Assign Secondary Public IP address

L2 Linker

Hi,

I got a new internet connection through a router. The firewall-router connection uses a private subnet, but I got a public subnet from the provider, which I will route to the firewall's private IP.

Since I will configure SSL-VPN, I have to assign the external firewall interface a public IP address so users can reach it for the SSL-VPN setup.

Now, can I configure a secondary (public) IP address on the external firewall interface (the firewall-router link), so we can use this public IP for the SSL-VPN setup? Is this secondary IP going to be reachable from the internet, although the primary IP is private?

Thanks

Accepted Solutions

Cyber Elite

@myasin,

Forgive me if I have any part of this wrong from your description; but essentially the ISP-configured gear provided to you is the device that terminates the public IPs, and to get the connection to your Palo Alto you're simply assigning a NAT or a port-forwarding policy to your firewall's private IP, right?

I would question whether or not you truly need to have that private subnet between your router and your firewall, or if you could simply pass the IPs through the router directly to the firewall. Even a home-grade router should have the ability to do an IP-Passthrough or Bridge mode that would assign the public IP address directly to the firewall.

If the device is incapable of providing a public IP address directly to the firewall, the SSL-VPN can be configured perfectly fine without the firewall having a true public IP address assigned to it, as long as the IP-Passthrough or port-forwarding is set up correctly.

L4 Transporter

Hi Myasin,

What might be a solution for you would be to create a loopback interface and assign it an IP. You can then add all your GlobalProtect (GP) configuration to this loopback.

Then with a destination NAT rule you can say that traffic for your 2nd public IP will be destination-NATed to your loopback for access to the GP portal/gateway. The device will proxy ARP for the 2nd public IP configured on the NAT rule.

These links to the documentation can explain more.

proxy ARP:

https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/networking/nat-policy-rules#_60332

GP on loopback:

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-Global-Protect-Gateway-...

hope this helps,

Ben

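The loopback-plus-destination-NAT design Ben describes, written out as PAN-OS `set` commands. This is an added example, not configuration from the thread or from Palo Alto Networks; the interface, zone and rule names and every address (203.0.113.11 as the "2nd public IP" from the documentation range, 10.255.255.1 for the loopback) are assumed placeholders, and the GP portal/gateway objects themselves are bound to loopback.1 as in the linked article.

```text
# Added example, not from the thread. All names and addresses are assumed
# placeholders: 203.0.113.11 is the "2nd public IP" from the documentation
# range, 10.255.255.1 the loopback, "untrust" the external zone.

# 1. Loopback interface that will host the GlobalProtect portal/gateway.
set network interface loopback units loopback.1 ip 10.255.255.1/32
set network interface loopback units loopback.1 comment "GP portal/gateway"
set network virtual-router default interface loopback.1
set zone untrust network layer3 loopback.1
# Placing the loopback in the external zone keeps the inbound policy
# intra-zone (untrust -> untrust), so no extra zone is needed.

# 2. Destination NAT: 2nd public IP -> loopback, HTTPS only.
set rulebase nat rules GP-Inbound from untrust to untrust
set rulebase nat rules GP-Inbound source any
set rulebase nat rules GP-Inbound destination 203.0.113.11
set rulebase nat rules GP-Inbound service service-https
set rulebase nat rules GP-Inbound destination-translation translated-address 10.255.255.1
# "to untrust" is the zone of the egress interface for the original
# (pre-NAT) destination, i.e. the external interface's zone.

# 3. Security policy: matches the pre-NAT destination IP and the post-NAT
#    zone, and admits only the GlobalProtect application set.
set rulebase security rules Allow-GP from untrust to untrust
set rulebase security rules Allow-GP source any
set rulebase security rules Allow-GP destination 203.0.113.11
set rulebase security rules Allow-GP application [ panos-global-protect ssl web-browsing ]
set rulebase security rules Allow-GP service application-default
set rulebase security rules Allow-GP action allow

# Caveat: the firewall proxy-ARPs for 203.0.113.11 only if that address
# lies within a subnet configured on the external interface. With a private
# subnet on the firewall-router link, as in the question, the ISP router
# must instead carry a route for the public block (or host) toward the
# firewall's private interface IP; no ARP is involved in that case.
```

After committing, `show arp all` on the firewall and a connection test to https://203.0.113.11 from outside confirm whether the address is being answered by proxy ARP or reached via the router's route.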
4 REPLIES

L7 Applicator

I would love to have a crack at this, but I just don't get it; perhaps post a doodle, or hope someone cleverer than me is also unable to sleep.

Hi,

I managed to configure the public subnet between the router and the firewall, as the customer was refusing to change any parameters in the router.

Thanks

  • 2 accepted solutions
  • 7510 Views
  • 4 replies
  • 0 Likes