Getting Started - Layer3, NAT, DHCP

54 minutes
Video Description

Before we get started, I'll outline a few things that may be different in your network that you'll want to note. In the examples below, my ISP has assigned me an internet IP subnet, which I want to start using on the untrust interface of the firewall instead of on the router. To achieve this, NAT will need to be disabled, and possibly some other settings changed. As the steps will vary depending on several factors, you may need some assistance from your ISP to reconfigure your router. Using a public IP range is not absolutely necessary; you can simply keep using the IP range your ISP provided. Please note these parameters for your network:

  • My router's IP will be:

  • My firewall's IP will be:

  • My firewall's internal IP will be:

  • My client's DHCP range will be:

### 1. Preparing the zones

To get started, we'll first reconfigure the zones we're currently using for our Virtual Wire so we can reuse them. If you prefer different names, you can create new zones or simply rename the existing ones.

  1. Navigate to the Network tab.

  2. Open Zones from the left pane.

  3. Open the trust zone object and change the Type to Layer3, then click OK. Repeat this for the untrust zone.

Don't worry if the Interfaces box is empty after this change; we'll fix that in the next step.

### 2. Preparing the interfaces

  1. Navigate to the Network tab.

  2. Open Interfaces from the left pane. We'll see our two VWire interfaces, which are already connected to the internet but currently lack a zone configuration because of the step above.

  3. Start by opening ethernet1/1, which will be our external, or untrust, interface.

In the Interface Type dropdown, change Virtual Wire to Layer3. Next, set the Virtual Router to default and the Security Zone to untrust. Then we'll add an IP address to the interface:

  1. Navigate to the IPv4 tab.

  2. Click Add.

  3. Enter the external IP address your ISP provided.

Click OK and proceed to ethernet1/2. Set the Interface Type to Layer3, the Virtual Router to default and the Security Zone to trust. In the IPv4 tab, set the IP address of the interface to the firewall's internal IP you noted above, then open the Advanced tab. In this tab, we're going to set a Management Profile, which will allow us to ping the interface; this might come in handy if we ever need to troubleshoot internal network issues. In the Management Profile dropdown, click the Management Profile link. For now, we will only allow the ping service on the interface. Return to the Interfaces page by clicking OK on the two configuration dialogs.

### 3. Configuring routing

Next, we need to make sure the firewall will be able to reach the Internet, so it will need a default gateway.

  1. Navigate to the Network tab.

  2. Open Virtual Routers from the left pane.

  3. Open the default VR (virtual router).

This will bring up the configuration for the Virtual Router we will be using for our new Layer 3 interfaces. It is called a virtual router because the firewall does not employ one single routing instance but can have several, each bound to different interfaces. This allows routing instances to be very different from each other and makes network segregation at the routing level possible. For now, we'll stick to the one we have and add a static route:

  1. Open Static Routes from the left pane.

  2. Click Add to start a new route.

We'll set the destination to 0.0.0.0/0, which encompasses all IP subnets that are not connected to the firewall, and the egress interface to ethernet1/1, as this is the outside interface connected to the internet router. Lastly, we'll set the router's IP address as the next hop.
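To make the routing decision concrete, here is an added example (not part of the tutorial or of PAN-OS itself) that models a virtual router's static routing table with longest-prefix matching. The addresses are constructed lab values: 198.51.100.2/28 on ethernet1/1 with an upstream router at 198.51.100.1, 10.0.0.1/24 on ethernet1/2, and a second, isolated virtual router to show how separate routing instances segregate traffic.

```python
# Added example: a minimal model of the static-routing decision a virtual
# router makes. Connected subnets are more specific than the 0.0.0.0/0
# default route, so they win; everything else follows the default route
# out of ethernet1/1 towards the upstream router. Not PAN-OS code.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    destination: ipaddress.IPv4Network
    interface: str
    nexthop: Optional[ipaddress.IPv4Address]  # None means a connected subnet


class VirtualRouter:
    """One routing instance. A firewall can run several, each owning
    different interfaces, so their tables never mix."""

    def __init__(self, name: str):
        self.name = name
        self.routes: list[Route] = []

    def add_connected(self, interface: str, interface_ip: str) -> None:
        # strict=False derives the subnet from the interface address,
        # e.g. 10.0.0.1/24 becomes the connected route 10.0.0.0/24.
        net = ipaddress.ip_network(interface_ip, strict=False)
        self.routes.append(Route(net, interface, None))

    def add_static(self, destination: str, interface: str, nexthop: str) -> None:
        self.routes.append(
            Route(ipaddress.ip_network(destination), interface, ipaddress.ip_address(nexthop))
        )

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match: the most specific matching route wins."""
        ip = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if ip in r.destination]
        if not matches:
            return None
        return max(matches, key=lambda r: r.destination.prefixlen)


def build_default_vr() -> VirtualRouter:
    # Assumed lab addressing (constructed for this example).
    vr = VirtualRouter("default")
    vr.add_connected("ethernet1/1", "198.51.100.2/28")
    vr.add_connected("ethernet1/2", "10.0.0.1/24")
    vr.add_static("0.0.0.0/0", "ethernet1/1", "198.51.100.1")
    return vr


def build_isolated_vr() -> VirtualRouter:
    # A second routing instance with no default route: hosts behind it
    # cannot reach the internet through this firewall at all.
    vr = VirtualRouter("lab-isolated")
    vr.add_connected("ethernet1/3", "192.168.50.1/24")
    return vr


def egress(vr: VirtualRouter, dst: str) -> tuple[str, str]:
    """Return (interface, next hop) for a packet to dst; 'direct' means the
    destination sits on a connected subnet, 'discard' means no route."""
    r = vr.lookup(dst)
    if r is None:
        return ("discard", "no route")
    return (r.interface, "direct" if r.nexthop is None else str(r.nexthop))


if __name__ == "__main__":
    for dst in ("10.0.0.77", "198.51.100.1", "203.0.113.9"):
        print(dst, "->", egress(build_default_vr(), dst))
    print("isolated VR to internet ->", egress(build_isolated_vr(), "203.0.113.9"))
```

The lookup shows why the order of route entries in the GUI does not matter: the /24 and /28 connected routes always beat the /0 default route for their own subnets, and the default route only catches what nothing else claims.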

### 4. Configuring DHCP

Our next step will be to enable a DHCP server on the trust interface so any users connecting to the network without a statically configured IP address can get connected.

  1. Navigate to the Network tab.

  2. Open DHCP from the left pane.

  3. Click Add to start a new DHCP server configuration.

We'll set the interface to ethernet1/2, as this is the inside interface. To prevent duplicate IP addresses in the network in case someone has configured a static IP address on their workstation, we can enable Ping IP when allocating new IP. With this option, the DHCP server pings an address before assigning it to a host; if the ping receives a reply, the server chooses a different IP and repeats the check. We'll set the Lease to 1 day and the IP Pools to the client DHCP range you noted above, which in my case provides users with 201 IP addresses.

In the Options tab, we can configure which default gateway and DNS servers the clients receive when requesting a DHCP address. We need to set the Gateway to the firewall's internal IP address. I've set the DNS servers to Google's public DNS servers, but you can set your own ISP's DNS servers. Click OK to complete this part, and let's move to the last part, where we configure NAT.
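The following is an added example, not code from the tutorial or from the firewall, that models the pool behaviour described above: a 10.0.0.50 to 10.0.0.250 range (201 addresses, a constructed lab value), a one-day lease, and the "Ping IP when allocating new IP" check, which skips any candidate address that answers a probe. The `probe` callback stands in for the firewall's ping; in the demo it simply consults a constructed set of hosts that were given static addresses.

```python
# Added example: a DHCP pool allocator with a ping-before-assign check.
# Not the firewall's implementation; it models the behaviour the tutorial
# describes so the effect of the option can be seen on sample input.
import ipaddress
from typing import Callable, Optional

LEASE_SECONDS = 24 * 60 * 60  # the tutorial's 1-day lease


class DhcpPool:
    def __init__(self, first: str, last: str, probe: Callable[[str], bool]):
        # probe(ip) returns True when something already answers on that
        # address; this stands in for the firewall's ping check.
        start = int(ipaddress.IPv4Address(first))
        end = int(ipaddress.IPv4Address(last))
        self.addresses = [str(ipaddress.IPv4Address(n)) for n in range(start, end + 1)]
        self.probe = probe
        self.leases: dict[str, tuple[str, int]] = {}  # mac -> (ip, expires_at)
        self.skipped: set[str] = set()  # addresses that answered a probe

    def size(self) -> int:
        return len(self.addresses)

    def allocate(self, mac: str, now: int) -> Optional[str]:
        """Reuse the client's unexpired lease, otherwise hand out the first
        free address that does not answer a ping. None when exhausted."""
        lease = self.leases.get(mac)
        if lease is not None and lease[1] > now:
            return lease[0]
        # Drop expired leases so their addresses return to the pool.
        self.leases = {m: l for m, l in self.leases.items() if l[1] > now}
        in_use = {ip for ip, _ in self.leases.values()}
        for ip in self.addresses:
            if ip in in_use:
                continue
            if self.probe(ip):
                self.skipped.add(ip)  # a statically configured host is there
                continue
            self.leases[mac] = (ip, now + LEASE_SECONDS)
            return ip
        return None


def demo() -> dict:
    # Constructed scenario: a workstation was given 10.0.0.50 statically,
    # inside the pool range, without telling anyone.
    static_hosts = {"10.0.0.50"}
    pool = DhcpPool("10.0.0.50", "10.0.0.250", probe=lambda ip: ip in static_hosts)
    first = pool.allocate("aa:bb:cc:00:00:01", now=0)
    second = pool.allocate("aa:bb:cc:00:00:02", now=0)
    renewed = pool.allocate("aa:bb:cc:00:00:01", now=3600)  # still within lease
    # Same pool without the ping check: the first client collides with the static host.
    naive = DhcpPool("10.0.0.50", "10.0.0.250", probe=lambda ip: False)
    without_check = naive.allocate("aa:bb:cc:00:00:01", now=0)
    return {
        "size": pool.size(),
        "first": first,
        "second": second,
        "renewed": renewed,
        "skipped": sorted(pool.skipped),
        "without_check": without_check,
        "collision_without_check": without_check in static_hosts,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check only protects against hosts that answer ping; a static host behind a host firewall that drops ICMP would still collide, which is why the tutorial treats the option as a safety net rather than a substitute for keeping static addresses outside the pool.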

### 5. Configuring NAT

The last part of this setup is to configure Network Address Translation. This will make sure all internal hosts go out to the internet using the firewall's external IP address as their source. This is required because the private network IP ranges (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) are not routed on the internet and can only be used on a private network behind a NAT-enabled gateway.

  1. Navigate to the Policies tab.

  2. Open NAT from the left pane.

  3. Click Add to create a new NAT policy.

We'll give the NAT rule an easy-to-identify name. Next we'll go to the Original Packet tab, where we'll set the source and destination zones and the destination interface.

  1. Click Add to insert a new source zone.

  2. Select the trust zone from the dropdown.

  3. In the destination zone, choose untrust from the dropdown.

  4. For the destination interface, set ethernet1/1, as this is the outside interface.

  5. Leave everything else as is and move on to the Translated Packet tab.

Lastly, from the Translated Packet tab, we will configure the Source Address Translation. Set the Translation Type to Dynamic IP And Port to ensure multiple internal clients can make simultaneous outbound connections hidden behind one IP address. About the other options:

  • Dynamic IP comes in handy to hide a group of IP addresses behind another group of IP addresses of equal size. This can be useful if a connection is set up with a secondary network where IP addresses may overlap, or where routing to the LAN subnet is not possible.

  • Static IP is usually set if a single host will have exclusive use of a NAT IP address.

As Address Type we'll choose Interface Address, select ethernet1/1, and select its configured IP address. Click OK to complete the NAT configuration.
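To show what distinguishes the three translation types, here is an added example (not from the tutorial, and not how PAN-OS implements NAT internally) that models each one on a few constructed flows. The external address 198.51.100.2 and the 203.0.113.x pool addresses are constructed values; the translated-port sequence is sequential purely for readability.

```python
# Added example: models of Dynamic IP And Port (hide NAT), Dynamic IP
# (one-to-one from a pool of equal size) and Static IP (fixed one-to-one).
# Illustrative only; not the firewall's own data structures.
from itertools import count
from typing import Optional

EXTERNAL_IP = "198.51.100.2"  # assumed untrust interface address (constructed)


class DynamicIpAndPort:
    """Hide NAT: every outbound flow becomes (external IP, unique port), and a
    session table maps that port back to the client so replies can return."""

    def __init__(self, external_ip: str, first_port: int = 1024):
        self.external_ip = external_ip
        self._ports = count(first_port)  # sequential for illustration only
        self.sessions: dict[tuple[str, int], tuple[str, int]] = {}

    def translate(self, src_ip: str, src_port: int) -> tuple[str, int]:
        translated = (self.external_ip, next(self._ports))
        self.sessions[translated] = (src_ip, src_port)
        return translated

    def untranslate(self, dst_ip: str, dst_port: int) -> Optional[tuple[str, int]]:
        # Reply traffic arrives for (external IP, translated port).
        return self.sessions.get((dst_ip, dst_port))


class DynamicIp:
    """One-to-one: each source address borrows one address from a pool and
    keeps its port. With more clients than pool addresses, the rest fail."""

    def __init__(self, pool: list[str]):
        self._free = list(pool)
        self.mapping: dict[str, str] = {}

    def translate(self, src_ip: str, src_port: int) -> Optional[tuple[str, int]]:
        if src_ip not in self.mapping:
            if not self._free:
                return None  # pool exhausted
            self.mapping[src_ip] = self._free.pop(0)
        return (self.mapping[src_ip], src_port)


class StaticIp:
    """A single host has exclusive use of one NAT address."""

    def __init__(self, src_ip: str, nat_ip: str):
        self.src_ip = src_ip
        self.nat_ip = nat_ip

    def translate(self, src_ip: str, src_port: int) -> Optional[tuple[str, int]]:
        if src_ip != self.src_ip:
            return None  # rule does not apply to other hosts
        return (self.nat_ip, src_port)


def demo() -> dict:
    # Constructed flows: three LAN clients that happen to use the same source port.
    clients = [("10.0.0.51", 40000), ("10.0.0.52", 40000), ("10.0.0.53", 40000)]

    hide = DynamicIpAndPort(EXTERNAL_IP)
    hide_out = [hide.translate(ip, port) for ip, port in clients]
    reply = hide.untranslate(EXTERNAL_IP, hide_out[1][1])  # reply for the 2nd client

    one_to_one = DynamicIp(["203.0.113.10", "203.0.113.11"])  # pool smaller than client count
    one_to_one_out = [one_to_one.translate(ip, port) for ip, port in clients]

    static = StaticIp("10.0.0.10", "203.0.113.20")
    static_out = [static.translate("10.0.0.10", 443), static.translate("10.0.0.51", 443)]

    return {"hide": hide_out, "reply": reply, "one_to_one": one_to_one_out, "static": static_out}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because the hide-NAT session table is keyed on the translated port, the three clients sharing source port 40000 never collide, which is exactly why Dynamic IP And Port is the right choice when only the interface address is available.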

### 6. Cleanup and commit

One last step before we commit this configuration is to remove the previously used Virtual Wire object. Navigate to the Network tab and open Virtual Wires from the left pane. Once there, highlight the default-VWire and click Delete. When the default-VWire is deleted, go ahead and commit the configuration.

### 7. Refresh client IP and ARP

We have now successfully switched the firewall from Virtual Wire to a Layer 3 deployment. One caveat to consider is that the interfaces are no longer acting as a bump-in-the-wire: they now have their own MAC addresses, so some clients, and potentially the router, may need to have their ARP cache refreshed before they can successfully communicate with the firewall. On a Windows host, this can be accomplished by starting a command prompt as administrator and executing 'arp -d' to clear the ARP cache and 'ipconfig /renew' to obtain a DHCP lease from the new DHCP server.

```
C:\>arp -d
C:\>ipconfig /renew

Windows IP Configuration

Ethernet adapter lablan:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . :
        Subnet Mask . . . . . . . . . . . :
        Default Gateway . . . . . . . . . :
```

Video Transcription
Hi. This is Tommy from the community, and in this video, the third in the Getting Started series, we're going to take a look at Layer 3, NAT and DHCP.

In the previous installment I covered how to set up your management interface, prepare your licenses, download updates and create your first security policy. So if you haven't seen that video yet, please pause this one and go take a look at that one first, as it might be helpful in continuing into this one.

Let's first take a look at our setup. The last time we were using a virtual wire, which meant that the external IP address would be used on the inside by our clients. Now we're going to be setting up the firewall in Layer 3. It's going to have an external IP address using the IP range provided to you by your ISP and an internal IP address in the private address space.

So one of the first things we'll need to do is prepare our interfaces, set up NAT and add routing.

The first thing we're going to do is change our security zones so we can reuse them. We already have a security policy that we installed last time. So if you go to Network and Zones, you'll see that these are assigned to the virtual wire. So the first thing we're going to do is go into trust, change the type to Layer 3, then change the untrust zone to Layer 3. Now they're usable for Layer 3 interfaces.

Next, we go to the interfaces and change them into Layer 3. Right now, they're both still virtual wires. So interface 1 is going to be our external interface. So we change this into Layer 3. Virtual router, we're going to set as default; I'll cover that in a minute. And then security zone is going to be untrust. In the IPv4 tab, we can change the IP address. So we're going to change that to 198.51.100, uh, .2/28, and then we're going to repeat that step for interface 2. So we're going to change this into a Layer 3 interface. We're going to set this to the default virtual router and add it to the trust zone, and in IPv4 here this is going to be 10.0.0.1/24, and also in the Advanced tab we're going to create a management profile. This is going to allow us to ping the interface in case we need to do some troubleshooting.

The next step is going to be to configure the virtual router over here, and the initial one is called default, but you can rename it into whatever you need. Plus, you can create additional virtual routers, which allows you to have multiple routing tables assigned to specific interfaces, segregating these interfaces from each other. Right now, we'll just stick to this single one since we only have two interfaces, and we're going to create a default route, which your firewall is going to need to get out to the Internet. So we're going to name it default. The destination is going to be 0.0.0.0/0, which basically means everything that you don't have connected locally or have a different route for, send it out to this next hop. Interface is going to be ethernet1/1, because that's the Internet-facing interface. The next hop will be an IP address. You can set routing to a different virtual router, or discard, or you can do some other stuff. Right now we're going to focus on a simple default gateway, which is the IP address of the router upstream.

Next up, we're going to configure DHCP, which will allow our clients connected to the local network to receive an IP address automatically. We're going to set the DHCP server to interface 2, which is the trust side. Mode: maybe a little explanation here. Enabled will mean that the DHCP service is always on, disabled is going to turn it off, and auto is going to allow it to detect if a different DHCP server is on your network. Say, for example, you have a Windows server that's acting as a DHCP server. It's not a good idea to have two DHCP servers serving the same network. So having this set to auto mode will make sure that the firewall is going to be able to turn off its DHCP server in case it detects a different DHCP server.

Uh, the IP pool we're going to be using here is going to be 10.0.0.50 to 10.0.0.250. We're going to enable Ping IP when allocating new IP addresses, which will allow the firewall to send out a ping request before assigning an IP address from its pool. This will prevent any duplicate IP addresses on the network.

In the Options, we're going to be able to set a default gateway for your clients, which is going to be the address of the firewall. The subnet mask is going to correspond to the segment configured on the internal interface of the firewall. The primary DNS, in my case, that's going to be an Internet DNS server, because I don't have an internal one. If you do have a Windows DNS server or something similar, you might want to put your own DNS servers here. You can also put in any WINS or NTP servers that you require. If you like, you can also add some custom DHCP options.

Before we forget, we'll also need to delete the old virtual wire. We're not going to need it anymore, so we can delete it.

The last thing we need to do is create a NAT policy, which will ensure that our clients on the local area network will be able to talk to the Internet. This is because your external interface is using an external IP address that is routed through the Internet, and the local area network is using a private IP range that won't be routed on the Internet.

So we're going to start and create a policy. We'll name it "our NAT". The original packet is going to be sourced from the trust zone. It's going to go out to untrust, and the destination interface is going to be interface 1. We're not going to filter on any services. And since this is a small and simple network, we're not going to filter on source or destination IP. This is what you can do if you have multiple local area networks and want to split up your NAT rules.

The destination: since this is going to be hide NAT, which will hide all your internal clients behind one single external IP address, that being the one from the firewall, we're going to pick Dynamic IP and Port. We're going to change this to interface address, that's ethernet1/1, and then this is its IP address. Click OK and commit this change.

After this commit finishes, you'll be able to connect all your clients and they'll be able to go out to the Internet using your new Layer 3 configuration. Thanks for watching. I hope you enjoyed this video. Please feel free to leave a comment and stay tuned for the next episode.