11-02-2018 03:34 PM
Any way to accomplish the following without modifying routes at the router?
I have a subnet 1.1.1.0/24.
1.1.1.1/24 is on PAN ETH1. I need to route 1.1.1.50 from ETH1 -> ETH3, as it sits behind ETH3. I need ETH1 to reply back to the router when it sends "ARP who has 1.1.1.50".
11-02-2018 03:55 PM
Just to be sure, you're saying:
server(1.1.1.50) <---> [e1/3]PAN[e1/1] <---> Router
And you want the PAN to respond to ARP requests for 1.1.1.50 that originate from the router?
If that's correct, there are two ways I can think of offhand:
1. Proxy ARP will do this if you do destination-NAT on 1.1.1.50 to some other internal address. There's a good doc on that here:
2. Use virtual wire (vwire) interfaces instead of layer 3. A virtual wire doesn't terminate layer 2 or 3, so the ARP request will directly hit the server, and the response will come from the port that eth1/1 is connected to. Docs on that here:
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/networking/virtual-wire-deployments
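Added example (not part of gwesson's reply or the Palo Alto docs): PAN-OS set-command fragments for the two options above, written in the PAN-OS 7.x/8.x CLI format from memory, so verify each line with `?` on your own release. It assumes the simplified diagram in the reply (ethernet1/1 in zone untrust facing the router, ethernet1/3 in a zone called dmz facing the server), and that for option 1 the server can be reached at a hypothetical internal address 10.10.10.50, which the thread never settles. Zone and rule names are assumptions. The security-policy caveat on the DNAT option is the part people usually get wrong.

```text
# ---- Option 1: destination NAT + proxy ARP (layer 3 on both ports) ----
set network interface ethernet ethernet1/1 layer3 ip 1.1.1.1/24
set network interface ethernet ethernet1/3 layer3 ip 10.10.10.10/24
set zone untrust network layer3 ethernet1/1
set zone dmz network layer3 ethernet1/3
set network virtual-router default interface [ ethernet1/1 ethernet1/3 ]

# 1.1.1.50 lies inside ethernet1/1's own subnet, so once this rule exists the
# firewall answers the router's "who has 1.1.1.50" with ethernet1/1's MAC
# (proxy ARP). The "to" zone is where the ORIGINAL destination routes: untrust.
# 10.10.10.50 is a hypothetical internal address for the server.
set rulebase nat rules dnat-server from untrust to untrust source any destination 1.1.1.50 service any destination-translation translated-address 10.10.10.50

# A NAT rule permits nothing by itself. Security policy matches on the
# PRE-NAT destination IP (1.1.1.50) but the POST-NAT destination zone (dmz).
# A rule written for destination 10.10.10.50, or for to-zone untrust, never
# matches and the session is dropped by the default interzone rule.
set rulebase security rules allow-to-server from untrust to dmz source any destination 1.1.1.50 application any service application-default action allow

# ---- Option 2: virtual wire (INSTEAD of option 1, not in addition) ----
# The firewall stops terminating L2/L3 on these two ports; the router's ARP
# request reaches the server unchanged and the server's reply comes back
# through ethernet1/1. Traffic is still subject to security policy.
delete network interface ethernet ethernet1/1 layer3
delete network interface ethernet ethernet1/3 layer3
set network interface ethernet ethernet1/1 virtual-wire
set network interface ethernet ethernet1/3 virtual-wire
set network virtual-wire vw-server interface1 ethernet1/1 interface2 ethernet1/3
set zone vw-untrust network virtual-wire ethernet1/1
set zone vw-dmz network virtual-wire ethernet1/3
set rulebase security rules allow-to-server-vw from vw-untrust to vw-dmz source any destination 1.1.1.50 application any service application-default action allow
```

After committing option 1, `show arp all` on the firewall will not list 1.1.1.50 (the firewall does not learn it, it answers for it); check instead from the router, whose ARP table should show 1.1.1.50 with ethernet1/1's MAC. With option 2 the router's ARP entry for 1.1.1.50 carries the server's own MAC.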
11-02-2018 04:16 PM
@gwesson wrote:Just to be sure, you're saying:
server(1.1.1.50) <---> [e1/3]PAN[e1/1] <---> Router
And you want the PAN to respond to ARP requests for 1.1.1.50 that originate from the router?
If that's correct, there are two ways I can think of offhand:
1. Proxy ARP will do this if you do destination-NAT on 1.1.1.50 to some other internal address. There's a good doc on that here:
2. Use virtual wire (vwire) interfaces instead of layer 3. A virtual wire doesn't terminate layer 2 or 3, so the ARP request will directly hit the server, and the response will come from the port that eth1/1 is connected to. Docs on that here:
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/networking/virtual-wire-deployments
(1.1.1.50) [e1/4]FW 2[e1/7] 10.10.10.11/24 <----> [e1/3]PAN[e1/7] 10.10.10.10/24 <---> [e1/3]PAN[e1/1] <---> Router
Two Firewalls PAN and FW2
If I do a destination NAT on 1.1.1.50 to an internal IP, would the packet even make its way to ETH3? I cannot modify any IPs behind e1/3.
11-03-2018 09:03 AM
It sounds like you want the same layer 3 subnet configured on two interfaces and also have routing between those interfaces. This would not be possible to commit on the PAN.
The NAT options above are to use an internal subnet on the server side and then NAT/proxy ARP to connect the IP.
Your other option, if you need to keep that public IP on the server, is to put two physical interfaces into that external-facing subnet and zone, with one for the upstream connection and the other for the server.
For this you would move the layer 3 address to a VLAN interface and then configure two layer 2 interfaces associated with that VLAN.
The server is then directly attached to that subnet, and your policy controls are untrust-to-untrust policies, since the server will also be in that same zone.
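Added example (not from pulukas's reply): the two-layer-2-ports-plus-VLAN-interface layout described above, as PAN-OS set commands written from memory in the 7.x/8.x CLI format, so confirm each line with `?` on your release. It assumes the server hangs directly off ethernet1/3 as the reply describes (not the FW2 hop in the asker's real diagram), and that the firewall's own 1.1.1.1/24 moves from ethernet1/1 to a VLAN interface. The object names (vlan-untrust, vlan.1, untrust-l2, untrust-l3, rule names) are assumptions. A layer 2 zone and a layer 3 zone cannot share a zone object, so the VLAN interface gets its own L3 zone.

```text
# Convert the uplink and the server port from layer 3 to layer 2 and switch
# them together in one VLAN object.
delete network interface ethernet ethernet1/1 layer3
set network interface ethernet ethernet1/1 layer2
set network interface ethernet ethernet1/3 layer2
set network vlan vlan-untrust interface [ ethernet1/1 ethernet1/3 ]

# The firewall's own address in 1.1.1.0/24 now lives on the VLAN interface,
# which is what gives the box a layer 3 presence (routing, NAT) for that
# subnet. The router reaches 1.1.1.1 through it; the server is not routed.
set network interface vlan units vlan.1 ip 1.1.1.1/24
set network vlan vlan-untrust virtual-interface interface vlan.1
set network virtual-router default interface vlan.1

# Zones: the two switched ports share one L2 zone (so router<->server is
# intrazone), and vlan.1 sits in a separate L3 zone.
set zone untrust-l2 network layer2 [ ethernet1/1 ethernet1/3 ]
set zone untrust-l3 network layer3 vlan.1

# Router and server are now in the same broadcast domain; the server answers
# ARP for 1.1.1.50 itself. Frames between the two ports are still inspected
# as intrazone traffic. The built-in intrazone-default rule is ALLOW, so with
# no explicit rule nothing between router and server is filtered; restrict
# it to the services the server actually offers and deny the rest.
set rulebase security rules allow-to-server from untrust-l2 to untrust-l2 source any destination 1.1.1.50 application [ ssl web-browsing ] service application-default action allow log-end yes
set rulebase default-security-rules rules intrazone-default action deny
set rulebase default-security-rules rules intrazone-default log-end yes
```

The last two lines are the piece that turns this from a transparent switch into a firewall; without them "the server is in the untrust zone" means exactly what it sounds like.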
11-04-2018 05:14 AM
Yes, in that configuration the server and the external interface will be in the same VLAN and broadcast domain, so they will respond to ARP requests normally.
11-07-2018 06:18 AM
@pulukas wrote:It sounds like you want the same layer 3 subnet configured on two interfaces and also have routing between those interfaces. This would not be possible to commit on the PAN.
@pulukas - I don't know if this is @junior_r's best solution, but in the scenario you describe, wouldn't that be possible if you had the L3 interfaces configured as part of two separate vrouters, with routing between?
Just to be clear for anyone else reading this - I'm not at all saying this is a great idea. Even if it commits, the complexity would make this only a solution for a very few, niche setups.
11-12-2018 05:18 PM
You can't route the same subnet between two virtual routers.
Both will see the subnet as local.
So if you have two interfaces with the same subnet in different VRs you would be using NAT to get them to communicate. And at that point you can go ahead and do the same thing back in the main VR to start with.
Typically I see this request for a server with the same public address as the untrust of the firewall, from voice or other applications that don't want any NAT applied to their sessions.