https://live.paloaltonetworks.com/t5/general-topics/multiple-ips-on-public-facing-interface/m-p/596#M458 <HTML><HEAD></HEAD><BODY><P>VWIRE is funny when you start to think how you can use it <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>Otherwise if you have a public iprange assigned to you by your ISP you usually use a rfc1918 network as linknet between you and your ISP and the ISP will then route your public range to your private ip address of your router/firewall.</P><P></P><P>Like so (example):</P><P></P><P>interface:</P><P>You: 10.0.0.1/30</P><P>ISP: 10.0.0.2/30</P><P></P><P>routing:</P><P>ISP: x.x.x.x/x nexthop 10.0.0.1</P><P>You: 0.0.0.0/0 nexthop 10.0.0.2 (default route)</P></BODY></HTML> Thu, 01 Nov 2012 07:37:14 GMT mikand 2012-11-01T07:37:14Z https://live.paloaltonetworks.com/t5/general-topics/multiple-ips-on-public-facing-interface/m-p/592#M454 <HTML><HEAD></HEAD><BODY><P>We have a number of IPs assigned by our ISP.&nbsp; I have been told that I can set incoming NAT rules for the IP addresses even if they are not "assigned" to the public facing interface.&nbsp; Is that accurate?</P><P></P><P>Thanks,</P><P>Bob</P></BODY></HTML> Tue, 30 Oct 2012 00:41:13 GMT https://live.paloaltonetworks.com/t5/general-topics/multiple-ips-on-public-facing-interface/m-p/592#M454 BobW 2012-10-30T00:41:13Z https://live.paloaltonetworks.com/t5/general-topics/multiple-ips-on-public-facing-interface/m-p/593#M455 <HTML><HEAD></HEAD><BODY><P>Yes, you can use NAT even in VWIRE mode.</P><P></P><P>The NAT is just to manipulate the srcip and/or dstip (along with srcport and/or dstport) of a packet before it gets further in the process-chain.</P><P></P><P>In order for this to work the packet must obivously be sent through your PA device and the PA device must have something to trigger on (for example if dstip=1.1.1.1 then change dstip to 2.2.2.2).</P></BODY></HTML> Tue, 30 Oct 2012 06:40:26 GMT https://live.paloaltonetworks.com/t5/general-topics/multiple-ips-on-public-facing-interface/m-p/593#M455 mikand 2012-10-30T06:40:26Z https://live.paloaltonetworks.com/t5/general-topics/multiple-ips-on-public-facing-interface/m-p/594#M456 <HTML><HEAD></HEAD><BODY><P>Yes, Bob, your ISP is correct is the short answer. What I would do as a starting point is to look at the IP addresses and subnet mask they have given you. Work out the size of the subnet they have allocated you and all the possible IPs in that block. Discount the network and broadcast addresses, then make a note of the IP in the block you're using for your main firewall interface and then the IP they have give you as a gateway. Whatever IPs left should be free for you to use, assuming they've not used any more and not told you.</P><P></P><P>You can then create policy objects with IPs from the range and then create NAT rules to forward the traffic into your network. Once the NAT rule is in place, the firewall will automatically respond to traffic destined for that IP. No extra configuration is required at the interface level.</P><P></P><P>Your NAT rule would be something like:</P><P></P><P>Soure Zone: Internet</P><P>Dest Zone: Internet</P><P>Source Address: Any</P><P>Dest Address: [policy object with ext ip you want to use]</P><P>Service: Any</P><P>Source Trans: None</P><P>Dest Tran: [policy object of internal device using internal IP]</P><P></P><P>The source and destination zone both being Internet / Untrust is the bit that can trip people up. It's because from the point of view of the external user they are making contact with you an external, public IP and technically they don't know it's destination is internal or going to get NAT'd.</P><P></P><P>Hope that all makes sense!</P><P></P><P>UKRB. <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></P></BODY></HTML> Wed, 31 Oct 2012 11:49:00 GMT https://live.paloaltonetworks.com/t5/general-topics/multiple-ips-on-public-facing-interface/m-p/594#M456 UKRB 2012-10-31T11:49:00Z https://live.paloaltonetworks.com/t5/general-topics/multiple-ips-on-public-facing-interface/m-p/595#M457 <HTML><HEAD></HEAD><BODY><P>Thanks for your replies.&nbsp; It makes more sense when I look at the packet flow process.&nbsp; So really I don't need any external IP addresses at all!</P><P>Bob</P></BODY></HTML> Wed, 31 Oct 2012 21:23:31 GMT https://live.paloaltonetworks.com/t5/general-topics/multiple-ips-on-public-facing-interface/m-p/595#M457 BobW 2012-10-31T21:23:31Z https://live.paloaltonetworks.com/t5/general-topics/multiple-ips-on-public-facing-interface/m-p/596#M458 <HTML><HEAD></HEAD><BODY><P>VWIRE is funny when you start to think how you can use it <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>Otherwise if you have a public iprange assigned to you by your ISP you usually use a rfc1918 network as linknet between you and your ISP and the ISP will then route your public range to your private ip address of your router/firewall.</P><P></P><P>Like so (example):</P><P></P><P>interface:</P><P>You: 10.0.0.1/30</P><P>ISP: 10.0.0.2/30</P><P></P><P>routing:</P><P>ISP: x.x.x.x/x nexthop 10.0.0.1</P><P>You: 0.0.0.0/0 nexthop 10.0.0.2 (default route)</P></BODY></HTML> Thu, 01 Nov 2012 07:37:14 GMT https://live.paloaltonetworks.com/t5/general-topics/multiple-ips-on-public-facing-interface/m-p/596#M458 mikand 2012-11-01T07:37:14Z