Carve public Subnet without involving Vendor

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Carve public Subnet without involving Vendor

L3 Networker

Anyway to accomplish following without modifying routes at the router?

 

I have a subnet 1.1.1.0/24

 

1.1.1.1/24 PAN ETH1 Need to route 1.1.1.50 from ETH1 -> ETH3 as it sits behind ETH3. I need ETH1 to reply back to router when it says arp who has for 1.1.1.50

7 REPLIES 7

L7 Applicator

Just to be sure, you're saying: 

server(1.1.1.50) <---> [e1/3]PAN[e1/1] <---> Router

And you want the PAN to respond to ARP requests for 1.1.1.50 that originate from the router?

 

If that's correct, there are two ways I can think of offhand:

1. Proxy ARP will do this if you do destination-NAT on 1.1.1.50 to some other internal address. There's a good doc on that here:

https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/networking/nat/nat-policy-rules/prox...

 

2. Use virtual wire (vwire) interfaces instead of layer 3. A virtual wire doesn't terminate layer 2 or 3, so the ARP request will directly hit the server, and the response will come from the port that eth1/1 is connected to. Docs on that here:

https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/networking/virtual-wire-deployments

https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/networking/configure-interfaces/virt...


@gwesson wrote:

Just to be sure, you're saying: 

server(1.1.1.50) <---> [e1/3]PAN[e1/1] <---> Router

And you want the PAN to respond to ARP requests for 1.1.1.50 that originate from the router?

 

If that's correct, there are two ways I can think of offhand:

1. Proxy ARP will do this if you do destination-NAT on 1.1.1.50 to some other internal address. There's a good doc on that here:

https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/networking/nat/nat-policy-rules/prox...

 

2. Use virtual wire (vwire) interfaces instead of layer 3. A virtual wire doesn't terminate layer 2 or 3, so the ARP request will directly hit the server, and the response will come from the port that eth1/1 is connected to. Docs on that here:

https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/networking/virtual-wire-deployments

https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/networking/configure-interfaces/virt...


 

(1.1.1.50) [e1/4]FW 2[e1/7] 10.10.10.11/24 <----> [e1/3]PAN[e1/7] 10.10.10.10/24 <---> [e1/3]PAN[e1/1] <---> Router

 

Two Firewalls PAN and FW2

If i do a destination NAT on 1.1.1.50 to internal IP would the packet even make its way to ETH3? I cannot modify any IPs behind e1/3

 

 

L7 Applicator

It sounds like you want the same layer 3 subnet configured on two interfaces and also have routing between those interfaces.  This would not be possible to commit on the PAN.

 

The nat options above are to use an internal subnet on the server side and then nat/proxy arp to connect the ip.

 

Your other option if you need to keep that public ip on the server is to put two physical interfaces into that external facing subnet and zone with one for the upstream connection and the other for the server. 

 

For this you would move the layer 3 address to a vlan interface and the configure two layer 2 interfaces associated with that vlan.

 

Here then the server is directly attached to that subnet and your policy controls are then untrust to untrust policies since the server will also be in that same zone.

 

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

@pulukas in this setup would the server send arp-reply to arp request from the circut?

 

 

Yes, in that configuration the server and the external interface will be in the same vlan and broadcast domain so they will respond to arp requests normally.

 

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center


@pulukas wrote:

It sounds like you want the same layer 3 subnet configured on two interfaces and also have routing between those interfaces.  This would not be possible to commit on the PAN.


 

@pulukas-  I don't know if this is @junior_r's best solution, but in the scenario you describe, wouldn't that be possible if you had the L3 interfaces configured as part of two seperate vrouters, with routing between?

 

Just to be clear for anyone else reading this - I'm not at all saying this is a great idea.  Even if it commits, the complexity would make this only a solution for a very few, niche setups.

You can't route the same subnet between two virtual routers. 

Both will see the subnet as local.

 

So if you have two interfaces with the same subnet in different VR you would be using NAT to get them to communicate.  And at that point you can go ahead and do the same thing back in the main VR to start with.

 

Typically I see this request for a server with the same public address as the untrust of the firewall from voice or other applications that don't want any nat applied to their sessions.

 

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
  • 6244 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!