
Palo Alto (Layer3 || Layer 3 Sub-interfaces || L3 VLAN Interface || Destination NAT)

Topology

Interface      Interface Type            IP-Address       Zone
mgmt           -                         10.1.1.100/24    -
Eth1/1         Layer 3                   10.2.1.100/24    INTERNAL
Eth1/2         Layer 2                   -                -
Eth1/2.300     Layer 2 sub-interface     -                -
Vlan.300       VLAN interface            10.5.1.100/24    EXTERNAL
Eth1/3         Layer 3                   -                -
Eth1/3.100     Layer 3 sub-interface     10.3.1.100/24    DMZ_1
Eth1/3.200     Layer 3 sub-interface     10.4.1.100/24    DMZ_2

Requirements for this Topology

1. ROUTER_2 (10.3.1.10) SHOULD PING ROUTER_1 (10.2.1.10)
2. ROUTER_2 (10.3.1.10) SHOULD PING ROUTER_3 (10.4.1.10)
3. ROUTER_2 (10.3.1.10) SHOULD PING ROUTER_4 (10.5.1.10)
4. ROUTER_4 (10.5.1.10) SHOULD PING ROUTER_3 (10.4.1.10)

Workflow
1. Create Eth1/1 as a Layer 3 interface and assign it the IP address 10.2.1.100/24
2. Create eth1/2 as a Layer 2 interface and create a Layer 2 sub-interface (eth1/2.300)
3. Create the VLAN interface (vlan.300) and assign it the IP address 10.5.1.100/24
4. Create eth1/3 as a Layer 3 interface, create the Layer 3 sub-interfaces
   eth1/3.100 and eth1/3.200, and assign them their IP addresses

ROUTER_1 Configuration
ROUTER_1#sh running-config interface gi0/0
interface GigabitEthernet0/0
ip address 10.2.1.10 255.255.255.0
duplex auto
speed auto
media-type rj45
end

ROUTER_1#sh ip route
Gateway of last resort is 10.2.1.100 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 10.2.1.100
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.2.1.0/24 is directly connected, GigabitEthernet0/0
L 10.2.1.10/32 is directly connected, GigabitEthernet0/0

ROUTER_2 Configuration
ROUTER_2#sh running-config interface gi0/0
interface GigabitEthernet0/0
ip address 10.3.1.10 255.255.255.0
duplex auto
speed auto
media-type rj45
end

ROUTER_2#sh ip route
Gateway of last resort is 10.3.1.100 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 10.3.1.100


10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.3.1.0/24 is directly connected, GigabitEthernet0/0
L 10.3.1.10/32 is directly connected, GigabitEthernet0/0

ROUTER_3 Configuration
ROUTER_3#sh running-config interface gi0/0
interface GigabitEthernet0/0
ip address 10.4.1.10 255.255.255.0
duplex auto
speed auto
media-type rj45
end

ROUTER_3#sh ip route
Gateway of last resort is 10.4.1.100 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 10.4.1.100
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.4.1.0/24 is directly connected, GigabitEthernet0/0
L 10.4.1.10/32 is directly connected, GigabitEthernet0/0

ROUTER_4 Configuration
ROUTER_4#sh running-config interface gi0/0
interface GigabitEthernet0/0
ip address 10.5.1.10 255.255.255.0
duplex auto
speed auto
media-type rj45
end

ROUTER_4#sh ip route
Gateway of last resort is 10.5.1.100 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 10.5.1.100


10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.5.1.0/24 is directly connected, GigabitEthernet0/0
L 10.5.1.10/32 is directly connected, GigabitEthernet0/0

L2_SWITCH_1 Configuration
L2_SWITCH_1#SH RUNning-config INterface GI0/0
interface GigabitEthernet0/0
switchport trunk encapsulation dot1q
switchport mode trunk
media-type rj45
negotiation auto
end

L2_SWITCH_1#SH RUNning-config INterface GI0/1


interface GigabitEthernet0/1
switchport access vlan 200
media-type rj45
negotiation auto
end

L2_SWITCH_1#SH RUNning-config INterface GI0/2


interface GigabitEthernet0/2
switchport access vlan 100
media-type rj45
negotiation auto
end

L2_SWITCH_2 Configuration
L2_SWITCH_2#sh running-config interface gi0/0
interface GigabitEthernet0/0
switchport trunk encapsulation dot1q
switchport mode trunk
media-type rj45
negotiation auto
end

L2_SWITCH_2#sh running-config interface gi0/1


interface GigabitEthernet0/1
switchport access vlan 300
switchport mode access
media-type rj45
negotiation auto
end

PALO ALTO FIREWALL CONFIGURATION


L3 TYPE ZONE CREATION

VIRTUAL ROUTER

ETH1/1 INTERFACE CONFIGURATION


Eth1/1 will be a Layer 3 interface and part of the security zone "INTERNAL".

The IP address assigned to interface eth1/1 is 10.2.1.100/24.


ETH1/3 CONFIGURATION (Layer 3 Sub-interfaces)
We will configure eth1/3 as a Layer 3 interface with no IP address of its own and create two sub-interfaces (eth1/3.100 and eth1/3.200).

Assign eth1/3.100 the address 10.3.1.100/24 and place it in zone "DMZ_1".

Assign eth1/3.200 the address 10.4.1.100/24 and place it in zone "DMZ_2".


ETH1/3.100 Configuration (Tag 100 determines the VLAN ID)
ETH1/3.200 Configuration (Tag 200 determines the VLAN ID)
ETH1/2 CONFIGURATION (VLAN INTERFACE)
Configure Eth1/2 as a Layer 2 interface and create one Layer 2 sub-interface (eth1/2.300).
ETH1/2.300 (Tag 300 determines the VLAN ID)

CREATE VLAN

The VLAN object is a logical entity: it binds the Layer 2 sub-interface eth1/2.300 to a VLAN interface.

VLAN INTERFACE Configuration (vlan.300)

Create vlan.300; it will be part of zone "EXTERNAL" with the IP address 10.5.1.100/24.
INTERFACE SUMMARY
OBJECT ADDRESS

Security policy & Traffic Verification


1. ROUTER_2 (10.3.1.10) SHOULD PING/TELNET ROUTER_1 (10.2.1.10)
2. ROUTER_2 (10.3.1.10) SHOULD PING/TELNET ROUTER_3 (10.4.1.10)
3. ROUTER_2 (10.3.1.10) SHOULD PING ROUTER_4 (10.5.1.10)
4. ROUTER_4 (10.5.1.10) SHOULD PING ROUTER_3 (10.4.1.10)
5. Destination NAT from ROUTER_4 (10.5.1.10) to ROUTER_3 (10.4.1.10)
The ROUTER_3 address exposed to ROUTER_4 is 10.5.1.50.
So, when ROUTER_4 connects to 10.5.1.50, the destination should be translated to 10.4.1.10.

Create ROUTER_3_NAT_ADDRESS OBJECT

NAT POLICY
SECURITY POLICY
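The NAT and security policy screenshots are not reproduced here, so the following is an added example (not part of the original lab) that models how the firewall classifies the flows in this topology. It assumes the standard PAN-OS evaluation order: the NAT rule is matched on pre-NAT zones and addresses, while the security rule is matched on the source zone, the post-NAT destination zone and the pre-NAT destination address. The interface table and the 10.5.1.50 -> 10.4.1.10 translation are the ones from this lab; the rule names are assumptions.

```python
# Added example: a small model of flow classification for this lab's topology.
# Assumed PAN-OS behaviour (not from the original page): NAT rules match on
# pre-NAT zones/addresses; security rules match on the source zone, the POST-NAT
# destination zone and the PRE-NAT destination address.
from ipaddress import ip_address, ip_interface

# Data-plane interfaces from the lab's interface summary (mgmt is out of band).
INTERFACES = {
    "ethernet1/1":     ("10.2.1.100/24", "INTERNAL"),
    "ethernet1/3.100": ("10.3.1.100/24", "DMZ_1"),     # 802.1Q tag 100
    "ethernet1/3.200": ("10.4.1.100/24", "DMZ_2"),     # 802.1Q tag 200
    "vlan.300":        ("10.5.1.100/24", "EXTERNAL"),  # backed by ethernet1/2.300, tag 300
}

# Destination-NAT rule from requirement 5: ROUTER_3 is exposed to ROUTER_4 as 10.5.1.50.
DNAT_RULES = [
    {"from": "EXTERNAL", "to": "EXTERNAL", "dst": "10.5.1.50", "translated": "10.4.1.10"},
]

def zone_of(addr):
    """Zone of the directly connected interface whose subnet contains addr (route lookup)."""
    a = ip_address(addr)
    for ip_pfx, zone in INTERFACES.values():
        if a in ip_interface(ip_pfx).network:
            return zone
    return None

def classify(src, dst):
    """Return (source zone, post-NAT destination zone, pre-NAT dst, post-NAT dst)."""
    src_zone, pre_dst_zone = zone_of(src), zone_of(dst)
    post_dst = dst
    for r in DNAT_RULES:  # NAT lookup uses the pre-NAT destination zone and address
        if r["from"] == src_zone and r["to"] == pre_dst_zone and r["dst"] == dst:
            post_dst = r["translated"]
            break
    return src_zone, zone_of(post_dst), dst, post_dst

def security_rule_for(src, dst):
    """Zones and destination address the security rule must use to permit this flow."""
    src_zone, post_zone, pre_dst, _ = classify(src, dst)
    return {"from": src_zone, "to": post_zone, "destination": pre_dst}

def security_rule_matches(rule, src, dst):
    """Evaluate a security rule {"from", "to", "destination"} against a flow."""
    src_zone, post_zone, pre_dst, _ = classify(src, dst)
    return (rule["from"] == src_zone and rule["to"] == post_zone
            and rule["destination"] in ("any", pre_dst))
```

Running security_rule_for("10.5.1.10", "10.5.1.50") shows the rule for requirement 5 must be EXTERNAL to DMZ_2 with destination 10.5.1.50, not EXTERNAL to EXTERNAL and not destination 10.4.1.10; both of those common mistakes are rejected by security_rule_matches.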

VERIFICATION

• First, verify that ROUTER_4 gets an ARP entry for 10.5.1.50; without ARP, ROUTER_4 cannot reach ROUTER_3. The entry for 10.5.1.50 should show the same MAC address as the firewall's own 10.5.1.100, because the firewall answers ARP on behalf of the translated address.

ROUTER_4#sh ip arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.5.1.10 - 5000.0007.0000 ARPA GigabitEthernet0/0
Internet 10.5.1.50 0 badb.eefb.ad01 ARPA GigabitEthernet0/0
Internet 10.5.1.100 27 badb.eefb.ad01 ARPA GigabitEthernet0/0
• Ping
ROUTER_4#ping 10.5.1.50
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.5.1.50, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 11/15/19 ms
• Telnet
