<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Adding additional public IP range in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/adding-additional-public-ip-range/m-p/243892#M69672</link>
    <description>&lt;P&gt;Hi all - I've been having a bit of trouble getting this to work - I've done it on Cisco &amp;amp; Sonicwall boxes before, but this is my first PA 3020.&amp;nbsp; We were just assigned additional public IP addresses by our ISP. The existing block is 206.x.x.x/29 and the new block is 165.x.x.x/29, so they're not contiguous.&amp;nbsp; I went into the Ethernet Interface settings and added the new block to the same port as the existing block but that did not seem to have any effect.&amp;nbsp; Is there another place I need to add this information?&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Wed, 19 Dec 2018 18:12:23 GMT</pubDate>
    <dc:creator>bwade</dc:creator>
    <dc:date>2018-12-19T18:12:23Z</dc:date>
    <item>
      <title>Adding additional public IP range</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/adding-additional-public-ip-range/m-p/243892#M69672</link>
      <description>&lt;P&gt;Hi all - I've been having a bit of trouble getting this to work - I've done it on Cisco &amp;amp; Sonicwall boxes before, but this is my first PA 3020.&amp;nbsp; We were just assigned additional public IP addresses by our ISP. The existing block is 206.x.x.x/29 and the new block is 165.x.x.x/29, so they're not contiguous.&amp;nbsp; I went into the Ethernet Interface settings and added the new block to the same port as the existing block but that did not seem to have any effect.&amp;nbsp; Is there another place I need to add this information?&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 19 Dec 2018 18:12:23 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/adding-additional-public-ip-range/m-p/243892#M69672</guid>
      <dc:creator>bwade</dc:creator>
      <dc:date>2018-12-19T18:12:23Z</dc:date>
    </item>
    <item>
      <title>Re: Adding additional public IP range</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/adding-additional-public-ip-range/m-p/243997#M69681</link>
      <description>&lt;P&gt;Have you added in routing on your virtual router to the next hop?&lt;/P&gt;&lt;P&gt;Have you created any NAT Rules to actually use the IPs?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Rob&lt;/P&gt;</description>
      <pubDate>Thu, 20 Dec 2018 11:05:39 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/adding-additional-public-ip-range/m-p/243997#M69681</guid>
      <dc:creator>RobinClayton</dc:creator>
      <dc:date>2018-12-20T11:05:39Z</dc:date>
    </item>
    <item>
      <title>Re: Adding additional public IP range</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/adding-additional-public-ip-range/m-p/244031#M69687</link>
      <description>&lt;P&gt;The existing IP range is not represented at all in the virtual router settings (I did not set up this PA, so I can't speak to the whys of the existing config). I tried adding it anyway, but commit failed - I believe the error was that the route was not unique.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I copied the NAT rule for the original IP range and modified it to represent the additional range and also created a 1:1 translation rule for an IP in the new range.&amp;nbsp;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;This process just seems much more difficult than it is on other platforms.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 20 Dec 2018 14:24:40 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/adding-additional-public-ip-range/m-p/244031#M69687</guid>
      <dc:creator>bwade</dc:creator>
      <dc:date>2018-12-20T14:24:40Z</dc:date>
    </item>
    <item>
      <title>Re: Adding additional public IP range</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/adding-additional-public-ip-range/m-p/244170#M69704</link>
      <description>&lt;P&gt;So you're adding a new IP block to your environment, not replacing your existing subnet, correct?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;There is an order of operations that the PA does when it receives traffic. One of the things that happens is the evaluation of a route to the destination. If this route doesn't exist, then the packet is dropped. So if you don't have a specific entry in your VR or an interface in that IP range, then the traffic will be dropped.&lt;/P&gt;&lt;P&gt;There are a couple of ways to get around this. In the past, I've created a route to the other subnet with a next-hop of none. I believe you have to also specify an interface in the route.&amp;nbsp; This gets the new subnet into the routing table so the packet can pass to the next evaluation stage. You could also create a loopback on this subnet. You don't need to add another IP address on the ISP facing interface.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;What NAT rule did you copy from old to new? What's the reason for doing this?&lt;/P&gt;</description>
      <pubDate>Thu, 20 Dec 2018 21:21:53 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/adding-additional-public-ip-range/m-p/244170#M69704</guid>
      <dc:creator>rmfalconer</dc:creator>
      <dc:date>2018-12-20T21:21:53Z</dc:date>
    </item>
  </channel>
</rss>

