Getting Started: Layer 3, NAT, and DHCP - Live Community

Page 1 of 13

(/)

Get Support (/t5/custom/page/page-id/Support)

Register (https://live.paloaltonetworks.com/t5/custom/page/page-id/Register?referer=https%3A%2F%2Flive.paloaltonetworks.com%2Ft5%2FFeatured-Articles%2FGettingStarted-Layer-3-NAT-and-DHCP%2Fta-p%2F66999)
Sign In (https://live.paloaltonetworks.com/twzvq79624/plugins/common/feature/saml/doauth/post?referer=https%3A%2F%2Flive.paloaltonetworks.com%2Ft5%
2FFeatured-Articles%2FGetting-Started-Layer-3-NAT-and-DHCP%2Fta-p%2F66999)
FAQs (/t5/help/faqpage)

Features

(https://live.paloaltonetworks.com/t5/Features/ct-p/Features)

Discussions

Knowledge Base

(https://live.paloaltonetworks.com/t5/Knowledge-Base/ct-p/Topics)

Tools

(https://live.paloaltonetworks.com/t5/Tools/ct-p/Tools)

Live (/) > Features (/t5/Features/ct-p/Features) > Welcome to Live (/t5/Welcome-to-Live/ct-p/Community_Features) >

Featured Articles (/t5/Featured-Articles/tkb-p/FeaturedArticles)

Featured Articles (/t5/Featured-Articles/tkb-p/FeaturedArticles) >

Community

Search

Getting Started: Layer 3, NAT, and DHCP

by reaper (/t5/user/viewprofilepage/user-id/7608) on 10-21-2015 05:02 PM - edited on 10-05-2016 06:35 PM by editeur

(43,422 Views)
(/t5/user/viewprofilepage/user-id/27630)
Labels: Getting Started (/t5/Featured-Articles/tkb-p/FeaturedArticles/label-name/getting%20started?labels=getting+started)

I've unpacked my firewall and did what you told me, now what?

In the previous installment, Getting StartedPreparing the Firewall, I've unpacked my firewall, now what?, (/t5/Featured-

Articles/Getting-Started-Preparing-the-Firewall/ta-p/66582) we described the first steps after unpacking your firewall and getting it
up and running. This week, we'll take a look at where to go from here and configure Layer 3 interfaces, set up proper routing, and
enableNAT so the firewall can function as an internet gateway.

Before we get started, I'll outline a few things that may be different in your network that you'll want to note:
In the examples below, my ISP has assigned me the internet IP subnet of 198.51.100.0/28 which I want to start using on the untrust

interface of the firewall instead of the router. To achieve this, NAT will need to be disabled and maybe some other things need to be

changed to accomplish this. As the steps to accomplish this will vary, depending on several factors, you may need some assitance from
your ISP to reconfigure your router. As it is not absolutely necessary to use a public IP range, you can simply keep using the IP range
your ISP provided.

Please note these parameters for your network:

My router's IP will be: 198.51.100.1

My firewall's IP will be: 198.51.100.2

My firewall's internal IP will be: 10.0.0.1

My client's DHCP range will be: 10.0.0.50-10.0.0.250

1. Preparing the zones

To get started, we'll first reconfigure the zones we're currently using for our Virtual Wire so we can reuse the same zones. If you prefer
to change the names, you can make new zones or simply rename the existing ones.

1. Navigate to the Network tab.

2. Open Zones from the left pane.
3. Proceed to open the trust zone objects and change the Type to Layer3, then click OK. Repeat this for the untrust zone.

