<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Multiple external IP's and Global protect (Not NAT) in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/multiple-external-ip-s-and-global-protect-not-nat/m-p/1844#M1370</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi&lt;/P&gt;&lt;P&gt;I did a search on the forums for multiple IP's and found a lot of posts talking about how the Palo deals with multiple external IP's - i.e. if your ISP assigns you a /29 block and you need to NAT multiple applications into your network. So basically you pick one IP, load that on the Palo interface and then just do NAT. Palo will ARP for any additional IP's used in NAT rules without the need to load those additional IP's on the Palo interface. I would prefer to load the IP's on the interface regardless of NAT because then you can see which external IP's have been allocated to the Palo.&lt;/P&gt;&lt;P&gt;This post kinda touches on the need to have additional IP's loaded somewhere on the Palo, but it is not for NAT, it’s for Global Protect. How do I go about loading the additional external IP's from the /29 block on the Palo box to use in my Global Protect configuration? - i.e. I need one external IP for the gateway and another for the portal. Or what is the recommended way of setting this up?&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Fri, 25 May 2012 08:18:41 GMT</pubDate>
    <dc:creator>Quinton</dc:creator>
    <dc:date>2012-05-25T08:18:41Z</dc:date>
    <item>
      <title>Multiple external IP's and Global protect (Not NAT)</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/multiple-external-ip-s-and-global-protect-not-nat/m-p/1844#M1370</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi&lt;/P&gt;&lt;P&gt;I did a search on the forums for multiple IP's and found a lot of posts talking about how the Palo deals with multiple external IP's - i.e. if your ISP assigns you a /29 block and you need to NAT multiple applications into your network. So basically you pick one IP, load that on the Palo interface and then just do NAT. Palo will ARP for any additional IP's used in NAT rules without the need to load those additional IP's on the Palo interface. I would prefer to load the IP's on the interface regardless of NAT because then you can see which external IP's have been allocated to the Palo.&lt;/P&gt;&lt;P&gt;This post kinda touches on the need to have additional IP's loaded somewhere on the Palo, but it is not for NAT, it’s for Global Protect. How do I go about loading the additional external IP's from the /29 block on the Palo box to use in my Global Protect configuration? - i.e. I need one external IP for the gateway and another for the portal. Or what is the recommended way of setting this up?&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 25 May 2012 08:18:41 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/multiple-external-ip-s-and-global-protect-not-nat/m-p/1844#M1370</guid>
      <dc:creator>Quinton</dc:creator>
      <dc:date>2012-05-25T08:18:41Z</dc:date>
    </item>
    <item>
      <title>Re: Multiple external IP's and Global protect (Not NAT)</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/multiple-external-ip-s-and-global-protect-not-nat/m-p/1845#M1371</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi...You can load additional IPs onto the interface simply by adding them with a /32 mask to denote a single host. Here's an example of adding .2 and .3 to an existing interface.&lt;/P&gt;&lt;P&gt;For Global Protect, you can assign the IP/32 to a loopback interface. Thanks.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 25 May 2012 14:16:59 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/multiple-external-ip-s-and-global-protect-not-nat/m-p/1845#M1371</guid>
      <dc:creator>rmonvon</dc:creator>
      <dc:date>2012-05-25T14:16:59Z</dc:date>
    </item>
    <item>
      <title>Re: Multiple external IP's and Global protect (Not NAT)</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/multiple-external-ip-s-and-global-protect-not-nat/m-p/1846#M1372</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;I can directly select the interface and the 32-bit IP address (with .1/24, .2/32 and .3/32 assigned) in the GP settings window.&lt;/P&gt;&lt;P&gt;Which is better to use for GP, the direct interface or a loopback interface?&lt;/P&gt;&lt;P&gt;I want to know the specific reason why you answered using a loopback I/F.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 28 May 2012 05:55:28 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/multiple-external-ip-s-and-global-protect-not-nat/m-p/1846#M1372</guid>
      <dc:creator>emr_1</dc:creator>
