Our Community Forums will be closing on June 27, 2024. Please visit att.com/support for all your support needs.
canc000's profile

2 Messages

Thursday, June 13th, 2024 8:17 PM

Cascade routing mode?

Hello everyone. Hoping anyone can help.

I have seen posts in regards to Cascade mode, but figured, given all the networking variables, I would post mine here to get some thoughts/advice. I have read some documentation on Cascade mode vs IP-Passthrough and honestly the documentation seems dated and incomplete...at least what I found. I thought what I needed was IP-Passthrough, but after reading on here a bit, it seems like I might need Cascade mode to accomplish what I need.

Current situation:

ISP provides managed router service and a block of public addresses used for externally accessible websites.

These addresses are NATed in a Palo Alto firewall directly behind it which then go to those internal servers on 10.1.1.x/24.

Interface on ISP managed router is the Gateway at 10.1.1.1.

Palo Alto e1/1 interface assigned the first useable address in the public block.

Palo Alto e1/2 interface assigned LAN address of 10.1.1.2.

DHCP is handled by internal DHCP (DC) server.

Moving to AT&T on a BGW320-500 with a block on a /27 (76.x.x.x)

Ideally I was hoping to keep the same sort of configuration, but I'm just not sure if that's possible on this device.

Essentially, making the BGW the new gateway, but same network, so it can simply replace the current gateway and keep the same address at 10.1.1.1, putting everything on the same single LAN.

I have seen folks mentioning this is not possible as the BGW has to be on a different private LAN subnet than your internal LAN. Is that accurate?

What I need to accomplish is:

Assign the first new ATT useable public address to e1/1 on the Palo Alto firewall. (76.x.x.200)

Depending on answer to question above in regards to the BGW and private LAN subnet I may need to reconfigure e1/2 to be the new gateway address at 10.1.1.1 rather than 10.1.1.2 of the Palo Alto firewall.

Re-configure all NAT rules in Palo Alto for the 8 new ATT public IP addresses pointing to internal webservers at 10.1.1.x/24.

Disable DHCP in the BGW so it can continue to be handled by the internal DHCP server for addressing machines in 10.1.1.x/24.

Drawing:

Any help is much appreciated. Thanks

Accepted Solution

ACE - Expert

35.9K Messages

12 days ago

Your first problem is that AT&T's Gateway will not allow you to have a Private LAN space in 10.0.0.0/8. They've reserved that for their own CGNAT use and their Gateways will not let you configure it on a LAN. So, you'll have to use 172.16.0.0/12 or 192.168.0.0/16 for that instead of keeping it at 10.x.x.x.

After that, if your PA firewall will take care of the 1:1 NAT to the block, then yes, cascaded router sounds like exactly what you need.
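
The addressing constraints from the question and this answer, written as a planning check; this is an added example, not code from either poster or from AT&T. Assumptions: `203.0.113.192/27` is a constructed documentation-range stand-in for the elided 76.x.x.x block, the `192.168.1.0/24` gateway LAN and the `10.1.1.10`-`10.1.1.17` server addresses are constructed, and the inner LAN is assumed to stay on 10.1.1.0/24 behind the firewall as the asker plans.

```python
import ipaddress

# From the accepted answer: the gateway will not accept a LAN inside
# 10.0.0.0/8, so its LAN must come from 172.16.0.0/12 or 192.168.0.0/16.
GATEWAY_REJECTED = ipaddress.ip_network("10.0.0.0/8")
GATEWAY_ALLOWED = [ipaddress.ip_network("172.16.0.0/12"),
                   ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample data (see the assumptions in the lead-in).
PUBLIC_BLOCK = "203.0.113.192/27"
NAT_MAP = {f"203.0.113.{194 + i}": f"10.1.1.{10 + i}" for i in range(8)}


def check_plan(gateway_lan, inner_lan, public_block, nat_map):
    """Return a list of problems with a cascaded-router addressing plan."""
    gw = ipaddress.ip_network(gateway_lan)
    inner = ipaddress.ip_network(inner_lan)
    block = ipaddress.ip_network(public_block)
    usable = set(block.hosts())  # excludes network and broadcast addresses
    problems = []

    if gw.overlaps(GATEWAY_REJECTED):
        problems.append(f"gateway LAN {gw} is inside {GATEWAY_REJECTED}")
    elif not any(gw.subnet_of(net) for net in GATEWAY_ALLOWED):
        problems.append(f"gateway LAN {gw} is not in an allowed private range")
    if gw.overlaps(inner):
        problems.append(f"gateway LAN {gw} overlaps inner LAN {inner}")

    seen = set()
    for pub, priv in nat_map.items():
        pub_ip, priv_ip = ipaddress.ip_address(pub), ipaddress.ip_address(priv)
        if pub_ip not in usable:
            problems.append(f"{pub} is not a usable host in {block}")
        if priv_ip not in inner:
            problems.append(f"{priv} is outside inner LAN {inner}")
        if priv_ip in seen:
            problems.append(f"{priv} is the target of more than one 1:1 rule")
        seen.add(priv_ip)
    return problems


if __name__ == "__main__":
    # Original idea (gateway at 10.1.1.1 on the server LAN) vs. revised plan.
    for gw_lan in ("10.1.1.0/24", "192.168.1.0/24"):
        issues = check_plan(gw_lan, "10.1.1.0/24", PUBLIC_BLOCK, NAT_MAP)
        print(gw_lan, "->", issues or "no problems found")
```
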

2 Messages

12 days ago

Gotcha...thanks for the response.

I guess that means I will also need to reconfigure the e1/2 on the PA to now be the gateway address for my LAN at 10.1.1.1. This also leaves me with being unable to manage the BGW remotely unless I'm directly connected to it on the 192.168.x.x network. I'm starting to wonder if this device really isn't meant for business use and should be consumer only.

ACE - Expert

35.9K Messages

12 days ago

It's meant for consumer and "small business" use (whatever that means), for those who don't mind shared fiber, no choice of connecting devices, and very little to nothing in the way of SLAs, and have to have the least-expensive service possible.
