02-22-2019 04:09 AM
We needed additional Public IP for SIP and web server hosting.
My original IP was a single IP, for example "67.173.83.121\30". The ISP gave us another range to use, 67.173.75.73\28.
How can I add the 67.173.75.73\28 range to my PA so I can apply NAT rules to it?
Loopback interface?
Thanks
02-22-2019 05:25 AM
I've not done this, but I think you'd just need to have those two IPs assigned to the Physical or AE of your "untrust" / INet-facing side of your FW, as well as add the IPs you want to your NAT policy.
02-23-2019 10:48 AM
I assigned the IP to a loopback interface, then created NAT and Security policy. Seems to work just fine.
02-23-2019 10:30 PM
Hi @msteinbach ,
If your ISP gave you this segment and has a proper route to this network towards your firewall, then to the best of my knowledge you need not have this IP on the firewall. You can have proper NAT and security policy and everything will work. There is no need to waste one public IP.
02-27-2019 11:14 AM - edited 02-27-2019 11:17 AM
There is a way without using a loopback with one of your public IP addresses on it. As @Abdul_Razaq says, that uses an IP address.
One of the steps the PA takes when evaluating traffic is checking for the existence of a route to the destination. If the route doesn't exist, the traffic is dropped without further processing. The route just has to exist; it doesn't necessarily have to be valid.
So you can set up a null route for the new subnet which will allow the packet flow to continue. I have done this method several times and it works well.
Since you created a loopback, a connected route will exist for that subnet and permit the flow to continue.
Here's the document that explains the need for the existence of the route.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVHCA0