topic Re: Multiple Public IP's on External Interface in General Topics

Multiple Public IP's on External Interface

tohoken — Tue, 31 May 2011 04:43:47 GMT

All,

I apologize if this has been asked before but I couldn't find anything related to my specific question. I am a newbie when it comes to firewalls in general. We are going to be migrating from ISA to the PA firewall shortly and I have a question about public IP's assigned to the outside(untrust) interface. On the ISA we "attach" all the public IP addresses to the outside facing interface so ISA can "listen" and respond to traffic destined for that IP address. From my reading it appears the PA doesn't need to have all the public IP's assigned to the outside interface as it will respond based on the subnet mask. For example, if I assign x.x.x.2/28 to the outside interface it will respond to traffic destined for any IP address in that range, is that correct? If so, would there be an issue if our outside router is using x.x.x.1? Would that appear to be two devices responding to traffic on the same IP?

If the PA will respond to all IP's in the subnet, how do I go about forwarding traffic based on a certain public IP? For example, our OWA server uses x.x.x.3 and a totally different IP in the trusted network. I also have multiple webservers that have different public IP's within our assigned range. Our public DNS records direct traffic to those IP's.

Without explicitly being listed, will the PA respond to all public IP traffic based on the subnet? Do I then create static NAT rules to direct all inbound traffic based on which public IP the traffic is hitting?

Hope this makes sense. Like I said, I am coming from ISA where the configs are wizard driven so even a newbie can set that up. ISA also doesn't use inbound NAT the way PA does as it does a reverse proxy so inbound NAT is kinda foreign to me. Thanks for any help that can be provided.

Ken

Re: Multiple Public IP's on External Interface

rapoint_person — Tue, 31 May 2011 08:19:23 GMT

Well, you are almost right

Yes, the PAN-device can and must exist within the same subnet as your default gateway (Palo IP *.2 vs default gw IP *.1). No, it doesn't "listen" to all available public IP's (proxy-arp for those IPs in the public subnet). It does however proxy-arp (listen) for for those IP's where you explicitly create NAT-policies.

You can create NAT-policies by having loads of IP's on your public (internet facing) interface. Another, more practical approach would be to have address book entries for both the public and private IP of the servers/hosts you wan't to NAT between. Example:

OWA_Pub = 195.x.y.5/32

OWA_Priv = 10.x.y.5/32

NAT policy to access OWA could look like:

From: Untrust_Zone To: Untrust_Zone From: ANY (IP) To: OWA_Pub NAT: Destination OWA_Priv

Security Policy could look like:

From: Untrust_Zone To: Trust_Zone From: ANY (IP) To: OWA_Pub Action: Allow

Re: Multiple Public IP's on External Interface

tohoken — Tue, 31 May 2011 15:21:18 GMT

Thanks for the information. That is exactly what I needed. So the PA will only "listen", proxy-arp, on the public IP's I have a NAT policy. This is the piece that I was missing.

Ken

Re: Multiple Public IP's on External Interface

migration — Tue, 07 Jun 2011 10:02:57 GMT

If we all were started with NetFilter....and not with something wizard-based everything firewall related would be much more clear 🙂

Re: Multiple Public IP's on External Interface

Quinton — Thu, 03 May 2012 08:26:53 GMT

Let's say for example you do not NAT (i.e. IP forwarding). How would one go about loading multiple IP's on a single ethernet port?

Re: Multiple Public IP's on External Interface

Quinton — Sat, 26 May 2012 12:25:34 GMT

Sorry my question was answered in another post.

https://live.paloaltonetworks.com/thread/4963