      <dc:date>2012-05-28T05:55:28Z</dc:date>
    </item>
    <item>
      <title>Re: Multiple external IP's and Global protect (Not NAT)</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/multiple-external-ip-s-and-global-protect-not-nat/m-p/1847#M1373</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I think (just guessing) that using loopback would be better in Active/Active situations.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 28 May 2012 06:48:28 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/multiple-external-ip-s-and-global-protect-not-nat/m-p/1847#M1373</guid>
      <dc:creator>mikand</dc:creator>
      <dc:date>2012-05-28T06:48:28Z</dc:date>
    </item>
    <item>
      <title>Re: Multiple external IP's and Global protect (Not NAT)</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/multiple-external-ip-s-and-global-protect-not-nat/m-p/1848#M1374</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;You can use a loopback interface whenever you don't want to tie it to a physical port and to have more flexibility. You may be connected to several ISPs but don't want to assign an IP/32 to a port in case the port goes down. Using the loopback would allow the IP/32 to be reachable across all ports and not be affected by ports going up &amp;amp; down.&lt;/P&gt;&lt;P&gt;Thanks.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 29 May 2012 15:01:27 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/multiple-external-ip-s-and-global-protect-not-nat/m-p/1848#M1374</guid>
      <dc:creator>rmonvon</dc:creator>
      <dc:date>2012-05-29T15:01:27Z</dc:date>
    </item>
    <item>
      <title>Re: Multiple external IP's and Global protect (Not NAT)</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/multiple-external-ip-s-and-global-protect-not-nat/m-p/1849#M1375</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I know I'm reviving an old thread, but I figured I'd toss this tip in there too in case anyone else stumbles across this thread...&lt;/P&gt;&lt;P&gt;You can also build untagged subinterfaces off a main interface if for some reason you want your multiple assigned IP addresses to be in separate zones.&lt;/P&gt;&lt;P&gt;So you can have your main eth1/1 interface, and then have eth1/1.1 be in zone untrust1, eth1/1.2 be in zone untrust2, eth1/1.2 be in zone untrust3, etc.&lt;/P&gt;&lt;P&gt;The "untagged subinterface" part is so that you don't have to convert the interface to a trunk port - the subinterfaces are logically separate, but don't correlate to specific VLANs (which is the normal way one thinks of subinterfaces, e.g. on a router with a switch).&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 29 Jan 2013 22:09:33 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/multiple-external-ip-s-and-global-protect-not-nat/m-p/1849#M1375</guid>
      <dc:creator>ericgearhart</dc:creator>
      <dc:date>2013-01-29T22:09:33Z</dc:date>
    </item>
    <item>
      <title>Re: Multiple external IP's and Global protect (Not NAT)</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/multiple-external-ip-s-and-global-protect-not-nat/m-p/1850#M1376</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I cannot seem to duplicate this. I keep getting Operation Failed: units -&amp;gt; ethernet1/1.2 constraints failed : tag is required.&lt;/P&gt;&lt;P&gt;Am I missing a step somewhere? I would like to have a second external IP assigned on a sub-interface of eth 1/1 so that I can manage that traffic differently with an "Untrust-VPN" zone.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 04 Mar 2013 20:36:36 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/multiple-external-ip-s-and-global-protect-not-nat/m-p/1850#M1376</guid>
      <dc:creator>AIC_Admin</dc:creator>
      <dc:date>2013-03-04T20:36:36Z</dc:date>
    </item>
    <item>
      <title>Re: Multiple external IP's and Global protect (Not NAT)</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/multiple-external-ip-s-and-global-protect-not-nat/m-p/1851#M1377</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I found what I needed here for anyone who may need it as I did.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;A __default_attr="1884" __jive_macro_name="document" class="jive_macro jive_macro_document" href="https://live.paloaltonetworks.com/"&gt;&lt;/A&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 04 Mar 2013 20:56:38 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/multiple-external-ip-s-and-global-protect-not-nat/m-p/1851#M1377</guid>
      <dc:creator>AIC_Admin</dc:creator>
      <dc:date>2013-03-04T20:56:38Z</dc:date>
    </item>
  </channel>
</rss>

