Communication between 2 network segment


L1 Bithead

Hello,

I have a PA-220 firewall. There is a normal switch connected on ethernet1/4. The switch is connected to the equipment of two network segments, 10.1.240.* and 192.168.5.*.

This equipment now needs to communicate. But I can't change their IPs. Can I do this through the port settings of the firewall?

My idea is to add a new sub-port to ethernet1/4 and set it to 10.1.240.*. Then I will add a NAT to connect ethernet1/4 and the sub-port. Is it right? The pictures are the current settings of the firewall.

I have just started to learn the settings of network structure. There are too many concepts in it. 😥 Do you have any recommended learning materials?

Thanks

[attached screenshots: 1.png, 2.png, 3.png]

L4 Transporter

Hi @xiaolin01 


So basically what you need is to add another network segment to the firewall, but that network segment is using ethernet1/4 that now has an untagged VLAN assigned.

You need to first see how the switch is configured for 10.1.240.* and 192.168.5.*. Does each subnet have an 802.1Q VLAN-ID assigned to it?

Assuming both have VLAN-IDs you need to add a sub-interface on ethernet1/4 and configure 10.1.240.x/yy on it along with its VLAN-ID.

Next, if 192.168.5.* has a VLAN-ID you will need to create another sub-interface for it and move the configuration there, because once you create a sub-interface the 'parent' ethernet1/4 will be the untagged VLAN - and this all depends on the switch configuration.

Next configure a trunk port on the switch and move the connection between sw<->fw to trunk (trunk ports can carry multiple VLANs).

Lastly - verify rulebase allows this zone communication.

I would start without NAT for the moment to see if basic communication is working.

Shai

Cyber Elite

Hello,

You will not need a NAT. The above information is correct. I just posted a similar config (it does not use sub interfaces, but the concepts are the same).

https://live.paloaltonetworks.com/t5/general-topics/cannot-reach-server-at-dmz-via-nat/td-p/455022


Regards,

Thank you, @ShaiW.

The switch is an unmanaged switch. So I think I need to do it in the firewall.

Neither 10.1.240.* nor 192.168.5.* has a VLAN-ID.

Do I need to make two sub-interfaces?

e.g. ethernet1/4.1 and ethernet1/4.2, configure them and then make a trunk between e1/4.1 and e1/4.2. Or can I make a trunk between e1/4 and e1/4.1?

Cyber Elite

Hello,

If you want to use VLAN IDs then go with your first option, ethernet1/4.1 and ethernet1/4.2. Make them all layer2 interfaces and put the IP on the VLAN in the firewall. It gives you more flexibility (my opinion).

Regards,

Thank you. I will try.

I set it up and changed e1/4 to layer2.

But my interface is different from yours. I don't know how to set it in static routing (picture 5).

[attached screenshots: pictures 1 to 5]

Cyber Elite

Hello,

For the Next-Hop, use the vlan instead of an IP Address.


Regards,

😅 Sorry, I have made the same config as your post. But it doesn't work. When I set my IP to 10.1.240.*, I cannot ping 10.1.240.1 or 192.168.5.*. When I use 192.168.5.* the situation is the same.

[attached screenshots: Interface, Interface - Vlan, Zones, Vlan, Routes, Policies]

Cyber Elite

Hello,

The switch port you plugged PA port 1/4 into, is it set up as a trunk port? Also, in order to ping a PAN interface, your management profile must allow ping.

Regards,
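As an added example, not posted by anyone in this thread and not taken from Palo Alto Networks' documentation, here is the PAN-OS CLI form of the steps Shai listed (one layer3 sub-interface per tagged VLAN, both in the virtual router, one zone each, and a rulebase entry instead of NAT) together with the management-profile point raised just above. The VLAN tags 240 and 5, the firewall addresses ending in .1, and the zone, profile and rule names are assumptions chosen for illustration; the tags must match what the switch trunk actually carries, and any address still on the untagged parent ethernet1/4 has to be removed first.

```panos
# Added example with assumed names and values: layer3 sub-interfaces on
# ethernet1/4, one per 802.1Q VLAN. Only works if the switch port facing
# the firewall is a trunk carrying both VLANs (an unmanaged switch cannot).
configure

# Sub-interface for 10.1.240.0/24 (assumed VLAN tag 240, firewall address .1)
set network interface ethernet ethernet1/4 layer3 units ethernet1/4.240 tag 240
set network interface ethernet ethernet1/4 layer3 units ethernet1/4.240 ip 10.1.240.1/24

# Sub-interface for 192.168.5.0/24 (assumed VLAN tag 5); the address that was
# on the untagged parent ethernet1/4 moves here
set network interface ethernet ethernet1/4 layer3 units ethernet1/4.5 tag 5
set network interface ethernet ethernet1/4 layer3 units ethernet1/4.5 ip 192.168.5.1/24

# Put both sub-interfaces in the virtual router so it routes between them
set network virtual-router default interface ethernet1/4.240
set network virtual-router default interface ethernet1/4.5

# One zone per segment (assumed zone names)
set zone seg-240 network layer3 ethernet1/4.240
set zone seg-5 network layer3 ethernet1/4.5

# Management profile that permits only ping, so hosts can test their gateway
# without the web UI or SSH being reachable on a data interface
set network profiles interface-management-profile ping-only ping yes
set network interface ethernet ethernet1/4 layer3 units ethernet1/4.240 interface-management-profile ping-only
set network interface ethernet ethernet1/4 layer3 units ethernet1/4.5 interface-management-profile ping-only

# Security rules in both directions (assumed rule names); no NAT is needed
set rulebase security rules seg-240-to-seg-5 from seg-240 to seg-5 source any destination any application any service application-default action allow
set rulebase security rules seg-5-to-seg-240 from seg-5 to seg-240 source any destination any application any service application-default action allow

commit
```

The lines beginning with `#` are explanations for the reader; the PAN-OS CLI does not accept comments, so paste only the `set` lines. Hosts in each segment then use the firewall address in their own subnet as default gateway, and `show interface all` confirms the sub-interfaces are up and carry the expected tags.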

Hello,

😥 Sorry, I forgot to set up the trunk port. The switch is old and unmanaged; it's a layer2 switch. I can't set it.

Can I make a trunk port on the firewall? I didn't find where to set it. Or should I buy a new layer3 switch?

Regards,
