topic Re: Changing the / in General Topics

Changing the /

Shawverr — Tue, 10 Sep 2019 12:56:01 GMT

We currently have one outside interface on the firewall and is connected to our Edge Router. The interface has the IP address of 10.10.10.10.5/24 (for example). This is the only port available for inbound and outbound data to the internet. We would like to create a new outside interface on the firewall and start using it for other services, such as our Global Protect VPN and so on. We would like to give the second interface the IP address of 10.10.10.10.6/32 but this IP falls in the range of the first outside interface of 10.10.10.10.5/24. Can we change the IP address on our existing interface to 10.10.10.10.5/32 instead of the /24? Will this impact anything? Then we could use the 10.10.10.10.6/32 for the second outside interface.

Thanks in advance.

Re: Changing the /

BatD — Tue, 10 Sep 2019 16:25:28 GMT

@Shawverr I think you are missing basic networking principles. You need to have network address, broadcast address and in your case, next hop for the default gateway. If you change your external interface from /24 to /32, then all your internet traffic will stop working, because the firewall will not know how to get the its gateway for the internet.

To achieve what you described, the best approach would be to configure loopback address with any IP, for example 192.168.1.1/32, then NAT 110.10.10.10.6 to 192.168.1.1. Then use lo1 interface for Global Protect.

The second option is a little bit more complicated, but it will also work. You can configure second physical interface in the external subnet and give it IP 10.10.10.10.6/24 (not 32 for the reasons above). Then create new virtual router with the new interface in. You can utilise inter-vr routing and if needed policy based forwarding to route traffic to and from that interface.

Re: Changing the /

Shawverr — Thu, 12 Sep 2019 14:41:27 GMT

As for GP, can i just do this: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClJHCA0

Will that be an issue?

Re: Changing the /

BatD — Thu, 12 Sep 2019 14:57:19 GMT

@Shawverr This what I was trying to explain. You need to do the "Option2" in the article. Configure loback and create NAT for it

Re: Changing the /

Shawverr — Thu, 12 Sep 2019 15:01:12 GMT

@TransporterI appreciate you're help with this. Just so I'm clear, option one isn't viable because..........

Re: Changing the /

BatD — Fri, 13 Sep 2019 07:09:46 GMT

@Shawverr In you original post you said:

"We would like to create a new outside interface on the firewall and start using it for other services, such as our Global Protect VPN and so on."

Option1 is having two IP Addresses 192.168.200.1/24 and 192.168.200.2/32 on the same physical etherent1/4 will work in a sense that you will be able to reach the fireawll on .1. and the .2 address, but it will not give you any benefits of having a second interface . You will not be able to have different services, different profiles, zones etc., so it will not match your requirement.

Option2 (nat to loopback interface) will give you the benefit of having two individual interfaces in the same subnet.