Internet -> PA-440 -> ASUS RT-AX53U AX1800. Error = Router does not get Internet access

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Internet -> PA-440 -> ASUS RT-AX53U AX1800. Error = Router does not get Internet access

L1 Bithead

I have just purchased my first PaloAlto firewall. I am a sysadmin at a small office (about 20 people) and I am in the progress of setting up a new WiFi for my office.

 

This is my equipment:

 

  • Firewall: PA-440
  • Router: Asus RT-AX53U AX1800

This is my current setting:

 

01 PA-440 Drawing.png

 

I have managed to connect to the PA-440 firewall by setting my network cards IP to 192.168.1.2.

 

What should I do in order to make my router get Internet? I have some screenshots of my setup here:

 

PA-440 Dashboard

02 PA-440 Dashboard.png

PA-440 Interfaces
03 PA-440 Interfaces.png

 

Asus RT-AX53U AX1800 dashboard
10 Asus Dashboard.png

 

Asus RT-AX53U AX1800 LAN
11 Asus LAN.png

 

Asus RT-AX53U AX1800 LAN -> DHCP
12 Asus DHCP.png

 

Asus RT-AX53U AX1800 WAN
13 Asus Connection.png

 

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

there's a good book you can read 😉

 

 

there's a lot of stuff you can do but let's start with the basics

 

create 2 new layer3 zones

 

i'd firstly set the interface 1/1 to layer 3 mode and set it as dhcp client. that should get you a public IP automatically from your ISP

assign it the external zone

reaper_0-1705491902222.png

 

 

next, set the ethernet1/2 as a layer3 interface and assign it an IP address (e.g. 192.168.50.1/24) , and enable a dhcp server on that interface, make sure you set the 192.168.50.1 IP as default route in the dhcp features

 

reaper_1-1705492035273.png

 

now, it would be preferable if you can set your Asus in passthrough mode so it simply acts as an access point and not interfere with routing or additional NAT inside your network

 

don't forget to create a security rule that allows your new internal zone out to your new external zone (delete the rule that was already in place, fresh starts are better)

make sure to add your subscription profiles!

reaper_2-1705492213885.png

and lastly, create a NAT rule for your outbound traffic:

 

reaper_3-1705492271967.png

 

 

to ensure your firewall is able to fetch updates, configure it with a DNS server in the management section, then consider setting up 'service routes'  (Device > setup > service > service routes) attached to your ethernet1/2 (as else the updates will be fetched via your managment interface which is currently not connected to anything)

 

reaper_4-1705492548214.png

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

View solution in original post

2 REPLIES 2

Cyber Elite
Cyber Elite

there's a good book you can read 😉

 

 

there's a lot of stuff you can do but let's start with the basics

 

create 2 new layer3 zones

 

i'd firstly set the interface 1/1 to layer 3 mode and set it as dhcp client. that should get you a public IP automatically from your ISP

assign it the external zone

reaper_0-1705491902222.png

 

 

next, set the ethernet1/2 as a layer3 interface and assign it an IP address (e.g. 192.168.50.1/24) , and enable a dhcp server on that interface, make sure you set the 192.168.50.1 IP as default route in the dhcp features

 

reaper_1-1705492035273.png

 

now, it would be preferable if you can set your Asus in passthrough mode so it simply acts as an access point and not interfere with routing or additional NAT inside your network

 

don't forget to create a security rule that allows your new internal zone out to your new external zone (delete the rule that was already in place, fresh starts are better)

make sure to add your subscription profiles!

reaper_2-1705492213885.png

and lastly, create a NAT rule for your outbound traffic:

 

reaper_3-1705492271967.png

 

 

to ensure your firewall is able to fetch updates, configure it with a DNS server in the management section, then consider setting up 'service routes'  (Device > setup > service > service routes) attached to your ethernet1/2 (as else the updates will be fetched via your managment interface which is currently not connected to anything)

 

reaper_4-1705492548214.png

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Thank you for your help Reaper. Now my office have Internet via the PA-440 firewall.

  • 1 accepted solution
  • 1570 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!