How to make access for another router thru PA-500

MyhreNDS
Not applicable

I need to set up a router from a vendor with an official IP address because it cannot use NAT. It will support a service from Miele called "Miele Logic".

Without setting this up directly on the modem with a switch, I want to set this up on an interface on the PA.

I have not figured out what kind of design is best practice to use.


Accepted Solutions
MyhreNDS
Not applicable

I give up

Convincing vendor to change IP in order to set up NAT.



All Replies
pulukas
L7 Applicator

I'm not sure I follow the issue.  But I think you are saying you need the Miele device to be on the public subnet but also behind the Palo Alto firewall.

For this application you could use a v-wire deployment. One side of the v-wire goes to the public untrust connection, the other to the Miele device. Since v-wire has no layer 3 profile, the device is both on the public subnet and also behind the firewall.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
MyhreNDS
Not applicable

I considered both virtual wire and Layer 2, but this requires two interfaces?

But I have not been able to assign this to the Layer 3 untrusted interface.

I have configured a lot of Palo Alto but never with these settings.

The Palo Alto has replaced a SonicWALL firewall, and this device was configured in transparent mode.

pulukas
L7 Applicator

v-wire is separate from any layer 3 usage on the device. So the two interfaces in a v-wire act like an Ethernet cable: one side connects to the untrusted device, the other to the protected device or network switch. Then anything that passes through the v-wire must have a rule.

This pair of interfaces will not participate in any layer 3 configuration on the Palo Alto.  This is a "virtual wire" patch cable.

MyhreNDS
Not applicable

For the internet connection I have only the untrusted interface for internet.

There is only one interface on the modem. And I don't want to set up a switch either.
