topic Is it possible to use public IPs on the same subnet on different interfaces? in General Topics

Is it possible to use public IPs on the same subnet on different interfaces?

asia — Wed, 16 Feb 2011 17:54:42 GMT

Hello,

We want to use inbound NAT in different VSYS on a PAN 4020 device. The question is, is it possible to use adresses(mip equivalent on netscreen devices) from the same subnet on different phisycal interfaces in different vsys? On netscreen devices we must split adresses in different subnets and make routing on network routers behind the firewall, is the same condition present on Palo Alto devices or we can make it work without this kind of segmentation.

Thank you for your answers.

Regrd's.

Re: Is it possible to use public IPs on the same subnet on different interfaces?

reaper — Thu, 17 Feb 2011 12:42:06 GMT

yes this is possible, but it requires a separate virtual router per physical interface in the same subnet.

Since you are working with multiple vsys you will already have a separate VR from the one that holds the original IP subnet, so you can create an interface in the same subnet as the first VR

regards

Tom

Re: Is it possible to use public IPs on the same subnet on different interfaces?

brownn — Mon, 04 Jul 2011 20:31:30 GMT

Hi,

Along the same lines as this is it ok to have 2 seperate vrouters (same vsys), each with an interface attached to the same subnet and with the interfaces assigned the same zone?

Many thanks

Re: Is it possible to use public IPs on the same subnet on different interfaces?

bryan — Wed, 06 Jul 2011 04:25:19 GMT

Hello,

As far as whether or not this is possible, yes. You can create (2) unique VR's within the same vsys (assigning each physical L3 interface to their designated VR's), assign IP's to each of the L3 interfaces on the same subnet, with both interfaces (seperate VR's) assigned to the same zone. (as long as the IP's do not conflict as the PAN will not allow you to commit).

As far as functionality/expected behavior, I'd suggest implementing/experimenting with this configuration in a test environment.

Regards,

Bryan

Re: Is it possible to use public IPs on the same subnet on different interfaces?

brownn — Wed, 06 Jul 2011 15:29:43 GMT

Thanks bryan,

I assumed it was possible as well but when I tried it an incoming service that was dst NAT'd broke and I have yet to figure out why. There was a gap in the log traffic until I had removed the changes so basically the Palo was not seeing the incoming traffic from the Internet for this particular service. The only thing I could think of was that maybe the Palo started to proxy-arp out of the new interface hence pulling traffic into the wrong vrouter. It was just a theory and not one I can prove without breaking the environment again at the moment! I need to schedule an out-of-hours change to try again.

Re: Is it possible to use public IPs on the same subnet on different interfaces?

bsanders — Mon, 24 Oct 2011 20:50:48 GMT

Hi,

We have built a similar config, but on 1 vsys with 4 ip adresses in one subnet on the public interface.

At first we were only able to configure this using the primary IP with a /29 subnet and the other 3 IP adresses with a /32 subnetmask.

Not the cleanest configuration of course. Eventually we found out that it is possible to configure just one IP address with /29 and just configure the other adresses using the NAT configuration.

This seems to work perfectly fine. Probably not a direct answer, but it might push others in the right direction.

Best regards,

Bas Sanders