning an IP address from the IP pool. The initial ping prevents overlapping IPs in the network in case a static IP address has already been assigned to another workstation. We'll set the timeout to 24 hours and create an IP pool for 10.0.0.50 to .250. As you can see, you can easily create reservations here in case you'd like to reserve a specific IP for a specific host, like a management laptop.

 

In the Advanced tab, you can configure the default gateway your clients will get, in my case that's the firewalls 10.0.0.12, subnet mask 255.255.255.0. I do not have an internal DNS server, so I will set 4.2.2.2 and 8.8.8.8 but if you do have a Microsoft or bind DNS set up internally, put its IP address here, together with any WINS or other service IP addresses you might require. If needed, you can also add some custom DHCP options.

 

Next, we're going to prepare Network Address Translation.

 

You'll first need to create a new rule. You'll need to give it a name, and under the 'Original Packet' tab, set the source zone, destination zone, and destination interface. In the Translated packet we're going to set the source translation to dynamic IP and Port, as we don't necessarily need one-to-one translation and we are going to set the address type to simply use interface ethernet1/1 and its IP for the translation. If you want, you could set a different IP here, if your ISP has provided you with a larger subnet on your internet connection.

 

One last thing stands in our way before we can finish up—we still need to remove the previosuly configured virtual wire—simply highlight the default-vwire object and click Delete.

 

Now go ahead and commit this configuration.

 

On the clients, you'll want to go ahead and clear the arp cache, as they were previously connecting to a different routing device, and refresh the DHCP lease.

 

I hope you enjoyed this video. Please feel free to leave a comment and check out our other episodes in the getting started series.

 

Ignite 2019
Ask Questions Get Answers Join the Live Community
Contributors