I'll do my best to put this question into words.
My company owns a /24 Public IP range. I have an engineering department that needs a /29 IP space off of that block for their Lab Environment.
I have a Juniper MX104 Router and a Palo 5220 Firewall.
I'm not sure what my best steps are to get this circuit passed through the Firewall straight to the Lab environment (and Palo support is extremely slow at the moment).
1. On the Juniper Router I have a Logical Interface created irb.312 which is using the first available IP in the /29 range.
2. On the Juniper Router I have a Physical interface created to be a bridge interface using vlan-id 312
3. The Lab has an SRX that is setup to use the second available IP in the /29 range.
What are my best steps on the Palo? I was hoping a Virtual Wire would work, but the interface goes straight to down when I configure it as a Virtual Wire interface. I am hoping I don't need to create a Layer 3 interface on the Palo as I don't want to use anymore of the IPs available in the /29 (since the Edge Router and the Lab SRX are both using an IP in that /29 range already).
In terms of "topology", we do want the traffic to pass through our Palo since that is what our Network Team manages. The Lab Firewall is not managed by us, so we don't want to bypass our own Firewall. If that makes sense?
Any input would be appreciated!
Instead of assigning IPs on the MX and PA within the /29 block that you want to use behind the firewall, could you just route the entire /24 to the PA, and then route the /29 to the SRX? From your description I am assuming you are BGP announcing the /24 from the MX104?
Setup a private inter-network range between the MX104 and the PA (say, 198.18.x.x/30) and route the /24 to the PA. On the PA assign the public IPs you want to use locally to a loopback interface as /32s. Then use another 198.18.x.x/30 to route the /29 to the LAB SRX behind the PA. Advantages: you don't have use the publics for routing, can put a suballocation for third party devices on a DMZ interface, can send suballocations to different routers behind the PA, and can pick off individual IPs to use on the PA. Disadvantages: if your DMZ is already using IPs scattered across a fixed /24 subnet, subdividing gets messy.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!