(/t5/custom/page/page-id/Register)

Labels

ACC (/t5/Featured-Articles/tkb-p/FeaturedArticles/label
API (/t5/Featured-Articles/tkb-p/FeaturedArticles/label

App-ID (/t5/Featured-Articles/tkb-p/FeaturedArticles/label

Authentication (/t5/Featured-Articles/tkb-p/FeaturedArticles/label
AutoFocus (/t5/Featured-Articles/tkb-p/FeaturedArticles/label

BrightCloud (/t5/Featured-Articles/tkb-p/FeaturedArticles/label
Cloud (/t5/Featured-Articles/tkb-p/FeaturedArticles/label

Configuration (/t5/Featured-Articles/tkb-p/FeaturedArticles/label
counters (/t5/Featured-Articles/tkb-p/FeaturedArticles/label

custom report (/t5/Featured-Articles/tkb-p/FeaturedArticles/label

dataplane (/t5/Featured-Articles/tkb-p/FeaturedArticles/label

dos_protection (/t5/Featured-Articles/tkb-p/FeaturedArticles/label
dotw (/t5/Featured-Articles/tkb-p/FeaturedArticles/label

Endpoint (/t5/Featured-Articles/tkb-p/FeaturedArticles/label
esm (/t5/Featured-Articles/tkb-p/FeaturedArticles/label

Next
(https://live.paloaltonetworks.com/t5/FeaturedArticles/Getting-Started-Layer-3-NAT-andDHCP/ta-p/66999/page/2/showcomments/true)

https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-Layer-3-NAT-and-...

11/6/2016

Getting Started: Layer 3, NAT, and DHCP - Live Community

Page 2 of 13
Contributors
(/t5/user/viewprofilepage/userid/7608)
reaper
(/t5/user/viewprofilepage/userid/7608)

(/t5/user/viewprofilepage/userid/27630)
editeur
(/t5/user/viewprofilepage/userid/27630)

Recommendations
Getting Started Layer 3, NAT,
and DHCP (/t5/FeaturedArticles/Getting-Started-Layer-3NAT-and-DHCP/ta-p/69072)
Getting Started: Layer 3
Subinterfaces (/t5/FeaturedArticles/Getting-Started-Layer-3Subinterfaces/ta-p/67395)
Getting Started: Layer 2
Interfaces (/t5/FeaturedArticles/Getting-Started-Layer-2Interfaces/ta-p/68229)
Don't worry if the interfaces box is empty after this changewe'll fix that in the next step.

2. Preparing the interfaces

1. Navigate to the Network tab.
2. OpenInterfaces fromthe left pane.We'll see our 2 VWire interfaces that are already connected to the internet but are currently
lacking zone configuration, due to the step above.
3. Start by opening ethernet1/1, which will be our external, or untrust, interface.

Getting Started: Firewall as a

PPPoE or DHCP Clien...
(/t5/Featured-Articles/GettingStarted-Firewall-as-a-PPPoE-orDHCP-Client/ta-p/106059)
Getting Started: Network
Address Translation (NAT)
(/t5/Featured-Articles/GettingStarted-Network-AddressTranslation-NAT/ta-p/116340)
Getting Started: Flow Basic
(/t5/Featured-Articles/GettingStarted-Flow-Basic/ta-p/72556)
Getting Started: VPN
(/t5/Featured-Articles/GettingStarted-VPN/ta-p/68931)

On the Interface Type dropdown, change Virtual Wire to Layer3.

https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-Layer-3-NAT-and-...

11/6/2016

Getting Started: Layer 3, NAT, and DHCP - Live Community

Page 3 of 13

Next, set the Virtual Router to default and the Security Zone to untrust.

Next we'll add an IP address to the interface.

1. Navigate to the IPv4 tab.
2. Click Add.
3. Enter the external IP address your ISP provided.

Click OK and proceed to ethernet1/2. Set the Interface to Layer3, Virtual Router to default and Security Zone to trust.

In the IPv4 tab, set the IP address of the interface to 10.0.0.1/24 and open the Advanced tab.

https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-Layer-3-NAT-and-...

11/6/2016

Getting Started: Layer 3, NAT, and DHCP - Live Community

Page 4 of 13

In this tab, we're going to set a Management Profile which will allow us to ping the interface, which might come in handy if we ever need
to troubleshoot internal network issues. In the Management Profile dropdown, click the Management Profile link:

For now, we will only allow the ping service on the interface.

