Installing a router behind PA-500 with Public IP

L2 Linker


OK, I have read many discussions about this, but never found the answer. We were provided a /28 range of IP addresses from our ISP. We currently plug the ISP connection straight into port 3 on the PA. I would now like to add a Juniper SRX behind the PA, with a public IP so our VPN routers in the field can connect. Seems straightforward.

In the past I have seen similar configurations on the Cisco 2811 routers: one public WAN interface, then other ports were set up so you could put a public IP on another device on the inside and have access.

How would I do this on a PA?

L3 Networker

If you would like the Juniper appliance to have an external IP address, you will need to burn two additional ports on the Palo Alto. The two newly configured ports will be set up in vwire (bridge mode). You will also need a switch in front of the Palo Alto as well. One port will plug into an upstream switch where the public interface of the Palo Alto will also plug in, and the cable from the ISP will need to plug into this switch. The other end of the vwire will plug into the Juniper.

You can also go another route by giving the Juniper a private IP address on the internal side of the Palo Alto and creating a static NAT on the Palo to forward anything to that public IP to the Juniper.

https://live.paloaltonetworks.com/docs/DOC-1517

L4 Transporter

I would recommend setting up the SRX in a DMZ of the Palo Alto, using a private IP address for the SRX and NATing it to a public address on the PA-500. This way you just need to use one additional interface on the PA-500, and with this setup you can control the traffic to/from the SRX on your PA-500 (encrypted and decrypted traffic).

rgds Roland
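To see what the DMZ + static NAT design above actually requires in policy terms, here is an added example that is not from this thread or from any Palo Alto code. It models the PAN-OS order of operations that trips people up with this design: the destination zone is looked up on the original destination IP, NAT is applied, and the security rule must then name the pre-NAT (public) address but the post-NAT (DMZ) zone. All addresses, zone names and rule names are constructed (RFC 5737 / RFC 1918), standing in for the ISP /28 and the SRX.

```python
# Added example (not from the thread): how PAN-OS evaluates the
# "SRX in a DMZ with static destination NAT" design. Constructed topology:
# our public /28 sits on the untrust interface, the SRX has a private DMZ address.
import ipaddress

ROUTES = {  # destination prefix -> zone, used for the destination-zone lookup
    "203.0.113.0/28": "untrust",   # constructed ISP /28
    "10.10.10.0/24": "dmz",        # constructed DMZ subnet holding the SRX
    "0.0.0.0/0": "untrust",        # default route toward the ISP
}
NAT_RULES = [  # static destination NAT: public SRX address -> private SRX address
    {"from": "untrust", "to": "untrust", "dst": "203.0.113.10", "xlate": "10.10.10.2"},
]
SECURITY_RULES = [  # destination = PRE-NAT public IP, to-zone = POST-NAT zone
    {"name": "allow-vpn-to-srx", "from": "untrust", "to": "dmz",
     "dst": "203.0.113.10", "apps": {"ike", "ipsec-esp"}, "action": "allow"},
]

def zone_for(ip):
    """Longest-prefix lookup of the zone that owns a destination address."""
    addr = ipaddress.ip_address(ip)
    best = max((n for n in ROUTES if addr in ipaddress.ip_network(n)),
               key=lambda n: ipaddress.ip_network(n).prefixlen)
    return ROUTES[best]

def evaluate(src_zone, dst_ip, app):
    """Return (action, translated_dst, dst_zone) in the order PAN-OS checks them."""
    pre_nat_zone = zone_for(dst_ip)          # 1. zone from the original destination
    xlated = dst_ip
    for r in NAT_RULES:                      # 2. NAT policy matches pre-NAT zones/IPs
        if r["from"] == src_zone and r["to"] == pre_nat_zone and r["dst"] == dst_ip:
            xlated = r["xlate"]
            break
    post_nat_zone = zone_for(xlated)         # 3. security policy uses the post-NAT zone
    for s in SECURITY_RULES:                 #    but the pre-NAT destination address
        if (s["from"] == src_zone and s["to"] == post_nat_zone
                and s["dst"] == dst_ip and app in s["apps"]):
            return s["action"], xlated, post_nat_zone
    return "deny", xlated, post_nat_zone     # implicit interzone deny

if __name__ == "__main__":
    # A field VPN router bringing up IKE to the SRX's public address is allowed;
    # anything else to that address is dropped by the implicit deny.
    print(evaluate("untrust", "203.0.113.10", "ike"))
    print(evaluate("untrust", "203.0.113.10", "ssh"))
```

A security rule written with `to untrust` (the pre-NAT zone) would never match this traffic, which is the most common reason the VPN peers cannot reach the SRX after the NAT rule is in place.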

L2 Linker

Let me give both of these ideas a try. I like the idea of having it behind the PA; it may be a bit more complex in design, but then I can monitor all the traffic utilization without checking multiple devices, since I do not have access to the provider's router.

L4 Transporter

The VWIRE solution already mentioned is the first thing that comes to mind for me as well. The Palo Alto has a virtual router configured with Layer 3 interfaces and IP addresses. The router sits in parallel with the Palo Alto VR, but the router connects to the Internet through the VWIRE, allowing inspection of the traffic destined to the router.

Steve Krall
