One Internet line Multiple intefaces

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

One Internet line Multiple intefaces

L2 Linker

Hi Everyone
In my sinaro i have one internet line 10 MB and i have 5 zones configured in PA my question . and each zone for different purpose for example (IP SEC - Intenet -Email)

 

 

 

1-  how i can provide the internet to multiple zones with a multiple services

 

2- How many Public ip address reqiued for this sinaro 

 

14 REPLIES 14

L7 Applicator

@MFayez wrote:
1-  how i can provide the internet to multiple zones with a multiple services

With a NAT rule where you configure your internet facing interface as translated source address


@MFayez wrote:

2- How many Public ip address reqiued for this sinaro 


It depends how many servers you need to make available and even more important what services do the offer. For example if you have the PA as VPN gateway, one emailserver and one webserver then you only need one public IP. In case you have multiple webservers and all expose their websites on port 80 and 443, then you either need one address for each of them or you place a reverse proxy in front of them and then you still only need one IP as the reverse proxy forwards the requests to the apropriate server based on the URL.

 

 

 

 

Hi 

 

Thanks for the answer 

 

If I have one PA device for this example this work ....

Why do you need a zone for each service?

 

Rob

 

 

L7 Applicator

I think you have the wrong idea of zones.  Zones are collection of interfaces/subnets that we write policies against.

 

In the policy we specify the specific services and ports not in the zones.

 

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

@pulukas

What is wrong when @MFayez wants to separate the servers from each other with zones? Doed not necessary mean that he understood something wrong with the concept if zones. (Specially if you may be don't have a lot of servers but a firewall with enough capacity of zones)

Current SetupCurrent SetupNew SetupNew Setup

For the new setup 

 

how many public IP's do we need?

 

how will natting work for the interfaces?

What "IP" service ports are being connected to by each application? if none of them overlap then 1 public IP will do.

 

You also don't need to use 4 physical connections to the router  ( you could tag VLANS into one single port )

 

Rob 

 

 

Typically this is how you would be looking at your public facing services.

 

How many different public ip addresses do you need and for what services then add one for the PAN.  You request then from your ISP the appropriate subnet sized for that need, in your case looks like you will need either a /29 or /28.

 

This gets delivered on the ISP device facing your PAN.  You use one of these addresses on the PAN.

This is now your untrust zone.

 

You now organize your publicly facing resources into risk groups and create the muliple zones and private networks to support them or if the risk is similar they can all go into one DMZ zone.  These are the inside interface(s) of your PAN with zone assignments.

 

Now you create your nat rules pointing each ip address from the ISP scope at the matching internal address of the server providing the public service.  And write the security policies needed for the inbound and outbound communications for each server.

 

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

this case still is not clear for me i will explain current setup

 

1- 4 router is connected phiscaly to PA and each router provide defrent services (Email , Internet , VPN)

2- PBF are configer for pass the traffice and NAT

3-One defult routur are configer for untrust zone for all services 

 

Our reqiuerment :

1- Shift to 4 router to 1 Fiber line

 

@pulukas @RobinClayton @Remo 

 

 

 

L4 Transporter

So -One router.

 

You no longer need PBF as you only have one route out.

 

 

You have 2x incomming SMTP so you need an IP for each on service port [25 & 587]

 

Everything else does not overlap in terms of service port so can use either of the IP's.

 

 

 

 

 

 

Okay ...

 

What about interface is required to create subinterface because i will user on physical line

No sub interface is necessary.

 

Have one interface external with the IP you want to be the primary and nat rules..

 

Then just have an inbound NAT for the second IP. (Untrust->Untrust)

 

Rob

 

Thanks @RobinClayton  for your advise

 

I will got from ISP 6 public ip address
Should added the IP to interface !!

 

and it can be assigned to Zones

  • 6772 Views
  • 14 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!