Public IP's and DMZ


Not applicable

I am currently setting up a DMZ using a class C address range provided by my ISP. So far I have an untagged interface built connected to a switch and a VR built.


I have the subnet

I set interface G1/2 with address

I have a VR with a route destination int G1/2 next hop address

I have a laptop with an address. I do not want this to NAT, but to use the address I assigned to it out of the class C range provided by my ISP.

So far I can ping my .1 gateway but haven't been able to get any farther.


Not applicable

After further research I have yet to resolve the issue but was wondering if I would have to build any NAT policy to accommodate this.

Since interface ethernet1/2 is directly connected to the subnet with an address of specifying a static route for this network in your virtual router is superfluous and therefore should not be necessary.

You will need to configure NAT to allow the host outbound access to public IP space. The following tech note covers PAN-OS NAT examples in detail.

L6 Presenter

What you normally do (at least in my experience) is that you set up what's called a linknet between you and your ISP.

This linknet is normally a /30 network such as is ISP and you are

The ISP will then route with next hop (your equipment).

While you have a default route ( pointing towards ISP at

This means that your WAN interface will have as IP address, your (public) DMZ interface will have (this will be the default gateway for the DMZ servers) and your (private) LAN interface will have (or whatever floats your boat 😉 )

If this is actually a public IP range then you won't need any NATing in your PA for traffic going WAN <-> DMZ.

But you will need SNAT (Source NAT) for traffic going LAN -> WAN (not necessary for LAN <-> DMZ).

If you for some reason need to allow WAN -> LAN, you do this preferably with port forwarding using DNAT (Destination NAT), depending on whether it's a single port you need to allow or a full IP address.

A workaround for the above, in case your ISP refuses to set up a linknet, is to use the PA in VWIRE mode.

Set up eth1 as VWIRE towards the ISP and eth2 as VWIRE towards the DMZ.

Then set up eth3 as a regular L3 interface towards the ISP and eth4 as L3 towards the LAN.

This way the PA will "switch" traffic between ISP and DMZ while on eth3 it will be a single host on the same network (to SNAT the LAN-clients).
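As an added example that is not part of this thread or of any Palo Alto documentation, here is the linknet design from this reply together with the NAT advice from the earlier reply, written as PAN-OS CLI set commands. The addresses are RFC 5737 documentation ranges standing in for the real ones, and the interface, zone and rule names are assumptions.

```text
# Constructed example (not from the thread). Assumed layout:
#   linknet  203.0.113.0/30   ISP = .1, firewall WAN (ethernet1/1) = .2
#   DMZ      198.51.100.0/24  firewall DMZ (ethernet1/2) = .1, public, no NAT
#   LAN      192.168.1.0/24   firewall LAN (ethernet1/3) = .1, private, SNAT

# Layer 3 interfaces
set network interface ethernet ethernet1/1 layer3 ip 203.0.113.2/30
set network interface ethernet ethernet1/2 layer3 ip 198.51.100.1/24
set network interface ethernet ethernet1/3 layer3 ip 192.168.1.1/24

# Zones
set zone WAN network layer3 ethernet1/1
set zone DMZ network layer3 ethernet1/2
set zone LAN network layer3 ethernet1/3

# Virtual router: attach the interfaces and add only the default route
# towards the ISP. The DMZ and LAN subnets are connected routes, so no
# static route is needed for them (the point made in the second reply).
set network virtual-router default interface [ ethernet1/1 ethernet1/2 ethernet1/3 ]
set network virtual-router default routing-table ip static-route to-isp destination 0.0.0.0/0 nexthop ip-address 203.0.113.1 interface ethernet1/1

# NAT: WAN <-> DMZ gets no rule at all. The ISP routes 198.51.100.0/24
# to 203.0.113.2, and the DMZ servers keep their public addresses.

# SNAT for LAN -> WAN: hide private clients behind the WAN interface address.
set rulebase nat rules LAN-to-WAN-SNAT from LAN to WAN source any destination any service any source-translation dynamic-ip-and-port interface-address interface ethernet1/1

# Optional DNAT for WAN -> LAN: publish one port of an internal host on a
# spare public address. A NAT rule's destination zone comes from a route
# lookup on the PRE-translation destination; 198.51.100.250 lies in the
# connected DMZ subnet, so the rule says "to DMZ" even though the packet
# ends up in LAN after translation.
set rulebase nat rules WAN-to-LAN-DNAT from WAN to DMZ source any destination 198.51.100.250 service service-https destination-translation translated-address 192.168.1.50

# NAT rules only rewrite addresses; inter-zone traffic stays denied until a
# security rule allows it. Security rules match the POST-translation zone
# but the PRE-translation address, hence "to LAN" with the public IP.
set rulebase security rules Allow-LAN-out from LAN to WAN source any destination any application any service application-default action allow
set rulebase security rules Allow-HTTPS-in from WAN to LAN source any destination 198.51.100.250 application ssl service application-default action allow
```

Commit the configuration afterwards and confirm with the traffic log that the DMZ host's sessions show no NAT applied while the LAN host's sessions show the WAN interface address as the translated source.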
