Assign Secondary Public IP address

L1 Bithead

We needed an additional public IP for SIP and web server hosting.

My original IP was a single IP, for example "67.173.83.121\30". The ISP gave us another range to use, 67.173.75.73\28.

How can I add the 67.173.75.73\28 range to my PA so I can apply NAT rules to it?

Loopback interface?

Thanks


4 REPLIES 4

L6 Presenter

I've not done this, but I think you'd just need to have it assigned to the Physical or AE of your "untrust" / INet facing side of your FW those two IPs as well as add the IPs you want to your NAT policy.

I assigned the IP to a loopback interface, then created NAT and Security policy; it seems to work just fine.

L4 Transporter

Hi @msteinbach ,

If your ISP gave you this segment and has a proper route to this network towards your firewall, then to the best of my knowledge you need not have this IP on the firewall. You can have proper NAT and security policy and everything will work. There is no need to waste one public IP.

There is a way without using a loopback with one of your public IP addresses on it. As @Abdul_Razaq says, that uses an IP address.

One of the steps the PA takes when evaluating traffic is the existence of a route to the destination. If the route doesn't exist, the traffic is dropped without further processing. The route just has to exist, it doesn't have to necessarily be valid.

So you can set up a null route for the new subnet which will allow the packet flow to continue. I have done this method several times and it works well.

Since you created a loopback, a connected route will exist for that subnet and permit the flow to continue.

Here's the document that explains the need for the existence of the route.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVHCA0
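
The null-route approach from the reply above, written out as PAN-OS set-format commands. This is an added example, not part of the original thread or of Palo Alto's documentation. It assumes the virtual router is named `default`; the route name `isp-block-28` is made up, and 67.173.75.64/28 is the network that contains the 67.173.75.73\28 address quoted in the question.

```text
# Added example. Assumed names: virtual router "default", route "isp-block-28".
# The "#" lines are annotations, not CLI input.
# 67.173.75.64/28 is the network containing 67.173.75.73 (hosts .65 to .78).
configure
set network virtual-router default routing-table ip static-route isp-block-28 destination 67.173.75.64/28
set network virtual-router default routing-table ip static-route isp-block-28 nexthop discard
commit
exit

# Check that a lookup for an address in the new block now finds a route.
test routing fib-lookup virtual-router default ip 67.173.75.74
```

With the route in place, NAT and security rules can reference individual addresses from the block without any of them being configured on an interface.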

 
