One Internet line, multiple interfaces

L2 Linker

One Internet line, multiple interfaces

Hi everyone,

In my scenario I have one Internet line (10 MB) and I have 5 zones configured in the PA, each zone for a different purpose, for example (IPsec - Internet - Email). My questions:

1- How can I provide Internet to multiple zones with multiple services?

2- How many public IP addresses are required for this scenario?

 

L7 Applicator

Re: One Internet line, multiple interfaces


@MFayez wrote:
1- How can I provide Internet to multiple zones with multiple services?

With a NAT rule where you configure your Internet-facing interface as the translated source address.


@MFayez wrote:

2- How many public IP addresses are required for this scenario?

It depends on how many servers you need to make available and, even more important, what services they offer. For example, if you have the PA as VPN gateway, one email server and one web server, then you only need one public IP. In case you have multiple web servers and all expose their websites on ports 80 and 443, then you either need one address for each of them, or you place a reverse proxy in front of them and then you still only need one IP, as the reverse proxy forwards the requests to the appropriate server based on the URL.

L2 Linker

Re: One Internet line, multiple interfaces

Hi,

Thanks for the answer.

If I have one PA device for this example, will this work ....

L4 Transporter

Re: One Internet line, multiple interfaces

Why do you need a zone for each service?

Rob

L7 Applicator

Re: One Internet line, multiple interfaces

I think you have the wrong idea of zones. Zones are collections of interfaces/subnets that we write policies against.

In the policy we specify the specific services and ports, not in the zones.

 

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
L7 Applicator

Re: One Internet line, multiple interfaces

@pulukas

What is wrong when @MFayez wants to separate the servers from each other with zones? It does not necessarily mean that he understood something wrong about the concept of zones. (Especially if you maybe don't have a lot of servers but a firewall with enough capacity for zones.)

L2 Linker

Re: One Internet line, multiple interfaces

[Image: Current Setup] [Image: New Setup]

L2 Linker

Re: One Internet line, multiple interfaces

For the new setup:

How many public IPs do we need?

How will NATting work for the interfaces?

L4 Transporter

Re: One Internet line, multiple interfaces

What "IP" service ports are being connected to by each application? If none of them overlap, then 1 public IP will do.

You also don't need to use 4 physical connections to the router (you could tag VLANs into one single port).

Rob

L7 Applicator

Re: One Internet line, multiple interfaces

Typically this is how you would be looking at your public-facing services.

How many different public IP addresses do you need and for what services? Then add one for the PAN. You then request from your ISP the appropriately sized subnet for that need; in your case it looks like you will need either a /29 or a /28.

This gets delivered on the ISP device facing your PAN. You use one of these addresses on the PAN.

This is now your untrust zone.

You now organize your publicly facing resources into risk groups and create the multiple zones and private networks to support them, or if the risk is similar they can all go into one DMZ zone. These are the inside interface(s) of your PAN with zone assignments.

Now you create your NAT rules pointing each IP address from the ISP scope at the matching internal address of the server providing the public service. And write the security policies needed for the inbound and outbound communications for each server.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
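The planning steps in the last reply, together with Rob's point that one public IP suffices when no two services share a port, as an added worked example that is not part of the thread: the server inventory, the "PUBLIC-IP-n" placeholders and the assumption that the ISP gateway consumes one address of the delivered block are all constructed here.

```python
from typing import Dict, List, Tuple

# Constructed inventory (not from the thread): name, internal IP, public TCP ports.
SERVERS = [
    ("mail",  "10.0.2.10", [25, 443]),
    ("web-1", "10.0.3.10", [80, 443]),
    ("web-2", "10.0.3.11", [80, 443]),
    ("sftp",  "10.0.4.10", [22]),
]
Binding = Tuple[str, str, int]  # (server name, internal IP, public port)

def assign_public_ips(servers) -> List[List[Binding]]:
    """First-fit grouping: a server shares a public IP only if none of its ports
    is already bound there, because port-based destination NAT needs exactly one
    owner per (public IP, port). Servers that clash on 80/443 each cost an extra
    address (or a reverse proxy, as the thread notes)."""
    groups: List[List[Binding]] = []
    for name, addr, ports in servers:
        for group in groups:
            if {p for _, _, p in group}.isdisjoint(ports):
                group.extend((name, addr, p) for p in ports)
                break
        else:
            groups.append([(name, addr, p) for p in ports])
    return groups

def smallest_prefix(hosts_needed: int) -> int:
    """Shortest /n whose usable host count (2**bits - 2) covers hosts_needed."""
    bits = 1
    while (1 << bits) - 2 < hosts_needed:
        bits += 1
    return 32 - bits

def plan(servers) -> Dict:
    """Service IPs + 1 for the PAN untrust address + 1 for the ISP gateway
    (assumption: the ISP router takes an address in the same delivered block)."""
    groups = assign_public_ips(servers)
    # Outbound: every inside zone hides behind the untrust interface address.
    rules = ["snat: inside zones -> untrust interface address (dynamic-ip-and-port)"]
    # Inbound: one destination NAT per (public IP, port) onto the matching server.
    for i, group in enumerate(groups, 1):
        for name, addr, port in group:
            rules.append(f"dnat: PUBLIC-IP-{i}:{port} -> {addr}:{port} ({name})")
    return {"service_ips": len(groups),
            "prefix": smallest_prefix(len(groups) + 2), "rules": rules}

if __name__ == "__main__":
    result = plan(SERVERS)
    print(f"{result['service_ips']} service IPs -> request a /{result['prefix']}")
    print("\n".join(result["rules"]))
```

With the constructed inventory the two web servers collide on 80/443, so three service addresses plus the PAN and gateway fit in a /29; every rule line still needs a matching security policy from untrust to the server's zone.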