Multiple External Interfaces


Not applicable

Hello,

I have a PAN 4020 that will be replacing multiple firewalls. The internet side of the firewall has a /25 network. I have a corporate network that has an external interface of x.x.x.2/25 in the Internet zone and a guest wireless network that has an external address of x.x.x.3/25 in the Internet zone. The corporate network has an internal interface on the LAN zone. The guest wireless network has an internal interface in the guestwireless zone. The firewall will act as the default router for hosts on the guest wireless network. My question is: should I configure two virtual routers? Would having two external interfaces on the same network with separate virtual routers cause overlap issues? I don't want the guest wireless network to have the ability to route to other networks like my DMZ.

Thanks

Bane

3 REPLIES

L5 Sessionator

Hello,

You could create two virtual routers, as you indicated. They would not communicate with each other and they could be in the same subnet if necessary, as long as you do not configure the same IP address on each router. Another option would be to point both the corporate and wireless users to the same gateway and use your security policies to control the traffic between zones. You may want to open a case with Support and send a diagram of your network so that they can help with your configuration.

So the configuration that worked best for me was to have both networks egress the same interface and use security zones and policy to control the traffic. One thing I did learn is that if you have a Cisco router on the same external segment, then turn off proxy ARP if you want to have two external interfaces. This prevents the router from putting incorrect ARP entries in the ARP table.

Bane

Not applicable

I think the simplest way, and what we did, was to create a separate network on another interface and use the same internet gateway for guest access. We only allowed the guest network to have controlled internet access and no access to anything else through Security Policies etc.
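
An added example, not part of the original thread and not Palo Alto Networks code: a small Python model of the zone-and-policy approach the replies settle on. It evaluates a constructed rule list top-down (first match wins, unmatched traffic between zones denied, unmatched traffic within a zone allowed) and reports which zones guestwireless can reach. The zones LAN, guestwireless and Internet come from the post; the DMZ zone name, the rule names and the rule format are assumptions.

```python
from dataclasses import dataclass

ZONES = ["LAN", "guestwireless", "DMZ", "Internet"]  # "DMZ" zone name is assumed

@dataclass(frozen=True)
class Rule:
    name: str
    src: frozenset   # source zones; "any" matches every zone
    dst: frozenset   # destination zones; "any" matches every zone
    action: str      # "allow" or "deny"

def rule(name, src, dst, action):
    return Rule(name, frozenset(src), frozenset(dst), action)

def decide(rules, src_zone, dst_zone):
    """Return (action, rule name) for the first rule matching the zone pair."""
    for r in rules:
        if ({src_zone, "any"} & r.src) and ({dst_zone, "any"} & r.dst):
            return r.action, r.name
    # No rule matched: traffic inside one zone is allowed by default,
    # traffic between two different zones is denied by default.
    if src_zone == dst_zone:
        return "allow", "intrazone-default"
    return "deny", "interzone-default"

def reachable_from(rules, src_zone):
    """Other zones that src_zone can open sessions to under this rule list."""
    return sorted(z for z in ZONES
                  if z != src_zone and decide(rules, src_zone, z)[0] == "allow")

# Constructed rule lists (hypothetical rule names), evaluated top-down.
SEGMENTED = [
    rule("guest-to-internet", ["guestwireless"], ["Internet"], "allow"),
    rule("corp-to-internet", ["LAN"], ["Internet"], "allow"),
    rule("corp-to-dmz", ["LAN"], ["DMZ"], "allow"),
]
# Weak variant: a broad any-to-any allow placed first shadows the segmentation.
TOO_BROAD = [rule("outbound-any", ["any"], ["any"], "allow")] + SEGMENTED

if __name__ == "__main__":
    for label, rules in (("segmented", SEGMENTED), ("too broad", TOO_BROAD)):
        print(label, "-> guestwireless reaches", reachable_from(rules, "guestwireless"))
```

Running the same check against an export of the real rule order shows whether a broad allow rule above the guest rules has opened a path from guestwireless to the DMZ or LAN.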
