01-13-2024 01:24 PM
Good afternoon all,
I am very new to this field and I wanted to acquire some knowledge or perhaps a better explanation. Looking at all of these videos online I think some basic fundamentals are missing in terms of real world scenarios, and not so much made up topologies.
So, I am looking at my home network as a real world example.
The PA-440 was gifted to me and I want to see if the following is possible:
1. MGT Interface > If I choose to have this interface on its own subnet (/27) 192.168.90.1/27 in my switch (layer 3), I would imagine I would need to have an IP route to know this interface is alive and I'm able to manage my firewall.
2. Gig ports 1/1 and 1/2 on the PA440
Gig 1/1 >> this will be my internet port as in directly from my router which has been placed in bridge mode and I have set the G 1/1 Interface to DHCP (under IPv4)
Gig 1/2 >> this will have a little more work; as I have been reading I can create sub interface such as
Gig 1/2.1 >> I'm assigning 192.168.50.1/27 - tagged 50
Gig 1/2.2 >> I'm assigning 192.168.60.1/27 - tagged 60
Gig 1/2.3 >> I'm assigning 192.168.70.1/27 - tagged 70
DHCP is configured to distribute each /27 and the subinterfaces are selected.
Keep in mind 1/2 will be terminated to a trunk on my switch with 3 VLANS, 50,60,70
I'm having a hard time understanding how the Management interface will operate from my switch
I'm having a hard time configuring the Virtual Router.
I'm having a hard time understanding how the security / NAT will work.
Any insight would be great; I know its a lot to ask.
01-13-2024 03:13 PM
Hi there,
Your management interface would typically be connected via an edge (access) port on your switch. Assuming your switch is Layer 3 capable, then you would assign an SVI to this management VLAN. I will assume one of your VLANs must be an 'inside/trust' type. So on your switch you would configure another SVI; this would allow traffic in the trusted zone to be routed towards your management interface.
The other VLANs, let's guess, are something like DMZ and wireless. Both of these will be switched on your switch but not routed. The firewall will be configured with routed sub-interfaces; this way the firewall will be the gateway for those subnets and will be able to control all inter-VLAN flows.
I would not worry about additional Virtual Routers at this early stage.
Your security zones will probably have a 1:1 mapping to your VLANs: inside, DMZ, wifi and WAN. The Security policy which you define will secure inter-zone flows, i.e. traffic moving from one VLAN (zone) to another. Let's say for example wifi can initiate communication with WAN and DMZ but not trust. DMZ can only initiate communication with WAN, but all the other zones can talk to it, etc.
Regarding NAT, I would imagine you would only need to configure translation on your WAN interface with source NAT for all outbound flows. You would also configure static NAT for selected ports towards your DMZ hosts.
Hope that helps.
cheers,
Seb.
01-17-2024 10:07 PM
Thank you very much for the response. I did get this working however made some such as non static routing vs dynamic.