https://live.paloaltonetworks.com/t5/general-topics/assign-secondary-public-ip-address/m-p/251073#M71391 <P>I assigned the ip to a loopback interface then created NAT and Security policy seems to work just fine.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Sat, 23 Feb 2019 18:48:30 GMT msteinbach 2019-02-23T18:48:30Z https://live.paloaltonetworks.com/t5/general-topics/assign-secondary-public-ip-address/m-p/250868#M71338 <P>We needed additional Public IP for SIP and web server hosting.</P><P>&nbsp;</P><P>My original IP was a single IP example "67.173.83.121\30".&nbsp; The ISP gave us&nbsp;another range to use 67.173.75.73\28.</P><P>&nbsp;</P><P>How can i add&nbsp;67.173.75.73\28 range to my PA so I can apply NAT rules to it?&nbsp;</P><P>&nbsp;</P><P>Loopback interface?</P><P>&nbsp;</P><P>thanks</P><P>&nbsp;</P> Fri, 22 Feb 2019 12:09:30 GMT https://live.paloaltonetworks.com/t5/general-topics/assign-secondary-public-ip-address/m-p/250868#M71338 msteinbach 2019-02-22T12:09:30Z https://live.paloaltonetworks.com/t5/general-topics/assign-secondary-public-ip-address/m-p/250900#M71348 <P>I've not done this, but I think you'd just need to have it assigned to the Physical or AE of your "untrust" / INet facing side of your FW those two IPs as well as add the IPs you want to your NAT policy.</P> Fri, 22 Feb 2019 13:25:48 GMT https://live.paloaltonetworks.com/t5/general-topics/assign-secondary-public-ip-address/m-p/250900#M71348 Brandon_Wertz 2019-02-22T13:25:48Z https://live.paloaltonetworks.com/t5/general-topics/assign-secondary-public-ip-address/m-p/251073#M71391 <P>I assigned the ip to a loopback interface then created NAT and Security policy seems to work just fine.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Sat, 23 Feb 2019 18:48:30 GMT https://live.paloaltonetworks.com/t5/general-topics/assign-secondary-public-ip-address/m-p/251073#M71391 msteinbach 2019-02-23T18:48:30Z https://live.paloaltonetworks.com/t5/general-topics/assign-secondary-public-ip-address/m-p/251075#M71392 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/82393">@msteinbach</a>&nbsp;,</P><P>&nbsp;</P><P>If your ISP gave you this segment and have proper route to this network towards your firewall,As of my best knowledge, you need not to have this IP in firewall. you can have proper NAT and security policy. everything will work. need not to wast one public IP.</P> Sun, 24 Feb 2019 06:30:54 GMT https://live.paloaltonetworks.com/t5/general-topics/assign-secondary-public-ip-address/m-p/251075#M71392 Abdul_Razaq 2019-02-24T06:30:54Z https://live.paloaltonetworks.com/t5/general-topics/assign-secondary-public-ip-address/m-p/251572#M71537 <P>There is a way without using a loopback with one of your public IP addresses on it. As&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/101029">@Abdul_Razaq</a>&nbsp; says, that uses an IP address.&nbsp;</P><P>&nbsp;</P><P>One of the steps the PA takes when evaluating traffic is the existence of a route to the destination. If the route doesn't exist, the traffic is dropped without further processing. The route just has to exist, it doesn't have to necessarily be valid.</P><P>So you can set up a null route for the new subnet which will allow the packet flow to continue.&nbsp; I have done this method several times and it works well.</P><P>Since you created a loopback, a connected route will exist for that subnet and permit the flow to continue.</P><P>&nbsp;</P><P>Here's the document that explains the need for the existence of the route.</P><P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVHCA0" target="_self">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVHCA0</A></P><P>&nbsp;</P> Wed, 27 Feb 2019 19:17:13 GMT https://live.paloaltonetworks.com/t5/general-topics/assign-secondary-public-ip-address/m-p/251572#M71537 rmfalconer 2019-02-27T19:17:13Z