https://live.paloaltonetworks.com/t5/general-topics/assign-secondary-public-ip-address/m-p/177333#M55318 <P>Hi Myasin,</P><P>&nbsp;</P><P>What might be a solution for you would be to created a loopback interface and assign it an IP. You can then add all your globalprotect (GP) configuration to this loopback.</P><P>&nbsp;</P><P>Then with a destination NAT rule you can say that traffic for your 2nd public IP will be destination NAT to your loopback for access to the GP portal/gateway. The device will proxy ARP for the 2nd public IP configurated on the NAT rule.</P><P>&nbsp;</P><P>These links to the documentation can explain more</P><P>&nbsp;</P><P>proxy ARP:</P><P><A href="https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/networking/nat-policy-rules#_60332" target="_blank">https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/networking/nat-policy-rules#_60332</A></P><P>&nbsp;</P><P>GP on loopback:</P><P><A href="https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-Global-Protect-Gateway-on-Loopback-Interface/ta-p/56866" target="_blank">https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-Global-Protect-Gateway-on-Loopback-Interface/ta-p/56866</A></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>hope this helps,</P><P>Ben</P> Mon, 18 Sep 2017 13:24:52 GMT bmorris1 2017-09-18T13:24:52Z https://live.paloaltonetworks.com/t5/general-topics/assign-secondary-public-ip-address/m-p/176864#M55244 <P>Hi</P><P>&nbsp;</P><P>I got a new internet connection through router, the firewall-router connection use private subnet, but I got a public subnet from provider which I will route to the firewall private IP.</P><P>Since I will configure SSL-VPN, then I have to assign the external firewall interface public IP address so users can access for SSL-VPN setup.</P><P>&nbsp;</P><P>Now can I configure a secondary IP address (public) for the external firewall interface (firewall-router link), so we can use this public IP for the SSL-VPN setup (is this secondary IP going to be reachable from internet, although the primary IP is private)?</P><P>&nbsp;</P><P>Thanks</P> Sun, 17 Sep 2017 16:09:28 GMT https://live.paloaltonetworks.com/t5/general-topics/assign-secondary-public-ip-address/m-p/176864#M55244 myasin 2017-09-17T16:09:28Z https://live.paloaltonetworks.com/t5/general-topics/assign-secondary-public-ip-address/m-p/176877#M55246 <P>I would love to have a crack at this but i just dont get it, perhaps post a doodle or hope someone cleverer than me is also unable to sleep.</P> Sun, 17 Sep 2017 19:48:10 GMT https://live.paloaltonetworks.com/t5/general-topics/assign-secondary-public-ip-address/m-p/176877#M55246 Mick_Ball 2017-09-17T19:48:10Z https://live.paloaltonetworks.com/t5/general-topics/assign-secondary-public-ip-address/m-p/177317#M55315 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/70047">@myasin</a>,</P><P>Forgive me if I have any part of this wrong from your description; but essentially the ISP configured gear provided to you is the device that terminates the public IPs, and to get the connection to your Palo Alto you're simply assigning a NAT or a port-forwarding policy to your firewall's private IP right?&nbsp;</P><P>I would question whether or not you truly need to have that priavte subnet between your router and your firewall or if you could simply pass the IPs through the router directily to the firwall. Even a home grade router should have the ability to do an IP-Passthrough or Bridge mode that would assign the public IP address directly to the firewall.&nbsp;</P><P>If the device in incapable of providing a public IP address directly to the firewall the SSL-VPN can be configured perfectly fine without the firewall having a true public IP address assigned to it as long as the IP-Passthrough or port-forwarding is setup correctly.&nbsp;</P> Mon, 18 Sep 2017 12:51:50 GMT https://live.paloaltonetworks.com/t5/general-topics/assign-secondary-public-ip-address/m-p/177317#M55315 BPry 2017-09-18T12:51:50Z https://live.paloaltonetworks.com/t5/general-topics/assign-secondary-public-ip-address/m-p/177333#M55318 <P>Hi Myasin,</P><P>&nbsp;</P><P>What might be a solution for you would be to created a loopback interface and assign it an IP. You can then add all your globalprotect (GP) configuration to this loopback.</P><P>&nbsp;</P><P>Then with a destination NAT rule you can say that traffic for your 2nd public IP will be destination NAT to your loopback for access to the GP portal/gateway. The device will proxy ARP for the 2nd public IP configurated on the NAT rule.</P><P>&nbsp;</P><P>These links to the documentation can explain more</P><P>&nbsp;</P><P>proxy ARP:</P><P><A href="https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/networking/nat-policy-rules#_60332" target="_blank">https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/networking/nat-policy-rules#_60332</A></P><P>&nbsp;</P><P>GP on loopback:</P><P><A href="https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-Global-Protect-Gateway-on-Loopback-Interface/ta-p/56866" target="_blank">https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-Global-Protect-Gateway-on-Loopback-Interface/ta-p/56866</A></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>hope this helps,</P><P>Ben</P> Mon, 18 Sep 2017 13:24:52 GMT https://live.paloaltonetworks.com/t5/general-topics/assign-secondary-public-ip-address/m-p/177333#M55318 bmorris1 2017-09-18T13:24:52Z https://live.paloaltonetworks.com/t5/general-topics/assign-secondary-public-ip-address/m-p/177553#M55359 <P>Hi</P><P>&nbsp;</P><P>I managed to configure the public subnet between the router and the firewall, as the customer was refusing change any paramters in the router.</P><P>&nbsp;</P><P>Thanks&nbsp;</P> Tue, 19 Sep 2017 10:06:19 GMT https://live.paloaltonetworks.com/t5/general-topics/assign-secondary-public-ip-address/m-p/177553#M55359 myasin 2017-09-19T10:06:19Z