Home configuration PA-200 help


L1 Bithead

Hi guys,

 

I'm new to this and I'm trying to install a PA-200 at home. I have managed to install it in a layer 2 configuration, but I would like to install it now in a layer 3 configuration.

I have followed this article https://live.paloaltonetworks.com/t5/Configuration-Articles/Setting-Up-the-PA-200-for-Home-and-Small...

but without success.

 

Equipment

- PA-200
- ISP modem
- switch

These are the settings that I get on the ISP modem.

[screenshot: modem.png]

And here are some config pictures:

interfaces: [screenshot: interfaces.png]

vlan: [screenshot: vlan1.png], [screenshot: vlan2.png]

zones: [screenshot: dhcp.png]

virtual router: [screenshot: virtual router.png], [screenshot: vr2.png]

dhcp: [screenshot: dhcp.png]

 

Some suggestions / advice would be helpful because I'm stuck.

tnx!

1 accepted solution

Accepted Solutions

Hi Florin

 

You'll probably want to set the untrust interface to 192.168.0.x/24, default gateway routing to 192.168.0.1, the trust interface to a completely different subnet, like 10.0.0.1/24, then configure NAT and enable a DHCP server on the trust interface.

 

Please take a look at these "getting started" articles we've created to help you get on your way:

 

I've unpacked my firewall, now what?

I've unpacked my firewall and did what you told me, now what?

I've unpacked my firewall and want to configure VLANs — subinterfaces

I’ve unpacked my firewall, but where are the logs?

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization


7 REPLIES

Cyber Elite

Hello,

Looks like your default route is pointing at interface Ethernet1/1. It should be pointing to the next hop gateway. I also see that the IP for Ethernet1/1 is the same one as your ISP router. It may help us help you if you can tell us how the two devices are connected and how they are to operate: ISP router -> PAN -> trust network, or PAN -> ISP router -> trust network.

 

Also make sure your policies are allowing the traffic, trust -> untrust (this is not pictured). Also, do you have a NAT for the internal traffic to the untrust network?

 

As for the layer 2 interface and layer 3 VLAN, that part looks OK so far.

 

Regards,

L7 Applicator

Your ISP modem needs to be set in bridge mode if you're going to put the firewall's external interface in L3. Both can't have the same external IP address. At least in the US, many common ISPs like Comcast and AT&T will not help you with configuration or connectivity issues if the modem is in bridge mode, so do that at your own risk (if your ISP even lets you do it).

 

The other option would be to set your external L3 interface to something on the modem's LAN interface, 192.168.0.1 (it's probably a /24, but that's not shown on your modem's screenshot). You'll probably want to separate your internal LAN interface with a different subnet as well, just to keep it very clear what is internal and what is external.

 

Hope this helps,

Greg

@OtakarKlier,

 

First, tnx for your answer.

So I have changed ethernet 1/1 to an internal address (192.168.0.130)

and vlan to 192.168.0.254/25

The next hop on the router is now 192.168.0.1

 

[screenshot: 2015-11-13 09_07_17-FLORIN-LPT - TeamViewer.png]

 

 

The configuration is ISP modem -> PA-200 -> switch to trust network -> trust network (computers)

 

 

Here are the pictures for the policies and NAT rule:

[screenshot: 2015-11-13 08_59_02-FLORIN-LPT - TeamViewer.png]

[screenshot: 2015-11-13 08_57_58-FLORIN-LPT - TeamViewer.png]

And also a picture of a traceroute before the firewall setup:

[screenshot: 2015-11-13 08_15_54-FLORIN-LPT - TeamViewer.png]

 

but it's still not moving 🙂

@gwesson you are right, 2 devices can't have the same IP address 🙂 so I have changed it now to an internal address 192.168.0.130

I can't set the modem to bridged ...

And the LAN interface that I get from the modem is indeed a /24

This config doesn't want to work either

 

 

tnx again

 


It works

 

tnx!

L7 Applicator

The device you show as your modem is actually a layer 3 device doing NAT.

If you want to hook up your firewall in Layer3 mode, then the Untrusted network for the firewall will be in the 192.168.0.0/24 network.

 

It is likely that the modem will give you an IP by DHCP in this network.

You could ignore DHCP and set your Ethernet1/1 with IP 192.168.0.2.

 

Add a default route in your VR making 0.0.0.0 point to 192.168.0.1

 

Your LAN needs to be a different subnet than 192.168.0.0/24, so make sure you configure a different one in your DHCP server.

 

If you ever want to make any servers visible on the outside, you will have to configure a double Destination NAT setup: forward first in your modem, or try configuring what they call a DMZ Host (all ports in UDP and TCP forwarded to a single host). The full forward should point to 192.168.0.2 (your firewall's untrust interface on Ethernet1/1). The second DNAT jump is configured in the firewall with a DNAT policy.
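The replies above converge on a few rules for putting the PA-200 in layer 3 behind a NAT-ing modem: the untrust address must sit inside the modem's LAN subnet but not copy the modem's own IP, the default route needs a next hop (the modem) rather than just an interface, the trust side must be a separate subnet, and the DHCP pool must live inside it. The following is an added example, not code from the thread or from PAN-OS: a small Python sanity check that encodes those rules and runs them over constructed layouts built from the thread's addresses (the modem's LAN address is assumed to be 192.168.0.1/24).

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface
from typing import List, Optional, Tuple

@dataclass
class Design:
    """One candidate layout: modem LAN side, firewall untrust/trust sides, routing, DHCP."""
    modem_lan: IPv4Interface                 # the modem's LAN address, assumed 192.168.0.1/24
    untrust: IPv4Interface                   # firewall ethernet1/1 (outside)
    trust: IPv4Interface                     # firewall inside interface or VLAN
    next_hop: Optional[IPv4Address]          # default route next hop; None = route names only an interface
    dhcp_pool: Optional[Tuple[IPv4Address, IPv4Address]] = None  # (low, high) handed out on trust

def check_design(d: Design) -> List[str]:
    """Return the problems found; an empty list means the layout should route and NAT cleanly."""
    problems: List[str] = []
    if d.untrust.ip == d.modem_lan.ip:
        problems.append("untrust interface reuses the modem's IP address")
    if d.untrust.network != d.modem_lan.network:
        problems.append("untrust interface is not in the modem's LAN subnet")
    if d.next_hop is None:
        problems.append("default route has no next hop (an interface alone is not enough)")
    elif d.next_hop != d.modem_lan.ip:
        problems.append(f"default route next hop {d.next_hop} is not the modem {d.modem_lan.ip}")
    if d.trust.network.overlaps(d.untrust.network):
        problems.append(f"trust {d.trust.network} overlaps untrust {d.untrust.network}")
    if d.dhcp_pool is not None:
        lo, hi = d.dhcp_pool
        hosts = set(d.trust.network.hosts())   # usable addresses only, no network/broadcast
        if lo > hi or lo not in hosts or hi not in hosts:
            problems.append("DHCP pool is not a valid host range inside the trust subnet")
        elif lo <= d.trust.ip <= hi:
            problems.append("DHCP pool hands out the trust interface's own address")
    return problems

# Constructed scenarios using the thread's addresses.
MODEM = IPv4Interface("192.168.0.1/24")
# first attempt as the first reply describes it: ethernet1/1 copies the modem's IP, route names only the interface
FIRST_ATTEMPT = Design(MODEM, MODEM, IPv4Interface("192.168.0.254/25"), None)
# second attempt: 192.168.0.130/24 outside, VLAN 192.168.0.254/25 inside, next hop 192.168.0.1
SECOND_ATTEMPT = Design(MODEM, IPv4Interface("192.168.0.130/24"),
                        IPv4Interface("192.168.0.254/25"), IPv4Address("192.168.0.1"))
# accepted solution: outside in 192.168.0.0/24, inside on 10.0.0.1/24, DHCP pool on the inside (pool is constructed)
ACCEPTED = Design(MODEM, IPv4Interface("192.168.0.2/24"), IPv4Interface("10.0.0.1/24"),
                  IPv4Address("192.168.0.1"), (IPv4Address("10.0.0.10"), IPv4Address("10.0.0.200")))

if __name__ == "__main__":
    for name, design in (("first", FIRST_ATTEMPT), ("second", SECOND_ATTEMPT), ("accepted", ACCEPTED)):
        print(name, check_design(design) or ["ok"])
```

The second attempt fails only on the overlap: 192.168.0.254/25 is the upper half of the modem's 192.168.0.0/24, so the firewall's own outside address 192.168.0.130 falls inside the inside subnet.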

  • 1 accepted solution
  • 5712 Views
  • 7 replies
  • 0 Likes