10-24-2020 01:02 AM
The network I inherited has a Cisco ASA and a PAN 3220 operating as a virtual wire in serial. The NATs and most of the ACLs are at the ASA, while the PAN takes care of other protections such as geo blocking, correlation alerting and so on.

{Internet}--[Edge RTR]--[ASA]--[PAN]--[L3 Switch]

I was hoping to put another pair of PANs into our cage, but unfortunately the racks are literally full, so I can't use them. I have lots of unused Ethernet ports on the PAN 3220.

Would it be possible to run the PAN as both its L2 vWire and present an L3 interface to the edge and internally? The thought would be to put the rules for the L3 at the bottom of the rule set, just before the deny any, and these would have zones L3-Outside and L3-Inside to disambiguate. If I could even just use GlobalProtect that would be a good step forward, but the idea would be to gradually try to set up a web server at the L3 interface.

Is this foolhardy? Does any guide exist for doing something like this? Thanks; your thoughts on how to approach it would be appreciated.
10-24-2020 09:39 AM
There's no reason why this wouldn't work; you can absolutely have Layer3 interfaces running alongside your Virtual Wire without any issues. The nice part of this is you actually don't even have to worry about routing changes or anything bringing down the virtual wire when you're working to bring in the Layer3 interfaces, because it's just a simple virtual wire configuration. You could then also configure a GlobalProtect Portal and Gateway without issue through the Layer3 interface.
I'd follow your current plan and just get everything working to start off with, then move slowly to get rid of the ASA and drop the virtual wire configuration altogether. The ASA isn't doing anything the PA-3220 isn't capable of doing, so unless something is broken off at the ASA level I don't see any reason to keep it or add an additional pair of PANs. Just use the PA-3220s that you already have to their full potential and you could drop the ASA altogether without having to add any additional hardware.
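As an added example (not from the thread), here is the PAN-OS set-format configuration for the layout the reply describes: the existing virtual wire left untouched, two spare ports brought up as Layer3 interfaces in their own zones and virtual router, and the GlobalProtect and inside-to-Internet rules placed above the catch-all. It assumes the vwire is on ethernet1/1 and ethernet1/2, that ethernet1/3 and ethernet1/4 are free, that 203.0.113.0/24 and 10.20.0.0/24 are placeholder address ranges, that 203.0.113.1 is the edge router on the segment ethernet1/3 is patched into, and that the existing catch-all rule is named deny-any. All of those names and addresses are assumptions.

```text
# --- Existing virtual wire (assumed ports; unchanged by the L3 work) ---
set network interface ethernet ethernet1/1 virtual-wire
set network interface ethernet ethernet1/2 virtual-wire
set network virtual-wire vwire1 interface1 ethernet1/1 interface2 ethernet1/2
set zone vwire-untrust network virtual-wire ethernet1/1
set zone vwire-trust network virtual-wire ethernet1/2

# --- New Layer3 interfaces on spare ports (placeholder addresses) ---
set network interface ethernet ethernet1/3 layer3 ip 203.0.113.2/24
set network interface ethernet ethernet1/4 layer3 ip 10.20.0.1/24
set zone L3-Outside network layer3 ethernet1/3
set zone L3-Inside network layer3 ethernet1/4

# --- Virtual router holds only the L3 interfaces; the vwire does no routing ---
set network virtual-router vr-l3 interface [ ethernet1/3 ethernet1/4 ]
set network virtual-router vr-l3 routing-table ip static-route default destination 0.0.0.0/0 nexthop ip-address 203.0.113.1 interface ethernet1/3

# --- GlobalProtect terminates on the firewall's own outside address,
#     so the rule is intrazone L3-Outside to L3-Outside ---
set rulebase security rules GP-Portal-Gateway from L3-Outside to L3-Outside source any destination 203.0.113.2 application [ panos-global-protect ssl web-browsing ] service application-default action allow

# --- New inside segment out to the Internet, with source NAT on the
#     outside interface (this traffic never crosses the ASA) ---
set rulebase security rules L3-Inside-Out from L3-Inside to L3-Outside source 10.20.0.0/24 destination any application any service application-default action allow
set rulebase nat rules L3-SNAT from L3-Inside to L3-Outside source 10.20.0.0/24 destination any source-translation dynamic-ip-and-port interface-address interface ethernet1/3

# --- "set" appends new rules after the existing catch-all; push it back
#     to the bottom so the new rules are evaluated first ---
move rulebase security rules deny-any bottom
```

Because the vwire zones and the L3 zones are disjoint, the new rules only ever match traffic entering on ethernet1/3 or ethernet1/4, so they can sit anywhere above the catch-all; the one ordering that matters is that they are above it, which is why the last line moves deny-any back to the bottom after the additions. The GlobalProtect portal and gateway objects themselves (certificate, authentication profile, tunnel interface) are configured separately and are not shown here.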