L3 install issue - two internet lines of L3 mode installation on same networks

L3 Networker

Hi all.

One of our demo customers has two internet lines from the same ISP on the same network.

The PA appliance currently runs in V-wire mode behind the L3 office router.

But the customer wants to change the network as shown in the attached file; therefore, the PA should be changed from V-wire to L3 router mode.

(Refer to the attached network diagram.

Ultimately, the router will be replaced by the PA appliance if we win the deal.)

The important problem with the new diagram is that the two internet lines are on the same network.

I tried to install it as below, but failed.

1. I tried to deploy L3 for each external line, but it failed due to the same network.

2. I tried to deploy L2 for each external line and tied both L2 interfaces to a VLAN.

The VLAN interface has the L3 role for the external connection in this configuration. But it also failed due to a network loop.

3. I tried to deploy an aggregate for each external line, but it failed because the aggregate link did not come up.

It should also be considered that NAT is required for the L3 deployment.

Regards,

Eugene

3 REPLIES

L0 Member

Eugene -

Have you configured the outside addresses for your NAT tables yet?

I think you also might have the subnetting or the addresses wrong.  For L3 connections with a /32 this is used for Point-to-point links, if you were to have a single link from the ISP.  If this setup is currently working double check your subnets used.

/32 indicates PA-2020 (100.100.100.197/32) --> ISP (100.100.100.198/32)

We'll work on getting basic connectivity now:

GOTO:  Objects tab and make sure you have the proper outside address in the ADDRESS menu.  Make sure you are using the IP Netmask configuration with just a single IP address per config.

Policies > NAT -- make sure you have a rule saying trust to untrust you are doing source address translation.  You will be doing Port and IP address translation and using the OUTSIDE address you just configured.

Under the Network tab > Interfaces do you have zones set, virtual router (internal and external interfaces need to be on the same router).  Both untagged and both have a L3 interface type.

Under Network > Virtual Routers -- check that your virtual router has a default route to the outside world.

Destination: 0.0.0.0/0

Next hop type: IP

Next hop value: GATEWAY PROVIDED BY YOUR ISP (100.100.100.100)

FOR doing the NAT to your web server at 10.1.1.2/32 you will do the following:

Object > ADDRESS - add your external address used for your server (100.100.100.197?)

Policies > NAT -- make a new rule.

Source zone: untrust

Destination zone: trust

Destination Address: choose the new 100.100.100.197? address you just created

service: http/https/whatever service you are using.

destination translation: translated address 10.1.1.2

translated port - can leave blank or use 80/443 if you want.

commit and be awesome.

let us know if any of this was helpful.

L4 Transporter

This is certainly an interesting design! I don't see two physical interfaces with IPs in the same subnet very often.

If the ISP cannot change your external addressing or you cannot use just a single outside interface, then you might try the following:

  • Create two Virtual Routers (You can have overlapping subnets using multiple Virtual Routers) and put each external interface into its own.  Call them Default and Server.  Both have a 0.0.0.0/0 route next hop of 100.100.100.100.
  • Create three L3 interfaces:
    • Inside interface goes into Default Virtual Router, Inside zone
    • .198 goes into Default Virtual Router, Public zone
    • .197 goes into Server Virtual Router, Public zone
  • Create your NAT rules as you have defined in the diagram
    • Make the Server rule static, Bidirectional
    • Make the Client PC rule dynamic-ip-and-port
  • Create two PBF rules:
    • Inbound PBF rule for the Server:  from .197 interface, then send to Internal interface
    • Outbound PBF rule for the Server: from 10.1.1.2/32 address, then send to .197 interface
  • Create an any any allow Security rule to test

Seems like this should work in theory. You are basically using normal routing for the bulk of the traffic and PBF to force the Server traffic over the other link.

Cheers,

Kelly
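A constructed model of the two-Virtual-Router plus PBF design described in the reply above, added here as an example and not part of the thread or of PAN-OS itself. It shows the forwarding decision for the three traffic types the design separates (inbound to the server via .197, outbound from the server, and normal client traffic via .198). Interface names, the inside subnet, and the outside test address are assumptions.

```python
import ipaddress

# Constructed interface table: each external line sits in its own Virtual Router,
# so the two same-subnet addresses never share a routing table.
INTERFACES = {
    "ethernet1/1": {"vr": "Default", "zone": "Inside", "ip": "10.1.1.1/24"},      # assumed inside address
    "ethernet1/2": {"vr": "Default", "zone": "Public", "ip": "100.100.100.198/32"},
    "ethernet1/3": {"vr": "Server", "zone": "Public", "ip": "100.100.100.197/32"},
}

# Static routes per Virtual Router: (prefix, egress interface, next hop).
# Both VRs default to the ISP gateway 100.100.100.100 as in the thread.
ROUTES = {
    "Default": [("0.0.0.0/0", "ethernet1/2", "100.100.100.100"),
                ("10.1.1.0/24", "ethernet1/1", None)],
    "Server": [("0.0.0.0/0", "ethernet1/3", "100.100.100.100")],
}

# PBF rules are consulted before the routing table. Each matches on an ingress
# interface or a source prefix and forces a specific egress interface.
PBF = [
    {"ingress": "ethernet1/3", "src": None, "egress": "ethernet1/1"},   # inbound server traffic
    {"ingress": None, "src": "10.1.1.2/32", "egress": "ethernet1/3"},   # outbound server traffic
]


def forward(ingress, src, dst):
    """Return the egress interface for a packet: PBF first, then the ingress interface's VR.

    dst is the post-NAT destination (route lookup happens after destination NAT).
    """
    for rule in PBF:
        if rule["ingress"] and rule["ingress"] != ingress:
            continue
        if rule["src"] and ipaddress.ip_address(src) not in ipaddress.ip_network(rule["src"]):
            continue
        return rule["egress"]
    vr = INTERFACES[ingress]["vr"]
    best = None
    for prefix, egress, _nexthop in ROUTES[vr]:
        net = ipaddress.ip_network(prefix)
        # longest-prefix match within the ingress interface's own VR only
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, egress)
    return best[1] if best else None


if __name__ == "__main__":
    print(forward("ethernet1/3", "203.0.113.5", "10.1.1.2"))    # inbound to server -> ethernet1/1
    print(forward("ethernet1/1", "10.1.1.2", "203.0.113.5"))    # server outbound  -> ethernet1/3
    print(forward("ethernet1/1", "10.1.1.50", "203.0.113.5"))   # client outbound  -> ethernet1/2
```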

Hi Kelly.

Thanks for your great advice, but I failed with your recommended way.

I will try to discuss changing the network configuration with the prospective customer.

Thanks again.

Regards,

Eugene.
