We needed additional Public IP for SIP and web server hosting.
My original IP was a single IP, for example "220.127.116.11\30". The ISP gave us another range to use, 18.104.22.168\28.
How can I add the 22.214.171.124\28 range to my PA so I can apply NAT rules to it?
I've not done this, but I think you'd just need to have it assigned to the Physical or AE of your "untrust" / INet facing side of your FW those two IPs as well as add the IPs you want to your NAT policy.
Hi @msteinbach ,
If your ISP gave you this segment and has a proper route to this network towards your firewall, then to the best of my knowledge you do not need to have this IP on the firewall. You can have a proper NAT and security policy and everything will work. There is no need to waste one public IP.
There is a way without using a loopback with one of your public IP addresses on it. As @Abdul_Razaq says, that uses an IP address.
One of the steps the PA takes when evaluating traffic is the existence of a route to the destination. If the route doesn't exist, the traffic is dropped without further processing. The route just has to exist, it doesn't have to necessarily be valid.
So you can set up a null route for the new subnet which will allow the packet flow to continue. I have done this method several times and it works well.
Since you created a loopback, a connected route will exist for that subnet and permit the flow to continue.
Here's the document that explains the need for the existence of the route.