How to make access for another router thru PA-500


I need to set up a router from a vendor with an official IP address because it cannot use NAT. It will support a service from Miele called "Miele Logic".

Without setting this directly on the modem with a switch, I want to set this on an interface at the PA.

I have not figured out what kind of design is best practice to use?

1 accepted solution

Accepted Solutions

I give up

Convincing vendor to change IP in order to set up NAT.

5 REPLIES 5

L7 Applicator

I'm not sure I follow the issue.  But I think you are saying you need the Miele device to be on the public subnet but also behind the Palo Alto firewall.

For this application you could use a v-wire deployment.  One side of the v-wire goes to the public untrust connection the other to the Miele device.  Since v-wire has no layer 3 profile the device is both on the public subnet and also behind the firewall.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

I considered both virtual wire and Layer 2 but this requires two interfaces?

But have not been able to assign this to the Layer 3 untrusted interface.

I have configured a lot of Palo Alto but never with these settings.

The Palo Alto has been replaced from a SonicWALL firewall and this device was configured in transparent mode.

v-wire is separate from any layer 3 usage on the device.  So the two interfaces in a v-wire act like an ethernet cable, one side connects to the untrusted device the other the protected device or network switch.  Then anything that passes through the v-wire must have a rule.

This pair of interfaces will not participate in any layer 3 configuration on the Palo Alto.  This is a "virtual wire" patch cable.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

For the internet connection I have only the untrusted interface for internet.

There is only one interface on the modem. And I don't want to set up a switch either.
