How to configure multiple vlans to go through a layer 3 firewall interface

Posted on 2014-09-04
2,040 Views
Last Modified: 2015-05-22
Hi there,
I am currently in the process of breaking one big corporate VLAN into 3 smaller ones and am having issues with internet connectivity in my lab.

I am using an HP Layer 3 core that will support the 3 corporate VLANs as follows:

vlan 10: Building 1 - vlan-interface10 - 172.19.0.1/16 (current)
vlan 20: Building 2 - vlan-interface20 - 172.20.0.1/16 (future)
vlan 30: Building 3 - vlan-interface30 - 172.30.0.1/16 (future)

The core has a Palo Alto firewall off of a vlan 10 access port that all internet traffic currently passes through.
Its address is 172.19.0.10. The DHCP server is also on vlan 10 and has scopes for all 3 VLANs (which are working).

All the LAN routing on the core is simple directly attached routes, as everything comes back to the core's vlan-interfaces.

I can't seem to get vlan 20 or 30 to connect to the internet after adding a static 0.0.0.0/0 next-hop 172.19.0.10 route. VLAN 10 works fine.

If I am routing all internet traffic through 172.19.0.10, will it get NATed properly going through a VLAN 10 access port to the firewall's LAN (trust) interface?

Another thing is that I can ping the firewall LAN interface from vlan 10 but not from the other VLANs, but I'm not sure if that is just a security rule.

I've read about using sub-interfaces, or using a physical interface on the Palo Alto for each VLAN and putting them all in the same security zone.

Any ideas of how I should do this?

Question by:Graycon
10 Comments
 
LVL 10

Expert Comment

by:Schuyler Dorsey
ID: 40305200
So if you want the layer 3 interface of a VLAN to be the PAN instead of your core router, then you need to do sub-interfaces on the PAN and tag the sub-interfaces for those VLANs. This approach would separate your 3 VLANs by the firewall, so they would have to go through the firewall to get to each other.

Do you want to separate your 3 segments by the firewall, or just have 3 separate VLANs?

Also, do you have IP routing enabled on your core switch?
0
 

Author Comment

by:Graycon
ID: 40305208
Right now my 3 VLANs can ping each other (and hosts) through layer 3 routing using vlan-interfaces. Basically I am just hanging the firewall off of one of the layer 2 VLAN 10 access ports. The firewall port itself has an IP address in the same subnet as the vlan 10 network.

I was hoping that by adding the static default route to the core that directs all internet traffic to the firewall IP, it would work. No luck. All addresses coming from that firewall port out the external WAN port are supposed to be NATed, but because the source IP is in a different subnet than that firewall port's subnet, maybe it doesn't work.

I'd like to keep my core doing the routing between VLANs, and I think the HP switches are enabled for routing already.
0
 
LVL 3

Accepted Solution

by:
MIRSYS earned 1000 total points
ID: 40305366
You need to add routes to the firewall as well.
When the fw receives the 20 and 30 packets it doesn't know where to reply to.
0
 
LVL 3

Expert Comment

by:MIRSYS
ID: 40305367
Also, you would need to tell the firewall that VLANs 20 and 30 are trusted ranges as well.
And the ping not working is probably a security rule, or because the fw does not know where to route the reply.
0
 
LVL 10

Assisted Solution

by:Schuyler Dorsey
Schuyler Dorsey earned 1000 total points
ID: 40305688
As MIRSYS says... try these things:

1. In the virtual router of the PAN, add two more static routes. Example:
Destination 172.20.0.1/16 next hop *switch vlan 10 ip*

2. Create a security rule which allows a ping from the internal zone TO the internal zone (same zone, as an explicit deny causes it to block intra-zone traffic).

3. If you want to ping the internal interface of the PAN, it needs a mgmt profile which allows ping attached to the internal interface.
0
 

Author Comment

by:Graycon
ID: 40306058
Thanks guys, I'll give the static routes a try.
0
 
LVL 12

Expert Comment

by:Bryant Schaper
ID: 40306335
A diagram may help too. We use a PAN for our network, and behind it we have probably 100 subnets. We use static routes as well to get back, and the internal router handles the next hop over learned BGP routes.
0
 
LVL 18

Expert Comment

by:Akinsd
ID: 40306649
Check that all the addresses are included in the translations.
Some engineers use object-network for NAT translations, some use the interface, some use an access list (though uncommon). If you are using object-network, confirm that the 20 and 30 networks are included. Interface includes everything going through it.

Confirm return routes exist on the firewall as mentioned above (by MIRSYS).
A route to 172.0.0.0 0 through 172.19.0.1 should do the trick.

Run a tracert from a PC to the internet, e.g. 4.2.2.2, to determine if the path is routed as desired.

Check NAT translations to confirm the addresses are translated correctly.
0
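The return-routing problem behind the accepted solution, Schuyler Dorsey's static-route step and Akinsd's return-route check, as an added illustration (not code from the thread, from Palo Alto or from HP): a longest-prefix lookup over the firewall's routing table before and after the static routes for vlan 20 and 30 are added. The subnets and 172.19.0.1 are from the thread; the interface names and the ISP next hop 203.0.113.1 are assumed placeholders.

```python
from ipaddress import ip_address, ip_network

# Route entries: (prefix, next_hop or None for directly connected, egress interface).
# Interface names and the ISP next hop 203.0.113.1 are constructed placeholders;
# the subnets and the core's vlan 10 address 172.19.0.1 are the ones from the thread.
TRUST, UNTRUST = "ethernet1/2 (trust)", "ethernet1/1 (untrust)"

BEFORE = [
    ("172.19.0.0/16", None, TRUST),          # vlan 10, directly connected
    ("0.0.0.0/0", "203.0.113.1", UNTRUST),  # default route to the ISP
]

# Static routes from the accepted/assisted solutions: send vlan 20 and 30
# back to the core's vlan 10 address, which routes between the VLANs.
AFTER = BEFORE + [
    ("172.20.0.0/16", "172.19.0.1", TRUST),
    ("172.30.0.0/16", "172.19.0.1", TRUST),
]


def lookup(table, dst):
    """Longest-prefix match; returns (prefix, next_hop, egress) or None."""
    addr = ip_address(dst)
    best = None
    for prefix, next_hop, egress in table:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, egress)
    return None if best is None else (str(best[0]), best[1], best[2])


def reply_is_symmetric(table, client_ip):
    """A LAN client reaches the firewall through the trust port; the reply
    must leave through that same port or the session never gets back to it."""
    route = lookup(table, client_ip)
    return route is not None and route[2] == TRUST


if __name__ == "__main__":
    for label, table in (("before", BEFORE), ("after", AFTER)):
        for client in ("172.19.4.20", "172.20.4.20", "172.30.4.20"):
            print(label, client, lookup(table, client),
                  "symmetric" if reply_is_symmetric(table, client) else "reply leaks to untrust")
```

Before the fix, replies to vlan 20 and 30 clients match only the default route and are sent out the untrust side, which is why only vlan 10 worked.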
 

Author Closing Comment

by:Graycon
ID: 40319692
Thanks guys. The static routes on the PAN worked!
0
 

Expert Comment

by:SteveMartens
ID: 40792234
This just solved my problem as well, thanks for the solutions!
0