https://live.paloaltonetworks.com/t5/general-topics/route-public-ip-range-through-shared-gateway/m-p/165059#M53131 <P>I would second the NAT option. &nbsp;Setup a private subnet for each group of web servers (on their own zones) and then just NAT the traffic. &nbsp;I would create a static by-directional NAT on the PA FW and then setup inbound Security Rules to only allow the inbound traffic to the servers on their proper protocol.</P> Thu, 06 Jul 2017 20:02:18 GMT davanderson 2017-07-06T20:02:18Z https://live.paloaltonetworks.com/t5/general-topics/route-public-ip-range-through-shared-gateway/m-p/164408#M53072 <P>Hi guys,</P><P>&nbsp;</P><P>I hope you can lend me a hand here.</P><P>&nbsp;</P><P>Our ISP finally allocated us a Public /25 (aa.bb.cc.0/25) subnet which will be routed via the&nbsp;existing /30 (xx.yy.zz.2/30) internet link that we have.</P><P>&nbsp;</P><P>We want to split it in half and use the Shared Gateway to route the traffic. The first half is for our webservers in VSYS1 . The other half is for office users who&nbsp;are in VSYS2, which is where we also want our Global Protect to terminate on.</P><P>&nbsp;</P><P>(Before I start breaking things apart)</P><P>&nbsp;</P><P>Q: Because we now have&nbsp;public IPs, should i&nbsp;continue to do all the NATs on the Shared Gteway,&nbsp;OR can I now use each VSYS to do the NAT'ing? We prefer the latter, but I'm not sure what else will break of what else to consider going down this path</P><P>&nbsp;</P><P>Thanks!</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 03 Jul 2017 21:16:18 GMT https://live.paloaltonetworks.com/t5/general-topics/route-public-ip-range-through-shared-gateway/m-p/164408#M53072 SeboDeMacho 2017-07-03T21:16:18Z https://live.paloaltonetworks.com/t5/general-topics/route-public-ip-range-through-shared-gateway/m-p/164579#M53078 <P>Hi,</P><P>&nbsp;</P><P>I guess having NATs in Shared gateway will be more appropriate. If you configure NAT on vsys, there will be routing considerations on the Shared gateway vsys.</P><P>&nbsp;</P><P>Here is an article for a bidirectional NAT involving shared gateway:&nbsp;<A href="https://live.paloaltonetworks.com/t5/Configuration-Articles/Configuring-Destination-NAT-using-a-VSYS-with-Shared-Gateway/ta-p/55187" target="_blank">https://live.paloaltonetworks.com/t5/Configuration-Articles/Configuring-Destination-NAT-using-a-VSYS-with-Shared-Gateway/ta-p/55187</A></P><P>&nbsp;</P><P>Please see if it helps. You can approach TAC if need any specific help.</P><P>&nbsp;</P><P>Best Regards,</P><P>Abhishek</P> Wed, 05 Jul 2017 03:00:20 GMT https://live.paloaltonetworks.com/t5/general-topics/route-public-ip-range-through-shared-gateway/m-p/164579#M53078 abjain 2017-07-05T03:00:20Z https://live.paloaltonetworks.com/t5/general-topics/route-public-ip-range-through-shared-gateway/m-p/165059#M53131 <P>I would second the NAT option. &nbsp;Setup a private subnet for each group of web servers (on their own zones) and then just NAT the traffic. &nbsp;I would create a static by-directional NAT on the PA FW and then setup inbound Security Rules to only allow the inbound traffic to the servers on their proper protocol.</P> Thu, 06 Jul 2017 20:02:18 GMT https://live.paloaltonetworks.com/t5/general-topics/route-public-ip-range-through-shared-gateway/m-p/165059#M53131 davanderson 2017-07-06T20:02:18Z