02-19-2018 04:21 AM
Hi,
I have a router from my carrier. This gives me an internal IP 10.0.9.3/16 from my internal network 10.0.0.0/16, and the GW IP he gave me is 10.0.30.99.
Now he does NAT so I can get internet access, and there I have a static official IP address, for example 123.456.789.
I gave my test PC the IP 10.0.9.3, subnet 255.255.0.0, GW 10.0.30.99 and DNS 8.8.8.8.
Then my test PC has direct internet access. I want to configure these settings now on my PA device.
I have configured a network interface and a trust and an untrust zone. But how must I configure NAT now?
And what static routing? 0.0.0.0/0 to next hop IP 10.0.30.99?
02-19-2018 06:25 AM
You need different subnets for your Trust and Untrust, you're going to have to sort that first.
You really need the REAL external IP to be on the firewall.
Rob
02-19-2018 06:54 AM
Can I not make the untrust subnet 10.0.9.3/32?
I cannot take the real external IP. There is no way because the carrier has a firewall there and they can only give me the real IP by NAT.
I know what @RobinClayton means. But my carrier restricts me on this point.
Is there no other way?
02-19-2018 07:33 AM
Get the carrier to change their internal subnet to something like
192.168.1.0/30
192.168.1.1 would be their router (and your default gateway out of the firewall)
192.168.1.2 would be your untrust interface.
10.0.9.0/16 would then be your trusted interface.
02-19-2018 07:45 AM
The firewall really isn't meant for a setup like this, and you may have to re-IP your internal network away from 10.0.0.0/16 to get things to work appropriately. I would recommend changing your internal network away from 10.0.0.0/16 just so that you don't have the 'internal' and 'external' networks in the same subnet; configure your 'internal' network as really anything else, for example 10.191.0.0/16 or 10.16.0.0/16 or whatever, and you won't run into any issues.
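The addressing plans discussed in this thread can be checked for the overlap problem before anything is configured on the firewall. The following is an added example, not code from any poster or from the vendor; the trust-side interface addresses (10.0.0.1 and 10.191.0.1) are constructed for illustration, since the thread only names the networks.

```python
import ipaddress


def check_plan(trust_if, untrust_if, gateway):
    """Return a list of problems with a two-zone (trust/untrust) plan.

    trust_if and untrust_if are interface addresses in CIDR form;
    gateway is the next hop of the 0.0.0.0/0 route out of untrust.
    """
    trust = ipaddress.ip_interface(trust_if)
    untrust = ipaddress.ip_interface(untrust_if)
    gw = ipaddress.ip_address(gateway)
    problems = []

    # Two layer-3 interfaces cannot sit in overlapping subnets: the
    # firewall could not decide which zone a destination belongs to.
    if trust.network.overlaps(untrust.network):
        problems.append("trust and untrust subnets overlap")

    # The default-route next hop must be directly reachable on untrust.
    if gw not in untrust.network:
        problems.append("gateway is not on-link for untrust")
    elif gw == untrust.ip:
        problems.append("gateway equals the untrust interface address")

    # A gateway inside the trust subnet would be looked up on the wrong side.
    if gw in trust.network:
        problems.append("gateway lies inside the trust subnet")
    return problems


# Plans from the thread; trust interface addresses are constructed.
PLANS = {
    "original":         ("10.0.0.1/16",   "10.0.9.3/16",    "10.0.30.99"),
    "untrust as /32":   ("10.0.0.1/16",   "10.0.9.3/32",    "10.0.30.99"),
    "carrier uses /30": ("10.0.0.1/16",   "192.168.1.2/30", "192.168.1.1"),
    "re-IP internal":   ("10.191.0.1/16", "10.0.9.3/16",    "10.0.30.99"),
}

if __name__ == "__main__":
    for name, plan in PLANS.items():
        issues = check_plan(*plan)
        print(f"{name}: {'OK' if not issues else '; '.join(issues)}")
```

Only the last two plans come back clean, which matches the two suggestions made in the replies above.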