We have a tenant who is going to terminate their internet service and begin to use our connection. Their internet traffic will be directed to our Palo Alto, which is our internet gateway. The tenant also uses a Cisco Ironport Web Security device and insists on its continued use vs. using the services on the Palo Alto. My thought was to put the Ironport on our DMZ and via PBF, send all traffic from the tenant subnet to the Ironport. The Ironport would then return the filtered traffic to the PA and out to the internet.
Anyone familiar with the Ironport/ have any ideas of whether or not this setup is feasible?
Well, that Ironport device (even if they are best known for mail filtering) should be just like any SPI/NGFW around.
That is, in your case I would create a dedicated zone and attach that to a dedicated interface.
This interface would then have a linknet created (for example 10.0.0.1/30 or whatever RFC1918 address range you prefer) and then in the VROUTER set up a static nexthop for the range which the tenant will use out of your range.
Internet <-> PA <-> Ironport
where the link between PA and Ironport has 10.0.0.1/30 on your end and 10.0.0.2/30 on the Ironport end (as an example).
In your PA VROUTER you set up x.x.x.x/xx NEXTHOP 10.0.0.2.
The Ironport will then set up a default route towards 10.0.0.1 as nexthop.
There are of course other options around depending on your taste :-)
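As an added illustration (not configuration from the poster or from Palo Alto), here is what the routed design above looks like in PAN-OS set-format CLI. Assumed values: ethernet1/3 as the dedicated Ironport interface, a zone named ironport-link, the virtual router named default, ethernet1/1/untrust as the internet side, and 192.0.2.0/24 as a placeholder for the tenant range; the `#` lines are explanatory notes, not CLI syntax.

```text
# Dedicated layer-3 interface carrying the /30 linknet towards the Ironport
set network interface ethernet ethernet1/3 layer3 ip 10.0.0.1/30
set network virtual-router default interface ethernet1/3

# Dedicated zone so the tenant path gets its own security policy
set zone ironport-link network layer3 ethernet1/3

# Static route: tenant range is reached via the Ironport (10.0.0.2)
set network virtual-router default routing-table ip static-route to-tenant destination 192.0.2.0/24 interface ethernet1/3 nexthop ip-address 10.0.0.2

# Security policy: only the tenant range, only from the Ironport zone, out to the internet
set rulebase security rules tenant-web from ironport-link to untrust source 192.0.2.0/24 destination any application [ web-browsing ssl ] service application-default action allow log-end yes

# Ironport side (configured on the Ironport, shown here for completeness):
#   interface towards PA = 10.0.0.2/30, default route nexthop = 10.0.0.1
```

Because the tenant range is only ever expected to arrive on ethernet1/3, a source address from that range showing up on any other interface is something the zone-based rule above will drop and log, which is an easy check that the tenant is really going through the Ironport.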