topic Re: Intial Setup Help in General Topics

Intial Setup Help

BRRABill — Sat, 16 Aug 2014 04:04:03 GMT

Hi everyone ... just bought a PA-200, and this is my first experience with this sort of device. A little bit of a learning curve!

I am moving from a Barracuda Link Balancer. This is my setup.

We have 5 public IP addresses, let's say for simplicity sake 173.61.106.10-14. ISP gateway is 173.61.106.1. We have FIOS and all 5 IPs come through 1 cable. The cable goes into a switch. One cable from the switch goes to the Barracuda. The Barracuda manages IPs .10 .11 .12 on it's WAN port. .13 goes to a Wifi device and .14 goes to our VOIP system.

We currently have traffic hitting all 3 public IPs on the Barracuda and being forwarded to our internal LAN. I'd like to keep this as-is.

Couple of questions, because I've gotten conflicting info from the support people I have talked to thus far.

1. Can you have multiple IP addresses on one interface, as I do above with the Barracuda? If so, could I get some basic advise on how to set that up? I've seen "use /32" and "use subinterface" and "you can't do that" on this discussion forum. I'm hoping to get the final answer!

I think if I get the basics of how that would work, that will get me to my next questions.

Thanks in advance!

Re: Intial Setup Help

pulukas — Sat, 16 Aug 2014 12:06:36 GMT

The conflicting answers are because of the nuances of the possible situations.

You can put multiple ip addresses on an interface but they cannot be in the same subnet.

In your situation it just appears that the Barracuda works differently than the Palo Alto. Instead of putting multiple same subnet ip addresses on an interface the Palo Alto and most other firewalls only put one. You then use nat and proxy arp to forward those addresses down to the ultimate server destinations.

You can start with this document to determine what type of nat is best for your scenario.

Understanding PAN-OS NAT

Re: Intial Setup Help

SDorsey — Sat, 16 Aug 2014 13:14:14 GMT

What I have done several times is put a single public ip on the physical interface, then I create a loopback interface which has all of the other /32 addresses. Then create your NAT policies.

You may be able to skip the loopback portion but I have better luck with doing it.

Re: Intial Setup Help

ajbool — Sat, 16 Aug 2014 18:30:30 GMT

Hi Steve,

You can have multiple IPs on an interface in the same subnet - but you don't seem to be able to do it from the GUI. (At least in 5.x - I've not tried in 6.x)

On the CLI; you can specify an additional IP (in the same subnet) on an interface as long as you do not specify any subnet mask.... (The GUI's validity checks ensures the slash of the subnet mask is specified - hence why you can't do this through the GUI.).

Here's an example from a live box,

set network interface ethernet ethernet1/1 layer3 units ethernet1/1.2 tag 2

set network interface ethernet ethernet1/1 layer3 units ethernet1/1.2 ip 10.20.1.254/18

set network interface ethernet ethernet1/1 layer3 units ethernet1/1.2 ip 10.20.1.1

set network interface ethernet ethernet1/1 layer3 units ethernet1/1.2 interface-management-profile PingAccess

It took a bit of frantic searching to get this working once; when I moved a LAN to a PA to find half the hosts on the LAN were using .254 for their gateway and the other half using .1!

Cheers,

aid

Re: Intial Setup Help

ajbool — Sat, 16 Aug 2014 18:33:06 GMT

Yeah, you can skip the loopbacks as if an IP address is specified in a NAT rule that is in the same subnet as one of the interfaces of the firewall; the firewall will automatically "proxy arp" for this IP address on that LAN.

Re: Intial Setup Help

BRRABill — Sat, 16 Aug 2014 20:34:18 GMT

Can I use subinterfaces?

I tried reaching out to support, and he had me make a "blank" interface ethernet 1/1 and then a subinterface 1.1 1.2 and 1.3

I'm also having an issue where I cannot get traffic back through my FIOS router because of an ARP issue. I think I have that one figured out, though.

Re: Intial Setup Help

BRRABill — Sat, 16 Aug 2014 20:35:31 GMT

Another question ... can I accomplish this with NAT?

The .10 is going to my desktops, and the .12 is going to a mail server.

My concern is down thee road when I need two things on port 80 (or whatever) that I cannot move.

Re: Intial Setup Help

pulukas — Sat, 16 Aug 2014 21:55:49 GMT

Sub-interfaces are what you use to connect the firewall to a switch trunk port with multiple vlans. This is the PA support for 802.1Q standard trunking. This would not be appropriate for your situation where all these address really are coming in from a single vlan on an untagged port.

Nat is the standard solution to the scenario you have where you want to take your carrier public addresses and forward either the entire address or selective ports to an internal address on your network.

One advantage of this method is that it is easy to change that server address down the road and the outside world never notices. they are still sending the same DNS entry and public address but the firewall simply changes the nat rule to hit a new server.

Re: Intial Setup Help

BRRABill — Sun, 17 Aug 2014 02:07:17 GMT

So with NAT policies on the PA-200 I can plug my FIOS cable into one of the ports and "listen" for all 5 public IPs on that cable?

Re: Intial Setup Help

SDorsey — Sun, 17 Aug 2014 03:32:25 GMT

Yes. And not just with the PAN200, that is how you would typically configure any perimeter firewall.

Re: Intial Setup Help

pulukas — Sun, 17 Aug 2014 11:07:53 GMT

BRRABill wrote:

So with NAT policies on the PA-200 I can plug my FIOS cable into one of the ports and "listen" for all 5 public IPs on that cable?

As mackwage says, nat is the standard procedure for this operation on any firewall. The process works via proxy-arp from the interface facing your carrier. When an interface has the address configured it will automatically respond to requests from the FIOS for that address. Proxy-arp is when an address is used by nat the interface configured with a different address responses for that address. So there is no need for that address to be configured on the interface facing your FIOS.

On the PA when you configure this type of nat rule in the same subnet as the FIOS interface the firewall will automatically take care of the proxy-arp. On other firewalls you may have to specify the interface and ip address you want a proxy-arp to occur.

Re: Intial Setup Help

ericgearhart — Mon, 18 Aug 2014 13:50:12 GMT

You can put mulitple /32s on an interface. Make the first IP you add have the correct subnet mask, and have all additional IPs have a /32. We do this today, right now, in production on our PAs.

Re: Intial Setup Help

ericgearhart — Mon, 18 Aug 2014 13:50:54 GMT

Steven - you have to add IPs to the interface in question, otherwise the interface itself won't ARP out for inbound traffic.

You can put mulitple /32s on an interface. Make the first IP you add have the correct subnet mask, and have all additional IPs have a /32. We do this today, right now, in production on our PAs.

Re: Intial Setup Help

SDorsey — Mon, 18 Aug 2014 13:53:54 GMT

You just had to go and disagree. Now I have to set it up in my lab and test for myself. Lol :smileylaugh:

Re: Intial Setup Help

BRRABill — Tue, 19 Aug 2014 02:03:24 GMT

Well, what did you find out?

Can you see why I am having issues getting this configured? LOL.

Re: Intial Setup Help

ericgearhart — Tue, 19 Aug 2014 13:19:58 GMT

It is confusing, because you could use untagged subinterfaces to achieve the same thing. So there's more than one way to do it, which presents confusion