Return to the interfaces page by clicking OKon the two configuration dialogs. The interfaces page should now look like this:

https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-Layer-3-NAT-and-...

11/6/2016

Getting Started: Layer 3, NAT, and DHCP - Live Community

Page 5 of 13

3. Configuring routing
Next, we need to make sure the firewall will be able to reach the Internet, so it will need a default gateway.
1. Navigate to the Network tab.
2. Open Virtual Routers fromthe left pane.
3. Open the default VR (virtual router).

This will bring up the configuration for the Virtual Router we will be using for our new Layer 3 interfaces. It is called a virtual router

because the firewall does not employ one single routing instance, but can have several, all bound to different interfaces. This allows for

routing instances to be very different from each other, and makes network segregation at the routing level possible. For now, we'll stick
to the one we have:

Add a static route.

1. Open Static Routes from the left pane.
2. Click Add to start a new route.

https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-Layer-3-NAT-and-...

11/6/2016

Getting Started: Layer 3, NAT, and DHCP - Live Community

Page 6 of 13

We'll set the destination to 0.0.0.0/0, which encompasses all IP subnets that are not connected to the firewall and the egress interface
to ethernet1/1 as this is the outside interface connected to the internet router. Lastly we'll set the router's IP address as the next hop.

4. Configuring DHCP
Our next step will be to enable a DHCP server on the trust interface so any users connecting to the network without a statically
configured IP address can get connected.

1. Navigate to the Network tab.

2. OpenDHCP fromthe left pane.
3. Click Add to start a new DHCP server configuration.

https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-Layer-3-NAT-and-...

11/6/2016

Getting Started: Layer 3, NAT, and DHCP - Live Community

Page 7 of 13

We'll set the interface to ethernet1/2 as this is the inside interface. To prevent duplicate IP addresses in the network in case someone

has set a static IP address configuration o their workstation, we can enable Ping IP when allocating new IP. This option sends a ping to

an IP address ready to be assigned a host. In case the ping receives a reply, the DHCP server chooses a different IP to assign and repeats
the step. We'll set the Lease to 1 day and the IP Pools to '10.0.0.50-10.0.0.250' to provide users with 201 IP addresses.

In the Options tab, we can configure which default gateway and DNS servers the clients receive when requesting a DHCP address. We
need to set the Gateway as 10.0.0.1 as this its the firewall's internal IP address. I've set the DNS servers as Google's 4.2.2.2 and 8.8.8.8
but you can set your own ISP's DNS servers:

https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-Layer-3-NAT-and-...

11/6/2016

Getting Started: Layer 3, NAT, and DHCP - Live Community

Page 8 of 13

Click OK to complete this bit and let's move to the last part where we configure NAT.

5. Configuring NAT
The last part of this setup is to configure Network Address Translation. This will make sure all internal hosts go out to the internet using
the firewall's external IP address as source. This is required as the private network (https://en.wikipedia.org/wiki/Private_network) IP

ranges 10.0.0.0/8 , 172.16.0.0/12 and 192.168.0.0/16 are not routed on the internet and can only be used on a private network behind
a NAT enabled gateway.

1. Navigate to the Policies tab.

2. Open NAT from the left pane.
3. Click Add to create a new NAT policy.

We'll give the NAT rule an easy-to-identify name:

Next we'll go to the Original Packet tab, where we'll set the source and destination zones and the destination interface.
1. Click Add to insert a new source zone.
2. Select the trust zone from the dropdown.
3. In the destination zone, choose untrust in the dropdown.
4. For the destination interface, set ethernet1/1, as this is the outside interface.
5. Leave everything else as is and move on to the Translated Packet tab.

https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-Layer-3-NAT-and-...

11/6/2016

Getting Started: Layer 3, NAT, and DHCP - Live Community

Page 9 of 13

Lastly, from the Translated Packet tab, we will configure the Source Address Translation.Set the Translation Type to Dynamic IP And

Portto ensure multiple internal clients can make simultaneous outbound connections hidden behind one IP address.

