Public IP's and DMZ

cancel
Showing results for 
Search instead for 
Did you mean: 

Public IP's and DMZ

Not applicable

I am currently setting up a DMZ using a class C address range provided by my ISP. So far I have an untagged interface built connected to a switch and a VR built.

Example:

I have the subnet 10.10.10.0/24

I set interface G1/2 with address 10.10.10.1/24

I have a VR with a route 10.10.10.0/24 destination int G1/2 next hop address 10.10.10.1

I have a laptop with an address 10.10.10.10 I do not want this to NAT but use the address I assigned to it out of the class C range provided by my ISP.

So far I can ping my .1 gateway but haven't been able to get any farther.

3 REPLIES 3

Not applicable

After further research I have yet to resolve the issue but was wondering if I would have to build any NAT policy to accommodate this.

Since interface ethernet1/2 is directly connected to the 10.10.10.0/24 subnet with an address of 10.10.10.1 specifying a static route for this network in your virtual router is superfluous and therefore should not be necessary.

You will need to configure NAT to allow the 10.10.10.10 host outbound access to public IP space.  The following tech note covers PAN-OS NAT examples in detail.

https://live.paloaltonetworks.com/docs/DOC-1517

L6 Presenter

What you normally do (at least by my experience) is that you setup whats called a linknet between you and your ISP.

This linknet is normally a /30 network such as 10.0.0.1 is ISP and you are 10.0.0.2.

The ISP will then route 10.10.10.0/24 with nexthop 10.0.0.2 (your equipment).

While you have a default route (0.0.0.0/0) pointing towards ISP at 10.0.0.1.

This gives that your WAN interface will have 10.0.0.2/30 as ip adress, your (public) DMZ interface will have 10.10.10.1/24 (this will be the defgw for the DMZ-servers) and your (private) LAN interface will have 192.168.0.1/24 (or whatever floats your boat 😉 )

If this 10.10.10.0/24 is actually a public ip range then you wont need any nating in your PA for traffic going WAN <-> DMZ.

But you will need SNAT (Source NAT) for traffic going LAN -> WAN (mot not necessary for LAN <-> DMZ).

If you for some reason needs to allow WAN -> LAN you do this with preferly portforwarding using DNAT (Destination NAT) - depending on if its a single port you need to allow or a full ip address.

A workaround for above in case your ISP refuse to setup a linknet is to use the PA in VWIRE mode.

Setup eth1 as VWIRE towards ISP and eth2 VWIRE towards DMZ.

Then setup eth3 as regular L3 interface towards ISP and eth4 as L3 towards LAN.

This way the PA will "switch" traffic between ISP and DMZ while on eth3 it will be a single host on the same network (to SNAT the LAN-clients).

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!