Page 1 of 13
I've unpacked my firewall and did what you told me, now what?
In the previous installment, Getting Started: Preparing the Firewall, I've unpacked my firewall, now what? (/t5/Featured-Articles/Getting-Started-Preparing-the-Firewall/ta-p/66582), we described the first steps after unpacking your firewall and getting it up and running. This week, we'll take a look at where to go from here and configure Layer 3 interfaces, set up proper routing, and enable NAT so the firewall can function as an internet gateway.
Before we get started, I'll outline a few things that may be different in your network that you'll want to note:
In the examples below, my ISP has assigned me the internet IP subnet 198.51.100.0/28, which I want to start using on the untrust interface of the firewall instead of the router. To achieve this, NAT on the router will need to be disabled and maybe some other things need to be changed. As the steps will vary depending on several factors, you may need some assistance from your ISP to reconfigure your router. As it is not absolutely necessary to use a public IP range, you can also simply keep using the IP range your ISP provided.
https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-Layer-3-NAT-and-...
11/6/2016
Don't worry if the interfaces box is empty after this change; we'll fix that in the next step.
Next, set the Virtual Router to default and the Security Zone to untrust.
Click OK and proceed to ethernet1/2. Set the Interface to Layer3, Virtual Router to default and Security Zone to trust.
In the IPv4 tab, set the IP address of the interface to 10.0.0.1/24 and open the Advanced tab.
In this tab, we're going to set a Management Profile which will allow us to ping the interface, which might come in handy if we ever need
to troubleshoot internal network issues. In the Management Profile dropdown, click the Management Profile link:
For now, we will only allow the ping service on the interface.
Return to the interfaces page by clicking OK on the two configuration dialogs. The interfaces page should now look like this:
3. Configuring routing
Next, we need to make sure the firewall will be able to reach the Internet, so it will need a default gateway.
1. Navigate to the Network tab.
2. Open Virtual Routers from the left pane.
3. Open the default VR (virtual router).
This will bring up the configuration for the Virtual Router we will be using for our new Layer 3 interfaces. It is called a virtual router
because the firewall does not employ one single routing instance, but can have several, all bound to different interfaces. This allows for
routing instances to be very different from each other, and makes network segregation at the routing level possible. For now, we'll stick
to the one we have:
We'll set the destination to 0.0.0.0/0, which encompasses all IP subnets that are not connected to the firewall and the egress interface
to ethernet1/1 as this is the outside interface connected to the internet router. Lastly we'll set the router's IP address as the next hop.
4. Configuring DHCP
Our next step will be to enable a DHCP server on the trust interface so any users connecting to the network without a statically
configured IP address can get connected.
We'll set the interface to ethernet1/2 as this is the inside interface. To prevent duplicate IP addresses in the network in case someone has set a static IP address configuration on their workstation, we can enable Ping IP when allocating new IP. This option sends a ping to an IP address that is about to be assigned to a host. In case the ping receives a reply, the DHCP server chooses a different IP to assign and repeats the step. We'll set the Lease to 1 day and the IP Pools to '10.0.0.50-10.0.0.250' to provide users with 201 IP addresses.
In the Options tab, we can configure which default gateway and DNS servers the clients receive when requesting a DHCP address. We need to set the Gateway as 10.0.0.1 as this is the firewall's internal IP address. I've set the DNS servers as Google's 4.2.2.2 and 8.8.8.8 but you can set your own ISP's DNS servers:
Click OK to complete this bit and let's move to the last part where we configure NAT.
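The scope and the Ping IP when allocating new IP behaviour described above, as an added example that is not part of the article and is not PAN-OS code: a small Python model of the DHCP scope that checks the pool is sane for the 10.0.0.1/24 interface and shows why the ping check avoids handing out an address that a statically configured host already uses. The address plan is the tutorial's; the set of static hosts (STATIC_HOSTS), the fake_ping probe and the client identifiers are constructed for the example.

```python
import ipaddress

# Addressing plan from the tutorial: ethernet1/2 is 10.0.0.1/24, the DHCP pool is
# 10.0.0.50-10.0.0.250 with a one-day lease.
GATEWAY = "10.0.0.1/24"
POOL_START = "10.0.0.50"
POOL_END = "10.0.0.250"
LEASE_SECONDS = 24 * 60 * 60

# Constructed sample: two workstations someone configured statically inside the pool.
STATIC_HOSTS = {"10.0.0.50", "10.0.0.51"}


def pool_addresses(start=POOL_START, end=POOL_END):
    """Every address of the inclusive pool range, as strings, in ascending order."""
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    return [str(ipaddress.ip_address(n)) for n in range(int(first), int(last) + 1)]


def check_scope(gateway=GATEWAY, start=POOL_START, end=POOL_END):
    """Return a list of problems with the scope; an empty list means it is sane."""
    gw = ipaddress.ip_interface(gateway)
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    net = gw.network
    problems = []
    if first not in net or last not in net:
        problems.append("pool is not inside the interface subnet")
    if first > last:
        problems.append("pool start is after pool end")
    if first <= gw.ip <= last:
        problems.append("gateway address lies inside the pool")
    if net.network_address in (first, last) or net.broadcast_address in (first, last):
        problems.append("pool includes the network or broadcast address")
    return problems


def fake_ping(address):
    """Constructed stand-in for the firewall's probe: True if a host answers."""
    return address in STATIC_HOSTS


class DhcpServer:
    """Hands out addresses from the pool, optionally probing each one first."""

    def __init__(self, probe=fake_ping, pool=None, ping_before_allocate=True):
        self.probe = probe
        self.free = list(pool if pool is not None else pool_addresses())
        self.leases = {}  # client identifier -> address
        self.ping_before_allocate = ping_before_allocate

    def allocate(self, client_id):
        """Return the client's existing lease or the first pool address nobody answers on."""
        if client_id in self.leases:
            return self.leases[client_id]
        while self.free:
            candidate = self.free.pop(0)
            if self.ping_before_allocate and self.probe(candidate):
                # A host already answers here (static configuration): skip the address
                # rather than hand out a duplicate, then try the next one.
                continue
            self.leases[client_id] = candidate
            return candidate
        return None  # pool exhausted


def demo():
    """Same first client, with and without the ping check."""
    return {
        "with_ping_check": DhcpServer(ping_before_allocate=True).allocate("client-1"),
        "without_ping_check": DhcpServer(ping_before_allocate=False).allocate("client-1"),
    }


if __name__ == "__main__":
    print("pool size:", len(pool_addresses()))
    print("scope problems:", check_scope() or "none")
    print(demo())
```

With the check enabled the first client receives 10.0.0.52, because 10.0.0.50 and 10.0.0.51 answer the probe; without it the server hands out 10.0.0.50 and creates the duplicate the tutorial warns about. The check_scope function is the kind of sanity test worth running on any scope change, since the firewall's own address must never sit inside the pool.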
5. Configuring NAT
The last part of this setup is to configure Network Address Translation. This will make sure all internal hosts go out to the internet using
the firewall's external IP address as source. This is required as the private network (https://en.wikipedia.org/wiki/Private_network) IP
ranges 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 are not routed on the internet and can only be used on a private network behind
a NAT enabled gateway.
Next we'll go to the Original Packet tab, where we'll set the source and destination zones and the destination interface.
1. Click Add to insert a new source zone.
2. Select the trust zone from the dropdown.
3. In the destination zone, choose untrust in the dropdown.
4. For the destination interface, set ethernet1/1, as this is the outside interface.
5. Leave everything else as is and move on to the Translated Packet tab.
Lastly, from the Translated Packet tab, we will configure the Source Address Translation. Set the Translation Type to Dynamic IP And Port to ensure multiple internal clients can make simultaneous outbound connections hidden behind one IP address.
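To show how the routing from section 3 and the NAT rule from section 5 work together, here is an added Python model of the forwarding path; it is example code, not PAN-OS code or part of the article. It builds the connected routes plus the 0.0.0.0/0 default route via the ISP router, matches the trust-to-untrust rule on zones and egress interface, and applies dynamic IP and port translation, including the reverse mapping that lets replies reach the right inside host. The untrust address 198.51.100.2/28, the router 198.51.100.1, the web server 203.0.113.10 and the client flows are assumptions constructed for the example; the tutorial names the /28 but not the host address.

```python
import ipaddress

# Interfaces from the tutorial. The untrust address 198.51.100.2/28 and the ISP
# router at 198.51.100.1 are assumptions: the tutorial names the /28 but not the host.
INTERFACES = {
    "ethernet1/1": {"zone": "untrust", "ip": ipaddress.ip_interface("198.51.100.2/28")},
    "ethernet1/2": {"zone": "trust", "ip": ipaddress.ip_interface("10.0.0.1/24")},
}
ROUTER_NEXT_HOP = "198.51.100.1"

# The single NAT rule: source zone trust, destination zone untrust, egress ethernet1/1.
NAT_RULE = {"from_zone": "trust", "to_zone": "untrust", "to_interface": "ethernet1/1"}


def build_routes():
    """Connected routes for each interface plus the 0.0.0.0/0 default via the router."""
    routes = [(spec["ip"].network, name, None) for name, spec in INTERFACES.items()]
    routes.append((ipaddress.ip_network("0.0.0.0/0"), "ethernet1/1", ROUTER_NEXT_HOP))
    return routes


def lookup(dst, routes=None):
    """Longest prefix match: the connected /24 and /28 beat the /0, which catches the rest."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, iface, nexthop in routes if routes is not None else build_routes():
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, nexthop)
    return None if best is None else (best[1], best[2])


def ingress_interface(src):
    """Which interface a packet with this source address arrived on (by connected subnet)."""
    src = ipaddress.ip_address(src)
    for name, spec in INTERFACES.items():
        if src in spec["ip"].network:
            return name
    return None


class DippTranslator:
    """Dynamic IP and port: one public address, a fresh translated port per flow."""

    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self.next_port = first_port
        self.flows = {}    # (src_ip, src_port, dst_ip, dst_port) -> translated port
        self.reverse = {}  # translated port -> (src_ip, src_port), used for return traffic

    def translate(self, src_ip, src_port, dst_ip, dst_port):
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.flows:
            self.flows[key] = self.next_port
            self.reverse[self.next_port] = (src_ip, src_port)
            self.next_port += 1
        return self.public_ip, self.flows[key]

    def untranslate(self, translated_port):
        """Map a reply arriving at public_ip:translated_port back to the inside host."""
        return self.reverse.get(translated_port)


def forward(src_ip, src_port, dst_ip, dst_port, nat):
    """Route the packet, then apply the NAT rule only when zones and egress match it."""
    egress, next_hop = lookup(dst_ip)
    ingress = ingress_interface(src_ip)
    src_zone = INTERFACES[ingress]["zone"] if ingress else None
    match = (src_zone, INTERFACES[egress]["zone"], egress) == (
        NAT_RULE["from_zone"], NAT_RULE["to_zone"], NAT_RULE["to_interface"])
    if match:
        src_ip, src_port = nat.translate(src_ip, src_port, dst_ip, dst_port)
    return {"egress": egress, "next_hop": next_hop, "src": f"{src_ip}:{src_port}", "nat": match}


if __name__ == "__main__":
    nat = DippTranslator(str(INTERFACES["ethernet1/1"]["ip"].ip))
    # Two inside clients using the same source port reach the same web server (constructed).
    for client in ("10.0.0.50", "10.0.0.51"):
        print(forward(client, 40000, "203.0.113.10", 443, nat))
    print(forward("10.0.0.50", 40000, "10.0.0.77", 80, nat))  # stays inside: no NAT
    print("reply on port 1025 goes to", nat.untranslate(1025))
```

Both clients leave with source 198.51.100.2 but on different translated ports (1024 and 1025), which is what lets them share the single address; the reverse table resolves the reply for port 1025 back to 10.0.0.51:40000. Traffic that stays on the trust side routes out of ethernet1/2 and never matches the rule, so it is not translated.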
Navigate to the Network tab and open Virtual Wires from the left pane. Once there, highlight the default-VWire and click Delete.
We have now successfully switched the firewall from virtual wire to Layer 3 deployment. One caveat to consider is that the interfaces are no longer acting as a bump-in-the-wire: they now have their own MAC addresses, so some clients, and potentially the router, may need to have their ARP cache refreshed before they can successfully communicate with the firewall.
On a Windows host, this can be accomplished by starting a command prompt as administrator and executing 'arp -d' to clear the ARP cache and 'ipconfig /renew' to obtain a DHCP lease from the new DHCP server.
C:\>arp -d

C:\>ipconfig /renew

Windows IP Configuration

Ethernet adapter lablan:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 10.0.0.50
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.0.0.1
I hope you enjoyed this article. Please feel free to leave any comments below!
Regards,
Tom Piens
If you've enjoyed this article, please also take a look at the follow-up articles:
Comments
by rick.wilkerson (/t5/user/viewprofilepage/user-id/9728)
on 02-14-2016 01:09 PM
Nice job, made it bite size for those starting.
by TomDuong (/t5/user/viewprofilepage/user-id/37435)
on 04-18-2016 11:24 AM
Please add instructions for use case of when untrust interface, ethernet1/1, is configured as a DHCP client.
by reaper (/t5/user/viewprofilepage/user-id/7608)
on 09-07-2016 05:15 AM
@TomDuong (/t5/user/viewprofilepage/user-id/37435) ask and ye shall receive! : getting started: firewall as a PPPoE or DHCP client
(/t5/Content-Queue/getting-started-firewall-as-a-PPPoE-or-DHCP-client/ta-p/106059)
by amjadraja (/t5/user/viewprofilepage/user-id/48151)
3 weeks ago
Very Nice Job Reaper. It solved my problem... thanks a lot for sharing this post