12-12-2017 04:01 PM
Hi,
New here, so I hope this is the right spot for this question.
I have a router from an ISP that is giving a public /28 subnet out its LAN port (NAT off).
I can't easily replace the device for a couple of reasons.
I wish to run the traffic from this through my PA so I can apply policies to the other devices I will place on this subnet.
A Virtual Wire would work but wouldn't give me any layer 3 control, as I understand it.
I tried an ingress and egress interface in a test virtual router, but this can't work because the subnets overlap.
Any ideas?
Thanks
Peter
12-12-2017 04:24 PM
You could put all the devices behind the PAN and NAT them through it. Put all the public IPs on the firewall and use rules for incoming traffic.
Definitely not the only option, but it would be a good way of controlling all the traffic. This would require:
* Security Policies
* NAT Policies
* Internal & External Zones
* Private IP subnet (DHCP or no)
Internet <--> Vendor Router <--> PAN <--> Servers/hardware
Brian
12-12-2017 04:35 PM
Hi, thanks for the reply.
Didn't really want to go down the NAT path as some of the devices will use IPSEC.
Some don't of course and those are the ones you really need to monitor.
Agreed though NAT would make the job simple.
Peter
12-13-2017 07:46 AM
If done properly there isn't any reason why you wouldn't be able to set up the DHCP to hand out the available public IPs, and then set up a couple of layer 2 interfaces on the PA to actually gain all of the functionality of the firewall. NAT would really be the best solution, however, and if you set up a NAT policy properly I've never really had an issue with IPSec tunnels.
12-13-2017 08:57 AM
I believe when using NAT and IPSEC Tunnels we needed to do PBFs (Policy Based Forwarding). That may have been our environment, as not everything was in the Virtual Router's default routes (you could probably put everything there?).
It is probably possible to use the firewall as the gateway for the rest of the public IPs (creating rules that way) and just hand them out but I think the return route will be a problem as the ISP gateway is in the same subnet and will want to send return traffic directly to the devices. BPry is probably right about using firewall interfaces (or a switch off of one of the interfaces) and passing the traffic through the firewall and setting up Security Policies based on the IPs. I have not played with this however.
Brian
12-13-2017 01:33 PM
Thanks for the replies.
Looks like NAT. Policy Forwarding Rules are probably a good idea anyway. At least it's not production yet, so I can play.
I don't anticipate any real issue; I just thought there may have been a simpler, more elegant solution I hadn't seen.
Peter
12-13-2017 04:52 PM
NAT has worked well for us. You may not need to use PBFs if you put everything in the VS default routes. It's the Security Policies and the NAT Policies that will be required.
Good luck with the project.
Brian
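The following is an added example (not from any post in this thread, and not a configuration anyone here shared) showing what Brian's list of Security Policies, NAT Policies, Internal & External Zones and a private subnet looks like as PAN-OS `set` commands, together with the IPsec and return-route concerns raised above. All addressing is constructed: the ISP /28 is taken as 203.0.113.0/28 with the ISP router at 203.0.113.1, the firewall takes 203.0.113.2, and the servers sit on a private 10.0.0.0/24. The interface names ethernet1/1 (untrust) and ethernet1/2 (trust) and the rule names are assumptions.

```text
# Added example, constructed addressing and interface names (see lead-in).

# Internal & External zones on two layer 3 interfaces
set network interface ethernet ethernet1/1 layer3 ip 203.0.113.2/28
set network interface ethernet ethernet1/2 layer3 ip 10.0.0.1/24
set zone untrust network layer3 ethernet1/1
set zone trust network layer3 ethernet1/2

# Both interfaces in the default virtual router with a single default route
# at the ISP router, so nothing needs a PBF rule
set network virtual-router default interface [ ethernet1/1 ethernet1/2 ]
set network virtual-router default routing-table ip static-route isp-default destination 0.0.0.0/0 interface ethernet1/1 nexthop ip-address 203.0.113.1

# Private IP subnet handed out by DHCP on the trust interface
set network dhcp interface ethernet1/2 server ip-pool 10.0.0.100-10.0.0.200
set network dhcp interface ethernet1/2 server option gateway 10.0.0.1
set network dhcp interface ethernet1/2 server option subnet-mask 255.255.255.0

# NAT Policies
# Outbound: hide the private hosts behind the firewall's own public address
set rulebase nat rules outbound-pat from trust to untrust source 10.0.0.0/24 destination any service any source-translation dynamic-ip-and-port interface-address interface ethernet1/1

# Inbound to a web server (constructed: public 203.0.113.3 -> private 10.0.0.10).
# The rule is untrust -> untrust because the original destination is still a
# public address. The firewall answers ARP for 203.0.113.3 on ethernet1/1
# because it is inside the interface's own /28, which is what stops the ISP
# router from trying to deliver return traffic straight to the device.
set rulebase nat rules inbound-web from untrust to untrust source any destination 203.0.113.3 service service-https destination-translation translated-address 10.0.0.10

# IPsec endpoint (constructed: private 10.0.0.20 <-> public 203.0.113.4).
# A 1:1 static, bi-directional NAT rather than port translation, since ESP
# carries no ports to translate and the peer must see a stable public IP.
set rulebase nat rules vpn-host-static from trust to untrust source 10.0.0.20 destination any service any source-translation static-ip translated-address 203.0.113.4 bi-directional yes

# Security Policies
# Security rules match on the post-NAT zone but the pre-NAT address, so
# inbound rules are untrust -> trust with the public destination IP.
set rulebase security rules allow-inbound-web from untrust to trust source any destination 203.0.113.3 application [ ssl web-browsing ] service application-default action allow
set rulebase security rules allow-ipsec-in from untrust to trust source any destination 203.0.113.4 application [ ike ipsec-esp ipsec-esp-udp ] service application-default action allow
set rulebase security rules allow-outbound from trust to untrust source 10.0.0.0/24 destination any application any service application-default action allow
# Anything else between the zones falls through to the default interzone deny.
```

After `commit`, `test nat-policy-match from untrust to untrust source 198.51.100.9 destination 203.0.113.3 protocol 6 destination-port 443` (198.51.100.9 being a constructed outside client) shows which NAT rule a flow hits before any traffic is sent. The outbound PAT rule covers the monitored, non-IPsec hosts Peter mentions; only the IPsec devices need the static entries, and those devices then keep the same public identity they had on the flat /28.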