Changing the /

Reply
Highlighted
L3 Networker

Changing the /

We currently have one outside interface on the firewall and is connected to our Edge Router. The interface has the IP address of 10.10.10.10.5/24 (for example). This is the only port available for inbound and outbound data to the internet. We would like to create a new outside interface on the firewall and start using it for other services, such as our Global Protect VPN and so on. We would like to give the second interface the IP address of 10.10.10.10.6/32 but this IP falls in the range of the first outside interface of 10.10.10.10.5/24. Can we change the IP address on our existing interface to 10.10.10.10.5/32 instead of the /24? Will this impact anything? Then we could use the 10.10.10.10.6/32 for the second outside interface.

 

Thanks in advance.

Tags (1)

Accepted Solutions
L4 Transporter

@Shawverr In you original post you said:

"We would like to create a new outside interface on the firewall and start using it for other services, such as our Global Protect VPN and so on."

Option1 is having two IP Addresses  192.168.200.1/24 and  192.168.200.2/32 on the same physical etherent1/4 will work in a sense that you will be able to reach the fireawll on .1. and the .2 address, but it will  not give you any benefits of having a second interface . You will not be able to have different services, different profiles, zones etc., so it will not match your requirement. 

Option2 (nat to loopback interface) will give you the benefit of having two individual interfaces in the same subnet. 

View solution in original post


All Replies
Highlighted
L4 Transporter

@Shawverr I think you are missing basic networking principles. You need to have network address, broadcast address and in your case, next hop for the default gateway. If you change your external interface from /24 to /32, then all your internet traffic will stop working, because the firewall will not know how to get the its gateway for the internet. 

 

To achieve what you described, the best approach would be to configure loopback address with any IP, for example 192.168.1.1/32, then NAT 110.10.10.10.6 to 192.168.1.1. Then use lo1 interface for Global Protect.

 

The second option is a little bit more complicated, but it will also work. You can configure second physical interface in the external subnet and give it IP 10.10.10.10.6/24  (not 32 for the reasons above). Then create new virtual router with the new interface in. You can utilise inter-vr routing and if needed policy based forwarding to route traffic to and from that interface. 

 

Highlighted
L3 Networker

As for GP, can i just do this: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClJHCA0

 

Will that be an issue?

Highlighted
L4 Transporter

@Shawverr This what I was trying to explain. You need to do the "Option2" in the article. Configure loback and create NAT for it

Highlighted
L3 Networker

@TransporterI appreciate you're help with this.  Just so I'm clear, option one isn't viable because..........

L4 Transporter

@Shawverr In you original post you said:

"We would like to create a new outside interface on the firewall and start using it for other services, such as our Global Protect VPN and so on."

Option1 is having two IP Addresses  192.168.200.1/24 and  192.168.200.2/32 on the same physical etherent1/4 will work in a sense that you will be able to reach the fireawll on .1. and the .2 address, but it will  not give you any benefits of having a second interface . You will not be able to have different services, different profiles, zones etc., so it will not match your requirement. 

Option2 (nat to loopback interface) will give you the benefit of having two individual interfaces in the same subnet. 

View solution in original post

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!