Saturday, January 30, 2021

Lab 3 - Extending Connectivity to Internet (continuation of LAB 2)

In LAB 2 we used Palo Alto Layer 2 interfaces to control traffic between VLANs that share a single IP subnet. Now we want to extend that design so that PC1, PC2 and PC3 can also reach the ISP router, which means giving the bridged VLANs a routed exit through a Layer 3 VLAN interface on the firewall.


Diagram


Interface Config 


L3 Vlan 


Zones 


Vlans



Virtual Routers



The L2 switch configuration is the same as in LAB 2.

 

On PC1, PC2 and PC3 add a default route pointing to the firewall's Layer 3 VLAN interface (192.168.0.1).
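As an added example (this is not a screenshot from the original lab and not Palo Alto's own documentation), here are the PAN-OS set commands that add the routed exit on top of the LAB 2 configuration. It assumes the LAB 2 objects exist under the names VLAN object LAN-BRIDGE and Layer 2 zones VLAN100, VLAN200 and VLAN300; that the ISP-facing interface is ethernet1/1 with an assumed address 203.0.113.2/30 and ISP next hop 203.0.113.1; and that the single LAN subnet is 192.168.0.0/16 (the post only gives the gateway 192.168.0.1). Zone name LAN-L3, rule names and the virtual router name "default" are also assumptions.

```panos
# PAN-OS configure mode. Assumed names: VLAN object LAN-BRIDGE and L2 zones
# VLAN100/VLAN200/VLAN300 from LAB 2, zones LAN-L3 and Untrust, VR "default",
# LAN subnet 192.168.0.0/16, outside 203.0.113.2/30, ISP next hop 203.0.113.1.

# Layer 3 VLAN interface: the default gateway the PCs point at (192.168.0.1).
set network interface vlan units vlan.1 ip 192.168.0.1/16

# Bind vlan.1 to the existing VLAN object so frames from the bridged VLANs
# can reach the gateway MAC without leaving the firewall.
set network vlan LAN-BRIDGE virtual-interface interface vlan.1

# vlan.1 is a Layer 3 interface, so it needs a Layer 3 zone and a virtual router.
set zone LAN-L3 network layer3 vlan.1
set network interface ethernet ethernet1/1 layer3 ip 203.0.113.2/30
set zone Untrust network layer3 ethernet1/1
set network virtual-router default interface [ vlan.1 ethernet1/1 ]
set network virtual-router default routing-table ip static-route default-to-isp destination 0.0.0.0/0
set network virtual-router default routing-table ip static-route default-to-isp interface ethernet1/1
set network virtual-router default routing-table ip static-route default-to-isp nexthop ip-address 203.0.113.1

# Policy: a packet that arrives on a Layer 2 sub-interface and is routed via
# vlan.1 is normally classified with the Layer 2 zone it arrived on as the
# source zone, so the rule is written from the VLAN zones, not from LAN-L3.
# Check the source zone shown in the traffic log after the first test ping and
# adjust the rule if the firewall reports LAN-L3 instead.
set rulebase security rules VLANs-to-Internet from [ VLAN100 VLAN200 VLAN300 ] to Untrust source any destination any application any service application-default action allow
set rulebase security rules VLANs-to-Internet log-end yes

# Source NAT behind ethernet1/1, needed only if the ISP router has no route
# back to 192.168.0.0/16.
set rulebase nat rules LAN-SNAT from [ VLAN100 VLAN200 VLAN300 ] to Untrust source any destination any service any source-translation dynamic-ip-and-port interface-address interface ethernet1/1

commit
```

Nothing in this change opens the inbound direction: there is still no rule from Untrust, so the interzone-default deny keeps the ISP side from initiating sessions towards the PCs.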


Verification

PC1#ping 5.5.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/3 ms

PC1#ping 192.168.20.100 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.20.100, timeout is 2 seconds:
...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 97 percent (97/100), round-trip min/avg/max = 1/1/9 ms

The three lost packets at the start of the second test are the usual warm-up (ARP resolution and MAC learning along the path); every packet after that succeeds, so the VLAN-to-VLAN path from LAB 2 is still intact after adding the routed exit.





Friday, January 29, 2021

LAB 2 - Layer 2 Single IP Subnet with Multiple VLANs and Rewriting VLAN Tags

As the diagram below shows, a single IP subnet spans multiple VLANs. Using Palo Alto Layer 2 interface mode the firewall bridges those VLANs, rewriting the 802.1Q tag as a frame moves from one VLAN's sub-interface to another's, and applies security policy to the traffic between them without routing it and without holding an IP address of its own.

Diagram


Interfaces config 


Zone Config.



Vlan Config.



Security Policy 

In the security policy below, the ping application is allowed from VLAN 100 to VLAN 200 and VLAN 300. There is no rule in the other direction: the firewall's session table lets the echo replies for a PC1-initiated ping return, but a ping initiated from VLAN 200 or VLAN 300 towards VLAN 100 matches no allow rule and hits the implicit interzone deny.


L2 Switch Config

eth0/0 is the trunk interface towards the firewall.

eth0/1, eth0/2 and eth0/3 are access ports, one per VLAN.
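As an added example that is not one of the original post's screenshots, here is the firewall side of this lab as PAN-OS set commands. The physical port facing the switch trunk is assumed to be ethernet1/2 (the post does not name it); the zone names, the VLAN object name LAN-BRIDGE and the rule name are assumptions too. The VLAN tags 100, 200 and 300 and the allowed application (ping) come from the lab.

```panos
# PAN-OS configure mode. Assumed: the switch trunk lands on ethernet1/2,
# zones VLAN100/VLAN200/VLAN300, VLAN object LAN-BRIDGE.

# Layer 2 sub-interfaces, one per 802.1Q tag on the single trunk.
set network interface ethernet ethernet1/2 layer2 units ethernet1/2.100 tag 100
set network interface ethernet ethernet1/2 layer2 units ethernet1/2.200 tag 200
set network interface ethernet ethernet1/2 layer2 units ethernet1/2.300 tag 300

# One VLAN object (a bridge) holding all three sub-interfaces. A frame that
# enters ethernet1/2.100 and is switched out ethernet1/2.200 leaves with tag 200,
# which is the "rewriting VLAN tags" in the title. No IP address, no routing.
set network vlan LAN-BRIDGE interface [ ethernet1/2.100 ethernet1/2.200 ethernet1/2.300 ]

# A separate Layer 2 zone per VLAN, otherwise intrazone-default would allow
# everything between the VLANs and the policy below would never be consulted.
set zone VLAN100 network layer2 ethernet1/2.100
set zone VLAN200 network layer2 ethernet1/2.200
set zone VLAN300 network layer2 ethernet1/2.300

# Security policy: only ping, only initiated from VLAN 100. Replies return via
# the session table; a ping started from VLAN 200 or 300 towards VLAN 100
# matches no allow rule and is dropped by interzone-default.
set rulebase security rules VLAN100-ping-out from VLAN100 to [ VLAN200 VLAN300 ] source any destination any application ping service application-default action allow
set rulebase security rules VLAN100-ping-out log-end yes

# Log the implicit interzone deny so the failed PC2 -> PC1 ping shows up in the traffic log.
set rulebase default-security-rules rules interzone-default log-end yes

commit
```

After committing, the failing ping from PC2 should appear in Monitor > Traffic with rule interzone-default and action deny, which is the check that confirms the policy, rather than a cabling or VLAN mistake, is what blocks the reverse direction.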


Verification

Ping from PC1 (192.168.10.100) to PC2 (192.168.20.100): succeeds, as allowed by the policy.

Ping from PC2 (192.168.20.100) to PC1 (192.168.10.100): fails, because no rule allows VLAN 200 to initiate traffic towards VLAN 100.




-------------------------------------------------- ---------------END-----------------------------------------------------------------------------





Thursday, January 28, 2021

Lab 1 - Intervlan Routing in Palo Alto Firewall.

On a Palo Alto firewall, inter-VLAN routing is done with a Layer 3 interface carrying 802.1Q sub-interfaces, one per VLAN. Each sub-interface holds that VLAN's default gateway address, and the firewall routes between them and applies security policy on the way.

As shown in the diagram below:

eth1/1 is the egress interface facing the Internet

eth1/2 is the ingress interface facing the LAN (the trunk towards the L2 switch)



Configuration of Zone


Configuration of VR


Configuration of Interfaces looks like -


L2 Switch configuration

On the L2 switch:

! Trunk towards the firewall. Set the encapsulation before forcing trunk mode:
! on switches whose default encapsulation is "negotiate", "switchport mode trunk"
! is rejected until dot1q is selected.
interface Ethernet0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk

! Access ports, one VLAN per PC (IOS creates the VLAN if it does not exist yet)
interface Ethernet0/1
 switchport mode access
 switchport access vlan 100

interface Ethernet0/2
 switchport mode access
 switchport access vlan 200

interface Ethernet0/3
 switchport mode access
 switchport access vlan 300

Configuration on PC1, PC2 and PC3 (IOS routers used as hosts)

PC1

interface Ethernet0/0
 ip address 192.168.10.100 255.255.255.0
 no shutdown
! default gateway is the firewall sub-interface eth1/2.100
ip route 0.0.0.0 0.0.0.0 192.168.10.1

PC2

interface Ethernet0/0
 ip address 192.168.20.100 255.255.255.0
 no shutdown
! default gateway is the firewall sub-interface eth1/2.200
ip route 0.0.0.0 0.0.0.0 192.168.20.1

PC3

interface Ethernet0/0
 ip address 192.168.30.100 255.255.255.0
 no shutdown
! default gateway is the firewall sub-interface eth1/2.300 (VLAN 300 on the same LAN trunk)
ip route 0.0.0.0 0.0.0.0 192.168.30.1
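As an added example (not a screenshot from the original lab and not Palo Alto's documentation), the firewall side of this lab expressed as PAN-OS set commands, entered in configure mode. Interface names, VLAN tags and gateway addresses are the ones given above; the zone names LAN and Untrust, the virtual router name "default", the outside address 203.0.113.2/30, the ISP next hop 203.0.113.1 and the rule names are assumptions for illustration.

```panos
# PAN-OS configure mode. Assumed names/addresses: zones LAN and Untrust,
# VR "default", outside address 203.0.113.2/30, ISP next hop 203.0.113.1.

# Internet-facing Layer 3 interface (eth1/1, egress)
set network interface ethernet ethernet1/1 layer3 ip 203.0.113.2/30

# LAN-facing Layer 3 sub-interfaces on eth1/2, one per 802.1Q tag.
# Each carries the default gateway the matching PC points at.
set network interface ethernet ethernet1/2 layer3 units ethernet1/2.100 tag 100
set network interface ethernet ethernet1/2 layer3 units ethernet1/2.100 ip 192.168.10.1/24
set network interface ethernet ethernet1/2 layer3 units ethernet1/2.200 tag 200
set network interface ethernet ethernet1/2 layer3 units ethernet1/2.200 ip 192.168.20.1/24
set network interface ethernet ethernet1/2 layer3 units ethernet1/2.300 tag 300
set network interface ethernet ethernet1/2 layer3 units ethernet1/2.300 ip 192.168.30.1/24

# Zones. All three VLANs share one zone here, so the built-in intrazone-default
# rule allows VLAN-to-VLAN traffic with no explicit rule. Give each sub-interface
# its own zone instead if inter-VLAN traffic has to be policed.
set zone LAN network layer3 [ ethernet1/2.100 ethernet1/2.200 ethernet1/2.300 ]
set zone Untrust network layer3 ethernet1/1

# Virtual router: attach every L3 interface and add the default route to the ISP.
set network virtual-router default interface [ ethernet1/1 ethernet1/2.100 ethernet1/2.200 ethernet1/2.300 ]
set network virtual-router default routing-table ip static-route default-to-isp destination 0.0.0.0/0
set network virtual-router default routing-table ip static-route default-to-isp interface ethernet1/1
set network virtual-router default routing-table ip static-route default-to-isp nexthop ip-address 203.0.113.1

# Security policy: LAN out to the Internet only. Nothing is allowed from
# Untrust, so the interzone-default deny covers the inbound direction.
set rulebase security rules LAN-to-Internet from LAN to Untrust source any destination any application any service application-default action allow
set rulebase security rules LAN-to-Internet log-end yes

# Source NAT behind eth1/1, needed only if the ISP router has no routes back
# to 192.168.10.0/24, 192.168.20.0/24 and 192.168.30.0/24.
set rulebase nat rules LAN-SNAT from LAN to Untrust source any destination any service any source-translation dynamic-ip-and-port interface-address interface ethernet1/1

commit
```

The sub-interface tags must match the VLAN IDs carried on the switch trunk (100, 200, 300); a mismatch shows up as the PC resolving no ARP for its gateway rather than as a policy drop, so check "show arp" on the firewall before looking at the traffic log.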

Verification 

From PC1, ping 5.5.5.5, the loopback on the ISP router.






Tuesday, January 19, 2021

GRE (Generic Routing Encapsulation)

GRE is used to build a logical point-to-point connection over an untrusted or intermediate network. On its own GRE provides neither confidentiality nor integrity: whoever controls the transit network can read and alter everything inside the tunnel, which is why GRE is usually wrapped in IPsec when the transit network is public.

Why do we need GRE?

There are infrastructures where the transit network cannot meet the requirement by itself: it may have no routing information for the addresses on the far side, or it may not carry multicast or broadcast. In such cases we can make use of GRE.

Private addresses used at the remote site can be routed across the intermediate network because GRE encapsulates the original packet inside a new outer IP header; at the far end the packet is decapsulated and routed on its original header.

Because the tunnel carries multicast, the hello messages of a routing protocol reach the remote side through the GRE tunnel, so dynamic routing can run between the sites.

Use case?

Establishing connectivity between two sites over a public network such as the Internet.

In that scenario GRE creates a logical tunnel between the two sites. A packet destined for the remote network is encapsulated in a new IP header plus a GRE header, adding 24 bytes of overhead (a 20-byte IPv4 header and a 4-byte GRE header, when the optional GRE checksum, key and sequence-number fields are not used). That overhead also lowers the usable MTU inside the tunnel (1476 bytes on a 1500-byte link), so the tunnel MTU and TCP MSS clamping should be set to match.

 

 

 

 

In the diagram above, the GRE tunnel is set up between Firewall 1 and Firewall 2.

Packet Capture

When R2 (host IP 192.168.3.2) pings R4 (host IP 192.168.2.2):

R2 has a default route that sends the traffic to the firewall's ETH2 (192.168.3.1).

The firewall does a route lookup for the destination IP 192.168.2.2.

It finds the static route for network 192.168.2.0 pointing to Tunnel1.

Tunnel1 encapsulates the packet; on this platform a tunnel interface uses GRE encapsulation by default, so no further tunnel mode configuration is needed.

GRE adds a 24-byte header: a 20-byte outer IP header and a 4-byte GRE header.

As shown in the screenshot below, the ICMP echo request sits behind the original IP header with source IP 192.168.3.2 and destination 192.168.2.2.

At the tunnel interface a 4-byte GRE header (protocol type 0x0800, meaning the payload is IPv4) and a 20-byte outer IP header with source IP 1.1.1.1 and destination IP 2.2.2.1 are added.

The firewall then does a second route lookup, this time for the outer destination address, and sends the encapsulated packet out the matching egress interface. The remote firewall reverses the process: it strips the outer IP and GRE headers and routes the original packet to 192.168.2.2.
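The post does not name the firewall platform behind this capture. As an added example, and not the configuration that produced the screenshot, here is Firewall 1's side of the same tunnel as PAN-OS set commands, since the rest of this blog uses Palo Alto (GRE tunnel objects exist from PAN-OS 9.0). The addresses 1.1.1.1 (local outside), 2.2.2.1 (peer outside), 192.168.3.0/24 (local LAN) and 192.168.2.0/24 (remote LAN) come from the post; the interface and zone names, the tunnel-interface address 10.0.0.1/30, the ISP next hop 1.1.1.254 and the route and rule names are assumptions. Unlike the platform described above, PAN-OS does not make a tunnel interface GRE by default: tunnel.1 has to be bound to a GRE tunnel object explicitly.

```panos
# PAN-OS 9.0+ configure mode, Firewall 1. Assumed: outside ethernet1/1 = 1.1.1.1/24,
# inside ethernet1/2 = 192.168.3.1/24 (the "FW ETH2" above), zones Untrust/Inside/GRE,
# tunnel.1 = 10.0.0.1/30, ISP next hop 1.1.1.254, VR "default".
# Firewall 2 mirrors this with 2.2.2.1 as local and 1.1.1.1 as peer.

set network interface ethernet ethernet1/1 layer3 ip 1.1.1.1/24
set network interface ethernet ethernet1/2 layer3 ip 192.168.3.1/24
set zone Untrust network layer3 ethernet1/1
set zone Inside network layer3 ethernet1/2

# Tunnel interface: the logical next hop the inner packet is routed into.
set network interface tunnel units tunnel.1 ip 10.0.0.1/30
set zone GRE network layer3 tunnel.1

# GRE tunnel object: outer header source/destination, bound to tunnel.1.
# The local ip must be an address already configured on that interface.
set network tunnel gre GRE-to-FW2 local-address interface ethernet1/1 ip 1.1.1.1/24
set network tunnel gre GRE-to-FW2 peer-address ip 2.2.2.1
set network tunnel gre GRE-to-FW2 tunnel-interface tunnel.1
set network tunnel gre GRE-to-FW2 ttl 64

set network virtual-router default interface [ ethernet1/1 ethernet1/2 tunnel.1 ]

# Static route for the remote LAN pointing at the tunnel interface (the first
# lookup above); the second lookup, for outer destination 2.2.2.1, then follows
# the default route out ethernet1/1.
set network virtual-router default routing-table ip static-route to-site2 destination 192.168.2.0/24
set network virtual-router default routing-table ip static-route to-site2 interface tunnel.1
set network virtual-router default routing-table ip static-route default-to-isp destination 0.0.0.0/0
set network virtual-router default routing-table ip static-route default-to-isp interface ethernet1/1
set network virtual-router default routing-table ip static-route default-to-isp nexthop ip-address 1.1.1.254

# The inner (decapsulated) traffic is still subject to security policy between
# the Inside zone and the GRE zone, in both directions.
set rulebase security rules site-to-site from [ Inside GRE ] to [ Inside GRE ] source any destination any application any service application-default action allow
set rulebase security rules site-to-site log-end yes

# GRE gives no confidentiality: anyone on the path between 1.1.1.1 and 2.2.2.1
# can read the inner 192.168.x.x packets. Use an IPsec tunnel instead, or run
# IPsec over this one, if the transit network is not trusted.
commit
```

If the traffic log shows the gre application being denied between Untrust and Untrust after the commit, add a rule allowing application gre from the peer address to the firewall's outside address; whether that rule is required depends on the PAN-OS version, so treat it as something to verify rather than assume.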

 



Below is the image showing the GRE header (4 bytes) and the outer IP header (20 bytes) being added.



 

Upgrading Code on Cisco ASR 1001-X Router

Hi guys, we will see what needs to be done to do a code upgrade on Cisco ASR 1001-X Routers. 1. Check your current OS, command to check tha...