Adding additional public IP range

L0 Member

Adding additional public IP range

Hi all - I've been having a bit of trouble getting this to work - I've done it on Cisco & Sonicwall boxes before, but this is my first PA 3020.  We were just assigned additional public IP addresses by our ISP. The existing block is 206.x.x.x/29 and the new block is 165.x.x.x/29, so they're note contiguous.  I went into the Ethernet Interface settings and added the new block to the same port as the existing block but that did not seem to have any effect.  Is there another place I need to add this information? 

Tags (1)
L4 Transporter

Re: Adding additional public IP range

Have you added in routing on your virtual router to the next hop?

Have you created any NAT Rules to actualy use the IP's?

 

Rob

L0 Member

Re: Adding additional public IP range

The existing IP range is not represented at all inthe virtual router settings (I did not set up this PA, so I can't speak to the whys of the existing config). I tried adding it anyway, but commit failed - I believe the error was that the route was not unique. 

 

I copied the NAT rule for the original IP range and modified it to represent the additional range and also created a 1:1 translation rule for an IP in the new range.  

 

This process just seems much more difficult than it is on other platforms. 

L4 Transporter

Re: Adding additional public IP range

So you're adding a new IP block to your environment, not replacing your existing subnet, correct?

 

There is an order of operations that the PA does when it receives traffic. One of the things that happens is the evaluation of a route to the destination. If this route doesn't exist, then the packet is dropped. So if you don't have a specific entry in your VR or an interface in that IP range, then the traffic will be dropped.

There are a couple of ways to get around this. In the past, I've created a route to the other subnet with a next-hop of none. I believe you have to also specify an interface in the route.  This gets the new subnet into the routing table so the packet can pass to the next evaluation stage. You could also create a loopback on this subnet. You don't need to add another IP address on the ISP facing interface.

 

What NAT rule did you copy from old to new? What's the reason for doing this?

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!