About the other options

Dynamic IPcomes in handy to hide a group of IP addresses behind another group of IP addresses of equal size. This can happen if
a connection is set up with a secondary network where IP addresses may overlap, or where routing to the LAN subnet is not
possible.
Static IP is usually set if a single host will have exclusive use of a NAT IP address.

As Address Type we'll choose to use the Interface Address

and select ethernet1/1

and select its configured IP address.

https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-Layer-3-NAT-and-...

11/6/2016

Getting Started: Layer 3, NAT, and DHCP - Live Community

Page 10 of 13

Click OK to complete the NAT configuration.

6. Cleanup and commit

One last step before we go ahead and commit this configuration is to remove the previously used Virtual Wire object.

Navigate to the Network tab and open Virtual Wires from the left pane. Once there, highlight the default-VWire and click Delete.

When the default-VWire is deleted, go ahead and commit the configuration.

7. Refresh client IP and ARP

https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-Layer-3-NAT-and-...

11/6/2016

Getting Started: Layer 3, NAT, and DHCP - Live Community

Page 11 of 13

We have now succesfully switched the firewall from virtual wire to Layer 3 deployment. One caveat to consider is that now the

interfaces are no longer acting as a bump-in-the-wirethey have their own MAC address and some clients. Potentially, the router may
need to have itsARP cache refreshed before the interfacescan succesfully communicate with the firewall.
On a windows host, this can be accomplished by starting a command prompt as administrator

and executing 'arp -d' to clear the ARP cache and 'ipconfig /renew' to obtain a DHCP lease from the new DHCP server.
C:\>arp -d
C:\>ipconfig /renew
Windows IP Configuration
Ethernet adapter lablan:
Connection-specific
IP Address. . . . .
Subnet Mask . . . .
Default Gateway . .

DNS
. .
. .
. .

Suffix
. . . .
. . . .
. . . .

.
.
.
.

:
: 10.0.0.50
: 255.255.255.0
: 10.0.0.1

I hope you enjoyed this article. Please feel free to leave any comments below!
Regards,

Tom Piens
If you've enjoyed this article, please also take a look at the follow-up articles:

I've unpacked my firewall and want to configure VLANs subinterfaces (/t5/Featured-Articles/Getting-Started-layer3subinterfaces/ta-p/67395)

Ive unpacked my firewall, but where are the logs? (/t5/Featured-Articles/Getting-Started-Logging/ta-p/67638)

Everyone's Tags:

default_route (/t5/tag/default_route/tg-p/board-id/FeaturedArticles) DHCP_lease (/t5/tag/DHCP_lease/tg-p/board-id/FeaturedArticles)

getting_started (/t5/tag/getting_started/tg-p/board-id/FeaturedArticles) gtsd (/t5/tag/gtsd/tg-p/board-id/FeaturedArticles)
nat (/t5/tag/nat/tg-p/board-id/FeaturedArticles)
View All (12)

(/t5/kudos/messagepage/board-id/FeaturedArticles/message-id/29/tab/all-users)

8 of 8 people found this article helpful.

Did you find this article helpful?

Yes (https://live.paloaltonetworks.com/t5/tkb/v2/articlepage.tkbmessageviewv2.helpfulnessratingdisplay.ratingenumerationdisplay.link:rating/rating-enum/1/rating-system/tkb_helpfulness/ratin

No (https://live.paloaltonetworks.com/t5/tkb/v2/articlepage.tkbmessageviewv2.helpfulnessratingdisplay.ratingenumerationdisplay.link:rating/rating-enum/0/rating-system/tkb_helpfulness/rating

https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-Layer-3-NAT-and-...

11/6/2016

Getting Started: Layer 3, NAT, and DHCP - Live Community

Page 12 of 13

Article Options
Hide Comments

Comments
by rick.wilkerson (/t5/user/viewprofilepage/user-id/9728)
on 02-14-2016 01:09 PM
Nice job, made it bite size for those starting.

