Hi all - I've been having a bit of trouble getting this to work - I've done it on Cisco & Sonicwall boxes before, but this is my first PA 3020. We were just assigned additional public IP addresses by our ISP. The existing block is 206.x.x.x/29 and the new block is 165.x.x.x/29, so they're not contiguous. I went into the Ethernet Interface settings and added the new block to the same port as the existing block but that did not seem to have any effect. Is there another place I need to add this information?
The existing IP range is not represented at all in the virtual router settings (I did not set up this PA, so I can't speak to the whys of the existing config). I tried adding it anyway, but commit failed - I believe the error was that the route was not unique.
I copied the NAT rule for the original IP range and modified it to represent the additional range and also created a 1:1 translation rule for an IP in the new range.
This process just seems much more difficult than it is on other platforms.
So you're adding a new IP block to your environment, not replacing your existing subnet, correct?
There is an order of operations that the PA does when it receives traffic. One of the things that happens is the evaluation of a route to the destination. If this route doesn't exist, then the packet is dropped. So if you don't have a specific entry in your VR or an interface in that IP range, then the traffic will be dropped.
There are a couple of ways to get around this. In the past, I've created a route to the other subnet with a next-hop of none. I believe you have to also specify an interface in the route. This gets the new subnet into the routing table so the packet can pass to the next evaluation stage. You could also create a loopback on this subnet. You don't need to add another IP address on the ISP facing interface.
What NAT rule did you copy from old to new? What's the reason for doing this?
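As an added illustration of the two workarounds described in the reply above (this is not configuration from the original thread), here is what each looks like in PAN-OS configure-mode CLI. The virtual router name `default`, the ISP-facing interface `ethernet1/1`, the zone `untrust`, the route name `new-block-165` and the placeholder prefix `165.x.x.0/29` are assumptions; the command syntax is written from memory of PAN-OS and should be checked with `?` completion on your own version. Lines beginning with `#` are annotations, not commands. It also assumes the ISP routes the new /29 to your existing WAN address rather than expecting the firewall to answer ARP for it on the link, which is why no address from the new block has to sit on the ISP-facing interface.

```text
configure

# Option 1: interface-only static route (next hop "None").
# This puts 165.x.x.0/29 into the routing table so the route lookup
# succeeds and the packet reaches NAT/policy evaluation. The interface
# is required because there is no next-hop address.
set network virtual-router default routing-table ip static-route new-block-165 destination 165.x.x.0/29 interface ethernet1/1
# Alternative black-hole form on newer PAN-OS releases (same effect for
# getting the prefix into the FIB):
# set network virtual-router default routing-table ip static-route new-block-165 destination 165.x.x.0/29 nexthop discard

# Option 2: loopback interface holding one address from the new block.
# PAN-OS loopback addresses are host (/32) addresses, so this yields a
# connected route for that one address only; keep Option 1 as well if
# you NAT to other addresses in the block.
set network interface loopback units loopback.1 ip 165.x.x.1/32
set zone untrust network layer3 loopback.1
set network virtual-router default interface loopback.1

commit

# Checks: the new prefix must be in the FIB before any NAT rule for it
# will ever be evaluated.
show routing route virtual-router default
test routing fib-lookup virtual-router default ip 165.x.x.2
```

If the `fib-lookup` test for an address in the new block returns no route after the commit, NAT rules for that block will never be reached and the traffic will be dropped at the routing stage, exactly as described above.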