DotW: Multiple IP Addresses on an Interface

Posted 10-19-2015 09:16 AM, edited 10-19-2015 12:47 PM

How do you assign more than one IP address to a single interface? This post first covers the case where the extra addresses only need to exist in NAT rules, then the two ways of actually attaching them to an interface, and which of the two we consider more secure. User adiazm from our community poses the puzzler highlighted in this week's Discussion of the Week (DotW).

[Screenshot: 2015-10-19_11-20-07.png]

If your ISP has provided you with an external IP range that has room for more than two hosts (the firewall and the ISP router) in the subnet, for example a /29 (eight addresses, six of them usable) or a shorter prefix, the additional addresses can be assigned to specific servers or services hosted on your network, or used to hide different segments of your internal resources behind different public addresses when going out to the Internet.

For NAT, the additional IP addresses do not necessarily need to be configured on the interface at all. When a NAT rule uses a translated address that is not configured anywhere, the firewall performs an internal route lookup to find which interface the address's range is attached to, and then uses proxy ARP on that interface to answer ARP requests for it. This makes the translated address reachable for outside hosts without it being configured on the interface. The corollary is that the address must fall inside a subnet that is configured on the interface: an address outside every connected subnet produces no route match, so the firewall will not answer ARP for it, and the upstream router would have to be given a route to it instead.

Source NAT can therefore be configured like this:

[Screenshot: 2015-10-19_13-47-48.png]

or destination NAT like this:

[Screenshot: 2015-10-19_13-47-13.png]

without the specific IP address being configured on the interface:

[Screenshot: 2015-10-19_13-45-00.png]

If you prefer to have the additional IP addresses attached to an interface for ease of use, or where an interface needs to be assigned to a GlobalProtect Portal and Gateway (which must be bound to an address that is actually configured on an interface, so a NAT-only address will not do), there are two options:

  • Add the IP address as a /32 to the existing interface
    [Screenshot: 2015-10-19_14-00-44.png]
  • Add the IP address as a loopback interface
    [Screenshot: 2015-10-19_14-02-30.png]
The preferred and recommended configuration is the loopback interface, because it allows some additional security configuration that, depending on the circumstances, can come in handy. A /32 added to the physical interface simply inherits that interface's zone and settings, whereas a loopback interface can be placed in a security zone of its own, so the policies that apply to this one address can differ from those applied to the range on the physical interface. The loopback also carries its own interface management profile, so it can, for example, accept pings or GlobalProtect connections while the primary address stays unresponsive. Two things to remember: the loopback must be added to the same virtual router as the physical interface so the firewall routes to it, and a loopback that carries an address from the interface's subnet is answered on the wire by that physical interface's MAC, so a neighbouring router's ARP table will show the loopback address against the physical interface's MAC.
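As an added example (not code from the original post, and not a PAN-OS API), the following Python script models the behaviour described in the two passages above: the route lookup and proxy ARP the firewall performs for NAT-only addresses, and the two ways of attaching an address (a /32 on the interface versus a loopback in its own zone), including which MAC a neighbouring router will see in its ARP table. The interface names, zone names, MAC addresses, and the 203.0.113.0/29 and 198.51.100.9 addresses are constructed sample data, and the last NAT address is a deliberate mistake so that the failure case shows up in the output.

```python
"""Model of how a firewall answers for the public addresses it owns or NATs.

Added example, not code from the original post or from PAN-OS. It mirrors
the route-lookup / proxy-ARP behaviour described above using only the
Python standard library, so an addressing plan can be checked before it is
committed. Every interface, zone, MAC and address below is constructed.
"""
from ipaddress import ip_address, ip_interface, ip_network

# Constructed sample configuration (not a real device export).
# Physical layer-3 interfaces: name -> (address/prefix, security zone, MAC)
INTERFACES = {
    "ethernet1/1": ("203.0.113.2/29", "untrust", "00:1b:17:aa:00:01"),
    "ethernet1/2": ("10.1.0.1/24", "dmz", "00:1b:17:aa:00:02"),
}
# Option 1 from the post: extra /32 addresses on the interface itself.
# They inherit the interface's zone and management profile.
SECONDARY_IPS = {"ethernet1/1": ["203.0.113.3/32"]}
# Option 2 from the post: loopback interfaces, each placed in its own zone.
LOOPBACKS = {"loopback.1": ("203.0.113.4/32", "untrust-gp")}
# Addresses that exist only as translated addresses in NAT rules. The last
# one is a deliberate mistake: it is outside every subnet the firewall owns.
NAT_TRANSLATED = ["203.0.113.5", "203.0.113.6", "198.51.100.9"]


def connected_routes():
    """All prefixes the firewall treats as directly attached, most specific first."""
    routes = []  # (network, interface, zone, mac, kind)
    for name, (addr, zone, mac) in INTERFACES.items():
        routes.append((ip_interface(addr).network, name, zone, mac, "interface"))
        for sec in SECONDARY_IPS.get(name, []):
            routes.append((ip_network(sec), name, zone, mac, "secondary"))
    for name, (addr, zone) in LOOPBACKS.items():
        routes.append((ip_network(addr), name, zone, None, "loopback"))
    # Longest-prefix match: the /32s must be tried before the interface subnets.
    return sorted(routes, key=lambda r: r[0].prefixlen, reverse=True)


def route_lookup(ip):
    """The 'internal route lookup' from the post: which attached prefix holds ip?"""
    ip = ip_address(ip)
    for route in connected_routes():
        if ip in route[0]:
            return route
    return None


def arp_owner(ip):
    """Physical interface whose subnet contains ip; its MAC answers ARP for it."""
    ip = ip_address(ip)
    for name, (addr, _zone, mac) in INTERFACES.items():
        if ip in ip_interface(addr).network:
            return name, mac
    return None, None


def resolve(ip):
    """Explain how the firewall will answer for one public address.

    Returns the answering interface, the MAC a neighbour will see in its
    ARP table, the zone whose security policy applies, and any warnings.
    """
    ip = ip_address(ip)
    phys_if, phys_mac = arp_owner(ip)
    result = {"ip": str(ip), "kind": None, "interface": None, "zone": None,
              "arp_mac": phys_mac, "warnings": []}
    route = route_lookup(ip)
    if route is None:
        result["warnings"].append(
            "not inside any connected subnet: no ARP reply, upstream must route it")
        return result
    _network, name, zone, _mac, kind = route
    if kind == "interface" and ip == ip_interface(INTERFACES[name][0]).ip:
        result.update(kind="interface-ip", interface=name, zone=zone)
    elif kind in ("secondary", "loopback"):
        result.update(kind=kind, interface=name, zone=zone)
        if kind == "loopback" and phys_if is None:
            # Second case from the comment thread: reachable only via routing.
            result["warnings"].append(
                "loopback outside every connected subnet: neighbours see only their gateway")
    elif str(ip) in NAT_TRANSLATED:
        # Not configured anywhere but inside a connected subnet: the firewall
        # proxy-ARPs for it from that interface, in that interface's zone.
        result.update(kind="proxy-arp", interface=name, zone=zone)
    else:
        result.update(kind="unused", interface=name, zone=zone)
    return result


def nat_addresses_without_proxy_arp():
    """NAT translated addresses the firewall will never answer ARP for."""
    return [ip for ip in NAT_TRANSLATED if arp_owner(ip)[0] is None]


def audit():
    """Resolve every public address in the plan, one row per address."""
    configured = [str(ip_interface(a).ip) for a, _z, _m in INTERFACES.values()]
    configured += [ip_network(s).network_address.exploded
                   for secs in SECONDARY_IPS.values() for s in secs]
    configured += [ip_network(a).network_address.exploded for a, _z in LOOPBACKS.values()]
    return [resolve(ip) for ip in configured + NAT_TRANSLATED]


if __name__ == "__main__":
    for row in audit():
        print(f"{row['ip']:<15} {str(row['kind']):<13} {str(row['interface']):<12} "
              f"{str(row['zone']):<11} {str(row['arp_mac']):<18} {'; '.join(row['warnings'])}")
```

Running it prints one row per public address. The NAT-only addresses inside the /29 resolve to proxy-arp on ethernet1/1 with that interface's MAC and the untrust zone; the loopback address resolves to the same MAC on the wire but to its own zone, which is the whole point of the loopback option; and 198.51.100.9 resolves to nothing, which is the case where the upstream router needs a route pointing at the firewall rather than an ARP entry.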

 

Thank you for reading, and feel free to comment below.

Read the original discussion here: Multiple Addresses in the same ethernet interface

Thanks!

Tom

Comments
by cypatagoniayori
on 09-12-2016 11:39 PM

Using a loopback interface means that the IP address could be reachable from any interface? If I check the ARP table on a neighboring routing device, what would the entry look like?

by
on 09-13-2016 12:11 AM

If the loopback interface has an IP address in the same subnet as your source interface, you would see the loopback IP with the MAC of the physical interface.

If the loopback is in a different subnet, the same rules as other routed networks apply (you'll see your default gateway and its MAC, no info on the loopback IP).

by gkinsey
on 01-03-2017 04:13 PM

A+ solution! The loopback solution works great. I've only done this in the lab so far, but I think this is going to be the perfect solution for converting from my McAfee Sidewinder running 7 code. The Sidewinder has the ability to "own" all of my public IP addresses on the external interface. This solution emulates that same functionality, but the loopback idea, as was stated, adds another layer of security: a policy could be applied to individual IPs based on need. Thanks much!
by Thant
on 02-07-2017 11:41 PM

How many IPs can be assigned on the same interface?

by
on 02-07-2017 11:52 PM

There is no per-interface limit.

by ClearDATA_NOC
on 03-09-2017 04:29 PM, edited 03-09-2017 04:39 PM

Can you terminate a VPN tunnel to a secondary /32 IP address configured on a PAN external interface?

by
on 03-10-2017 12:24 AM

Of course!

I would recommend creating a loopback interface for that instead of adding a secondary IP, however; it gives you more control over the interface (you can add management profiles so it is pingable while the main interface remains unpingable, for example, and you can place it in a different zone so you can apply different security policies).
