02-27-2011 08:09 PM
Hi.
I have my PA's running fine and dandy with my normal internet link(s) and DMZ farmed out to my edge routers without issue.
Now I have coming a requirement for a dedicated, separate Internet link and DMZ for a special purpose, with the traffic being completely isolated from my "main" links.
I want to assign two new interfaces - one for the extra DMZ required, and one for the additional Internet link - and use a different VR to link these two interfaces, with the default route for this pair of ports pointing to the "new" Internet link rather than my normal "default" route - however, I also want machines from my normal "inside" interface to be able to access devices in this DMZ.
Can I put the "normal" inside interface into the new VR and allow communication between the inside and the new DMZ/link without affecting the standard default route out my "main" links?
Configuration something like this:
VR Name: Router 1
Interfaces: Ethernet1/1 (inside)
Ethernet1/2 (outside - default route)
Ethernet1/3 (Main DMZ)
VR Name: Router-2
Interfaces: Ethernet1/1 (inside)
Ethernet1/4 (New-Internet, special-purpose route)
Ethernet1/5 (Special DMZ)
I don't want traffic from E1/2 mixing with E1/4 (i.e. all "Internet" bound traffic from E1/1 and E1/3 should default out this route), but I do want to be able to get to nodes in both E1/3 & E1/5 from the inside (E1/1) interface, and I want ALL Internet traffic from E1/5 to go out E1/4 instead of E1/2.
Hope this is clear enough explanation - I think I just confused myself!
02-28-2011 09:11 AM
Hi There,
This is possible:
An interface cannot be in two virtual routers - however, you can have sub-interfaces in different virtual routers.
So you can put a physical/logical interface from the new virtual router into the LAN and have routes to that IP for the new DMZ. This interface would be on the same subnet, but different IP, to the other interface already in this LAN.
Alternatively, you can move to PAN-OS 4.0.x and make use of one of two features:
- virtual router to virtual router routing
- PBF to virtual system and have the "New Network" in a new virtual system.
Thanks
James
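To make the "virtual router to virtual router routing" option concrete, here is an added configuration example; it is not from the thread or from the poster, and it assumes PAN-OS 4.0 or later, the `set` syntax of the PAN-OS CLI in configure mode, VR names Router-1 and Router-2 (the hyphenated spelling, since spaces in object names are awkward on the CLI), and constructed placeholder addresses. The lines beginning with `#` are annotations for the reader, not CLI input.

```text
# Layer 3 addressing for the five ports in the original question (placeholder IPs)
set network interface ethernet ethernet1/1 layer3 ip 10.1.1.1/24
set network interface ethernet ethernet1/2 layer3 ip 203.0.113.2/24
set network interface ethernet ethernet1/3 layer3 ip 10.3.3.1/24
set network interface ethernet ethernet1/4 layer3 ip 198.51.100.2/24
set network interface ethernet ethernet1/5 layer3 ip 10.5.5.1/24

# Each physical interface belongs to exactly one virtual router
set network virtual-router Router-1 interface [ ethernet1/1 ethernet1/2 ethernet1/3 ]
set network virtual-router Router-2 interface [ ethernet1/4 ethernet1/5 ]

# Each VR keeps its own default route, so Internet-bound traffic never crosses links
set network virtual-router Router-1 routing-table ip static-route default destination 0.0.0.0/0 nexthop ip-address 203.0.113.1 interface ethernet1/2
set network virtual-router Router-2 routing-table ip static-route default destination 0.0.0.0/0 nexthop ip-address 198.51.100.1 interface ethernet1/4

# Only the special DMZ prefix is handed from Router-1 to Router-2 ...
set network virtual-router Router-1 routing-table ip static-route to-special-dmz destination 10.5.5.0/24 nexthop next-vr Router-2
# ... and only the inside prefix is handed back, so replies take the same path
set network virtual-router Router-2 routing-table ip static-route to-inside destination 10.1.1.0/24 nexthop next-vr Router-1
```

The isolation comes from what is deliberately left out: neither VR learns the other's default route, so a host in the special DMZ (E1/5) can only reach the Internet via E1/4, and the inside network reaches E1/5 solely through the explicit /24 handed across with `next-vr`. Inter-VR forwarding does not bypass security policy: the inside and special-DMZ interfaces still need to be in zones with a rule permitting the desired traffic, and the absence of a rule between the special DMZ zone and the main Internet zone is what backs up the routing separation.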
02-28-2011 01:04 PM
jsherlow wrote:
Hi There,
This is possible:
An interface cannot be in two virtual routers - however, you can have sub-interfaces in different virtual routers.
So you can put a physical/logical interface from the new virtual router into the LAN and have routes to that IP for the new DMZ. This interface would be on the same subnet, but different IP, to the other interface already in this LAN.
Alternatively, you can move to PAN-OS 4.0.x and make use of one of two features:
- virtual router to virtual router routing
- PBF to virtual system and have the "New Network" in a new virtual system.
Thanks
James
James.
Thanks for that - I can manage to put another IP on the "inside" interface without too much hassle - since I don't think I'm quite ready to upgrade to PanOS 4 yet, I'll most likely run with that.
Cheers.