Apply Policies to a subnet

cancel
Showing results for 
Search instead for 
Did you mean: 

Apply Policies to a subnet

L1 Bithead

Hi,

New here so I hope this is right spot for this question.

I have a router from an ISP that is giving a public /28 subnet out its lan port. (Nat off)

I can't easily replace the device for a couple of reasons.

I wish to run the traffic from this through my PA so I can apply policies to the other devices I will place on this subnet.

A Virtual Wire would work but wouldn't give me any layer 3 control - as I understand it.

I tried a ingress and egress interface in a test virtual router but this can't work because the subnets overlap.

Any ideas?

Thanks

Peter

1 ACCEPTED SOLUTION

Accepted Solutions

Thanks for the replies.

Looks like Nat. Policy Forwarding Rules are probaby a good idea anyway. It least it not production yet so I can play.

I don't anticipate any real issue just though there may have been a simple more elegant solution I hadn't seen.

Peter

View solution in original post

6 REPLIES 6

L3 Networker

You could put all the devices behind the PAN and NAT them through it.  Put all the public IPs on the firewall and use rules for incoming traffic.

Definately not the only option but it would be a good way of controlling all the traffic.  This would require:

* Security Policies

* NAT Policies

* Internal & External Zones

* Private IP subnet (DHCP or no)

Internet <--> Vendor Router <--> PAN <--> Servers/hardware

 

Brian

HI thanks for the reply.

Didn't really want to go down the NAT path as some of the devices will use IPSEC.

Some don't of course and those are the ones you really need to monitor.

Agreed though NAT would make the job simple.

Peter

@msgroup,

If done properly there isn't any reason why you wouldn't be able to setup the DHCP to hand out the available public IPs, and then setup a couple layer2 interfaces on the PA to actually gain all of the functionality of the firewall. NAT would really be the best solution however, and if you setup a NAT policy properly I've never really had an issue with IPSec tunnels. 

I believe when using NAT and IPSEC Tunnels we needed to do PBFs (Policy Based Forward).  That may have been our environment as not everything was in the Virtual Routers default routes (you could probably put everything there?).

 

It is probably possible to use the firewall as the gateway for the rest of the public IPs (creating rules that way) and just hand them out but I think the return route will be a problem as the ISP gateway is in the same subnet and will want to send return traffic directly to the devices. BPry is probably right about using firewall interfaces (or a switch off of one of the interfaces) and passing the traffic through the firewall and setting up Security Policies based on the IPs.  I have not played with this however.

 

Brian

Thanks for the replies.

Looks like Nat. Policy Forwarding Rules are probaby a good idea anyway. It least it not production yet so I can play.

I don't anticipate any real issue just though there may have been a simple more elegant solution I hadn't seen.

Peter

View solution in original post

NAT has worked well for us.  You may not need to use PBFs if you put everything in the VS default routes.  Its the Security Policies and the NAT Policies that will be required.

 

Good luck with the project.

Brian

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!