Permalink (/t5/Featured-Articles/Getting-Started-Layer-3-NAT-and1 (/t5/kudos/messagepage/board-id/FeaturedArticles/message-id/102/tab/all-users)

DHCP/tac-p/72834#M102)

by TomDuong (/t5/user/viewprofilepage/user-id/37435)
on 04-18-2016 11:24 AM

Please add instructions for use case of when untrust interface, ethernet1/1, is configured as a DHCP client.
Permalink (/t5/Featured-Articles/Getting-Started-Layer-3-NAT-and1 (/t5/kudos/messagepage/board-id/FeaturedArticles/message-id/135/tab/all-users)
DHCP/tac-p/76625#M135)

by reaper (/t5/user/viewprofilepage/user-id/7608)
on 09-07-2016 05:15 AM

@TomDuong (/t5/user/viewprofilepage/user-id/37435) ask and ye shall receive! : getting started: firewall as a PPPoE or DHCP client
(/t5/Content-Queue/getting-started-firewall-as-a-PPPoE-or-DHCP-client/ta-p/106059)
Permalink (/t5/Featured-Articles/Getting-Started-Layer-3-NAT-and1 (/t5/kudos/messagepage/board-id/FeaturedArticles/message-id/250/tab/all-users)
DHCP/tac-p/111230#M250)

by amjadraja (/t5/user/viewprofilepage/user-id/48151)
3 weeks ago

Very Nice Job Reaper. It solved my problem... thanks a lot for sharing this post
Permalink (/t5/Featured-Articles/Getting-Started-Layer-3-NAT-and1 (/t5/kudos/messagepage/board-id/FeaturedArticles/message-id/296/tab/all-users)
DHCP/tac-p/119117#M296)

Latest Blogs

(http://www.paloaltonetworks.com) Weekly Recap 45

Events

Join Fuel @ Spark User Summits in NYC,

(https://live.paloaltonetworks.com/t5/Community- Toronto & London (2016)
Blog/Weekly-Recap-45/ba-p/123077)
(https://live.paloaltonetworks.com/t5/LiveHow do you like the NEW community -- in ...
Community-Events-Blog/Join-Fuel-SparkUser-Summits-in-NYC-Toronto-amp-LondonWeekly Recap 44
2016/ba-p/77319)
(https://live.paloaltonetworks.com/t5/CommunityBlog/Weekly-Recap-44/ba-p/121292)
Our roundtable reacts to PAN-OS 7.1 @ Ignite
Easier access -- in your language. Exper...

(https://live.paloaltonetworks.com/t5/Ignite2016-Blog/Our-roundtable-reacts-to-PANOS-7-1-Ignite/ba-p/77011)

Connect

(https://twitter.com/PALiveCommunity)
(https://www.youtube.com/channel/UCPRouch
(http://www.slideshare.net/PaloAlto

(https://www.linkedin.com/company/paloaltonetworks) (https://www.facebook.com/PaloAltoNetworks

New Live enhancements give you what you

want, faster, and in your preferred language
Jeff, Tom, Kim, and Joe react to Ignite ...
(https://live.paloaltonetworks.com/t5/CommunityBlog/New-Live-enhancements-give-youWhat happened @ Ignite, everyone knows
what-you-want-faster-and-in(https://live.paloaltonetworks.com/t5/Igniteyour/ba-p/121630)
2016-Blog/What-happened-Ignite-everyoneWe're releasing some significant improve...

knows/ba-p/76941)

More great pics from the cybersecurity c...

https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-Layer-3-NAT-and-...

11/6/2016

Getting Started: Layer 3, NAT, and DHCP - Live Community

Copyright 2007 - 2016 - Palo Alto Networks

Privacy Policy (https://www.paloaltonetworks.com/legal/privacy.html)

Page 13 of 13

Terms of Use (/t5/user/UserTermsOfServicePage)

(http://www.lithium.com/brandnation)

https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-Layer-3-NAT-and-...

11/6/2016