I now have a VM300 NGFW installed and registered in my private vCenter environment. The reason for the VM300 is to provide more Global Protect users a means to connect to the network than the 1024 connections afforded by the 3220 PAN at the edge. My question has to do with addressing and zoning of the interfaces on the VM300 and NATting to the Internet.
1) Can I add a 1:1 NAT on the 3220 that would map to the "OUTSIDE" of the VM300 (which is inside the PAN 3220)? So say currently the outside address of the 3220 is 18.104.22.168 and that serves as the address for the existing portal and gateway too. We'll say the inside of the PAN 3220 is at 10.10.10.100. If we made the "Outside" of the VM300 to be at say 10.10.10.200, could we create a NAT on the 3220 such that 22.214.171.124 NATted to 10.10.10.200 and have this work for the purposes of a GP gateway?
2) Would it be preferable for the VM300 to have its OUTSIDE interface on a DMZ VLAN off of the 3220 and then have its inside interface be placed on the internal network? So in this scenario the VM300 OUTSIDE interface has IP 10.10.20.200 and that NATs to 126.96.36.199 on the 3220 OUTSIDE.
To summarize: Can one hardware PAN serve as the NAT and routing conduit to an internal VM PAN that will act as a secondary GP gateway to the former? And what would be the preferred layout of the interfaces of the VM PAN in such a scenario?