Transparent IP Mode Splice L3 Subnet possible?

I have a client that is currently using Sonicwall and wants to migrate to Palo Alto.  

Sonicwall supports Transparent IP Mode (Splice L3 Subnet) that basically can bridge the WAN subnet onto the DMZ interface.

Let's say, for example:

WAN Interface - 100.100.100.1/24 - L3

DMZ Interface - 100.100.100.1/24 - Transparent

LAN Interface - 10.10.10.1/24 - L3

There are currently servers that sit physically on the DMZ interface using the public address 100.100.100.X range.

There are also servers that are being static NATted using the DMZ address 100.100.100.X range to actual internal servers in the LAN 10.10.10.X range.

Can this be done in Palo Alto? If so, how?

This could be done by combining a v-wire with a standard Layer 3 deploy but it will require some external switch ports.

Create a v-wire pair of ports with an untrust and DMZ side

Create a Layer 3 deploy with an untrust interface and trust interface

The setup would be:

Internet service router

----Three switch ports----(use a layer 2 vlan on a managed switch or a separate small 5 port switch to isolate this segment)

1-Internet service inbound

2-Untrust interface on layer 3 Palo Alto

3-Untrust side of v-wire on Palo Alto

-----DMZ V-wire---These will also need to be an isolated layer 2 vlan separated from the internal and external network

Connect the port to the DMZ vlan; the servers in this vlan are on the same subnet as the external interface

---Trust internal network---Also an isolated vlan separated from the dmz and external network

Connect the layer 3 trust to this vlan and set up devices normally

For devices that require destination NAT, create those rules to these trust addresses

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Thank you for the question answer.

This was also suggested to the client by me and by Palo Alto tech support, using an external switch. The client had a question about whether the NAT translation will still work correctly in this case for NATting internal servers. There is conflicting information about whether virtual wire supports NAT and routing. Later OS versions seem to support it. I am currently testing this scenario in the lab.

Also, in case this does not work and we decide to VLSM the subnet without bridging, does the Palo Alto firewall support Proxy ARP or NATting the same IP address from WAN to DMZ without notifying the upstream router of the changed subnet?

V-wire does support nat, but in your scenario the nat will occur over the Layer 3 side, if I understand your setup correctly.

V-wire devices have the same ip address as the external WAN 100.100.100.1/24.  So these will be on the external LAN and no nat is required.

NAT devices are on the 10.10.10.0/24 network. So when the 100.100.100.X is requested, the Layer 3 side will have a destination NAT rule to the 10.10.10.X address, with the matching security policies as needed for the traffic.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
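The layout from the accepted answer (v-wire for the public-addressed DMZ, Layer 3 untrust/trust for the LAN) together with the point above that the destination NAT lives on the Layer 3 side, written out as PAN-OS CLI set commands. This is an added example, not configuration posted in the thread or published by Palo Alto Networks: the interface numbers, zone and rule names, the ISP router address 100.100.100.254 and the published server pair 100.100.100.10 / 10.10.10.10 are assumptions, the `#` lines are explanatory notes rather than CLI input, and keyword details vary somewhat across PAN-OS releases.

```text
# --- Virtual wire: untrust side (isolated 3-port switch) <-> DMZ vlan ---
set network interface ethernet ethernet1/1 virtual-wire
set network interface ethernet ethernet1/2 virtual-wire
set network virtual-wire vw-dmz interface1 ethernet1/1 interface2 ethernet1/2
set zone untrust-vw network virtual-wire ethernet1/1
set zone dmz network virtual-wire ethernet1/2

# --- Layer 3: untrust on the same 3-port switch, trust facing the LAN vlan ---
set network interface ethernet ethernet1/3 layer3 ip 100.100.100.1/24
set network interface ethernet ethernet1/4 layer3 ip 10.10.10.1/24
set zone untrust network layer3 ethernet1/3
set zone trust network layer3 ethernet1/4
set network virtual-router default interface [ ethernet1/3 ethernet1/4 ]
# Default route toward the ISP router (100.100.100.254 is an assumed address)
set network virtual-router default routing-table ip static-route to-isp destination 0.0.0.0/0 nexthop ip-address 100.100.100.254

# --- DMZ servers keep their public addresses: no NAT, only security policy ---
# The v-wire bridges the ISP segment to the DMZ vlan, so the servers' ARP and
# traffic pass straight through; policy still decides what is allowed.
set rulebase security rules inet-to-dmz from untrust-vw to dmz source any destination 100.100.100.0/24 application any service application-default action allow
set rulebase security rules dmz-to-inet from dmz to untrust-vw source 100.100.100.0/24 destination any application any service application-default action allow

# --- Published LAN server: destination NAT on the Layer 3 side ---
# NAT rule zones are evaluated pre-NAT: 100.100.100.10 sits on the untrust
# interface's connected subnet, so the rule is untrust -> untrust, and the
# firewall answers ARP for 100.100.100.10 on ethernet1/3.
set rulebase nat rules dnat-web from untrust to untrust source any destination 100.100.100.10 service service-https destination-translation translated-address 10.10.10.10
# Security policy matches the pre-NAT destination address but the post-NAT
# zone (trust), so the allow rule is untrust -> trust for 100.100.100.10.
set rulebase security rules inet-to-web from untrust to trust source any destination 100.100.100.10 application any service service-https action allow
```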

That is great. Thank you!

I tested this in lab using minimum config and it seems to work.  I am going to add the rest of the configs to see if it works.

Now, suppose that adding an external switch was not an option. Is there another way to solve this issue? Below are some of the things we came up with.

1. Palo Alto tech support suggested an article that configures a layer 2 to layer 3 connection utilizing a combination of an L2 interface, a virtual router and a VLAN. It was complicated and when I tested it, it did not work. Either I didn't choose the right options or it just doesn't work.

How to Configure a Layer 2 to Layer 3 Connection on the Palo Alto Networks Device

2. If we further divide the WAN subnet so that WAN has 100.100.100.0/25 and DMZ has 100.100.100.128/25, and changing the upstream router route is not an option, does the Palo Alto firewall support Proxy ARP for the new DMZ subnet, or will it only do proxy ARP for NAT devices it is responsible for?

4. If we do NAT translation from WAN to DMZ using the same IP, meaning 100.100.100.100 translates to 100.100.100.100 in the DMZ, would this have worked?

The reason I am asking these questions is that in case I run into these issues again, I will have other ways to solve them. Really appreciate your feedback. Thank you!

1. Palo Alto tech support suggested an article that configures a layer 2 to layer 3 connection utilizing a combination of an L2 interface, a virtual router and a VLAN. It was complicated and when I tested it, it did not work. Either I didn't choose the right options or it just doesn't work.

I don't think this will work for your configuration. The critical difference is that this setup depends on the layer 3 interface facing the upstream router with the default route. In your scenario the default route needs to face the layer 2 side network. In that scenario they are adding the layer 2 on the inside of the schema; yours is on the outside.

2. If we further divide the WAN subnet so that WAN has 100.100.100.0/25 and DMZ has 100.100.100.128/25, and changing the upstream router route is not an option, does the Palo Alto firewall support Proxy ARP for the new DMZ subnet, or will it only do proxy ARP for NAT devices it is responsible for?

This would still require changes on the upstream router to change the size of the netmask and convert the second half /25 to a routed subnet instead of a connected one. By definition proxy-arp can only occur within the same subnet of a configured interface. You cannot arp at layer 2 for an address that is not on your layer 2 subnet. So there is no way for the PA interface that has been changed to the lower /25 to arp for the upper /25 addresses. This violates basic subnet rules, nothing to do with PA features.

4. If we do NAT translation from WAN to DMZ using the same IP, meaning 100.100.100.100 translates to 100.100.100.100 in the DMZ, would this have worked?

This would not be NAT as nothing is being translated.  And you cannot have two devices in the same subnet that have the same ip address.  This would be a basic ip conflict that would cause traffic issues when both attempt to respond to requests for the address in the subnet.

You can do port forwarding where the PA interface address is used to forward certain ports to another address.  But this involves then using NAT to change that interface address to the actual address used by the server we are forwarding the traffic to.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Thank you. This is very helpful!

I have a customer with this same scenario but is running two ISPs, but the primary is for Internet only. Would the internal hosts access the DMZ via the vwire or the layer 3? I implemented the vwire and can see traffic hitting my vwire and layer 3 rules. Currently devices internally cannot reach the DMZ.

Thanks!

PCNSC, PCNSE