IP Renumbering - trying to avert a slow motion disaster

L3 Networker

PAN-200

PAN OS 6


I am no networking guy, but he left, so there is me dealing with this.

We've embarked on a great project to renumber our IP addresses with very little thought in advance.

There aren't that many, we said. What could go wrong, we thought. Well, for starters, one host that I've cut over to the new scheme can't see 'the internet' but his brothers who are in the old scheme can.

eth1/2/3 are layer 2, in the 'coloprovider_msrp' VLAN

eth4 is layer 3, with an IP address of 209.59.29.193/26

That latter IP is the gateway address of the hosts behind the PA-200.

A well meaning person told me to make this a 10.1.1.x network so I plugged that into my CIDR calculator and

Address: 10.1.1.1

Netmask: 255.255.0.0

Network Address: 10.1.0.0/16

Broadcast: 10.1.255.255

So.

I gave my test host an address of 10.1.1.4, gateway 10.1.0.0

In PA-200, ETH4 added the IP address 10.1.0.0/16

And LO my host can ping 10.1.0.0. Great? It cannot ping the internet - my test IP being 8.8.8.8

What am I doing wrong, oh mighty keepers of the networking flame ...

To-be physical diagram

physical.tiff

To-be Logical part one

logical-part-one.tiff

To-Be Logical part two

logical_part_two.tiff

Message was edited by: Brian Dunbar

bat
L5 Sessionator

Re: IP Renumbering - trying to avert a slow motion disaster

bdunbar, enjoyed reading your post :smileygrin:

Could you verify if that network is mentioned in the security as well as the NAT policy?

L3 Networker

Re: IP Renumbering - trying to avert a slow motion disaster

It does not appear to be mentioned in either my few security policies or my NAT policy.

L3 Networker

Re: IP Renumbering - trying to avert a slow motion disaster

FWIW here is my routing table before, and after ..

admin@tn-gateway-01> show routing route
flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp,
       Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2
VIRTUAL ROUTER: default (id 1)
  ==========
destination                                 nexthop                                 metric flags      age   interface          next-AS
0.0.0.0/0                                   209.59.31.137                           10     A S              vlan.10
10.50.1.1/32                                10.50.1.1                               10     A S              tunnel.10
10.50.1.2/31                                10.50.1.2                               10     A S              tunnel.10
10.50.1.4/30                                10.50.1.4                               10     A S              tunnel.10
10.50.1.8/29                                10.50.1.8                               10     A S              tunnel.10
10.50.1.16/30                               10.50.1.16                              10     A S              tunnel.10
10.50.1.20/32                               10.50.1.20                              10     A S              tunnel.10
209.59.29.192/26                            209.59.29.193                           0      A C              ethernet1/4
209.59.29.193/32                            0.0.0.0                                 0      A H
209.59.31.136/29                            209.59.31.140                           0      A C              vlan.10
209.59.31.140/32                            0.0.0.0                                 0      A H

admin@tn-gateway-01> show routing route
flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp,
       Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2
VIRTUAL ROUTER: default (id 1)
  ==========
destination                                 nexthop                                 metric flags      age   interface          next-AS
0.0.0.0/0                                   209.59.31.137                           10     A S              vlan.10
10.1.0.0/16                                 10.1.0.0                                0      A C              ethernet1/4
10.1.0.0/32                                 0.0.0.0                                 0      A H
10.50.1.1/32                                10.50.1.1                               10     A S              tunnel.10
10.50.1.2/31                                10.50.1.2                               10     A S              tunnel.10
10.50.1.4/30                                10.50.1.4                               10     A S              tunnel.10
10.50.1.8/29                                10.50.1.8                               10     A S              tunnel.10
10.50.1.16/30                               10.50.1.16                              10     A S              tunnel.10
10.50.1.20/32                               10.50.1.20                              10     A S              tunnel.10
209.59.29.192/26                            209.59.29.193                           0      A C              ethernet1/4
209.59.29.193/32                            0.0.0.0                                 0      A H
209.59.31.136/29                            209.59.31.140                           0      A C              vlan.10
209.59.31.140/32                            0.0.0.0                                 0      A H
total routes shown: 13

L3 Networker

Re: IP Renumbering - trying to avert a slow motion disaster

Interesting: I tried to delete the reference to 209.59.29.193/26 from eth4 and was told ..

Validation Error:

deviceconfig -> system -> route -> destination -> 209.59.29.221 -> source -> address '209.59.29.193/26' is not a valid reference

deviceconfig -> system -> route -> destination -> 209.59.29.221 -> source -> address is invalid

config commit phase 1 aborted(Module: routed)

Config commit phase 1 aborted(Module: device)

panike_daemon phase 1 aborted(Module: ikemgr)

config commit phase 1 aborted(Module: dhcpd)

config commit phase 1 aborted(Module: varrcvr)

modhttpd phase 1 aborted(Module: l3svc)

Now .. 209.59.29.221 is one of two Active Directory servers I have. And of course, I have User-ID talking to them. Ideas?

L7 Applicator

Re: IP Renumbering - trying to avert a slow motion disaster

We really need to see a network topology and what the change of address affects old versus new.

Security policy and NAT rule changes are already mentioned.

You seem to have VPN connections using static routes; this will likely mean you also need to make routing changes at those remote sites to reach the new network, and then decommission the old one as well.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
L3 Networker

Re: IP Renumbering - trying to avert a slow motion disaster

I need to update my diagrams to reflect changes that were inflicted last night - I'll do that and update.  Not the very least because I need to update.

I did also create a support case last night (there was talk around the cage that the problem was a defective unit, and more talk that we should just nuke the firewall and reinstall from scratch, and I really, really, wanted to not do that).  The support tech, Ceaser, ID'd the problem, in a nutshell, and my words, 'you are trying to route a non-routable network'.

He sent notes, and suggested we get in touch with our SE (I didn't know we had one of those!) but, in a nutshell, the fix is to take my three layer 2 interfaces and make them layer 3.

"Non-routable networks don't route".  Seems so obvious after-the-fact.

L3 Networker

Re: IP Renumbering - trying to avert a slow motion disaster

For what it is worth, I have attached the to-be physical and logical diagrams. 

L3 Networker

Re: IP Renumbering - trying to avert a slow motion disaster

Hi,

10.1.0.0/16 is not a legal IP address to apply to your firewall - that's actually the subnet address.

Update your firewall to use 10.1.1.1/16 and place your hosts with 10.1.1.x (where x > 1!) addresses with a net mask of 255.255.0.0 and a default gateway of 10.1.1.1.

Good luck

aid
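A way to catch exactly this mistake before a commit, as an added example that is not part of this thread or of PAN-OS: a Python check using only the standard library ipaddress module. It flags an interface address that is the network or broadcast address of its prefix (as 10.1.0.0/16 is) and verifies that a host's mask and gateway match the firewall interface. The function names and inputs are my own.

```python
import ipaddress


def unusable_as_host(addr, net):
    """True if addr is the network or broadcast address of net, i.e. not a usable host address."""
    if net.prefixlen >= 31:  # /31 and /32 reserve no addresses
        return False
    return addr in (net.network_address, net.broadcast_address)


def validate_lan(fw_cidr, host_ip, host_mask, host_gw):
    """Return a list of addressing problems for a firewall L3 interface and one host behind it.

    fw_cidr   firewall interface address in CIDR form, e.g. '10.1.0.0/16'
    host_ip   the host's address, e.g. '10.1.1.4'
    host_mask the host's netmask, e.g. '255.255.0.0'
    host_gw   the host's default gateway, e.g. '10.1.0.0'
    An empty list means the addressing is consistent.
    """
    fw = ipaddress.ip_interface(fw_cidr)
    host = ipaddress.ip_interface(f"{host_ip}/{host_mask}")  # netmask form is accepted
    gw = ipaddress.ip_address(host_gw)
    problems = []
    if unusable_as_host(fw.ip, fw.network):
        problems.append(f"firewall address {fw.ip} is the network/broadcast address of {fw.network}")
    if unusable_as_host(host.ip, host.network):
        problems.append(f"host address {host.ip} is the network/broadcast address of {host.network}")
    if host.network != fw.network:
        problems.append(f"host subnet {host.network} differs from firewall subnet {fw.network}")
    if gw != fw.ip:
        problems.append(f"host gateway {gw} is not the firewall interface address {fw.ip}")
    return problems


if __name__ == "__main__":
    # The configuration from the original post (constructed from the thread's values)
    for p in validate_lan("10.1.0.0/16", "10.1.1.4", "255.255.0.0", "10.1.0.0"):
        print("problem:", p)
    # The corrected configuration suggested above
    print("fixed config problems:", validate_lan("10.1.1.1/16", "10.1.1.4", "255.255.0.0", "10.1.1.1"))
```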

L3 Networker

Re: IP Renumbering - trying to avert a slow motion disaster

Interesting.  Those documents are now out-of-date.

Last night I was on the phone with Wes, our Palo Alto SE (hi, Wes) and we did this ..

eth4 IP

10.1.0.1/16

209.59.29.193/26

Applied this IP to a host

IP 10.1.1.40

Subnet: 255.255.0.0

Gateway: 10.1.0.1

And it worked.
