Configuring WAN interface with multiple subnets


We have a PAN 3050 running 7.0.1. We are about to receive a new circuit from our ISP that has a new /30 for the serial to the ISP. What I will have is a /30 (the serial connection), two /29s and one /28. I will use the /29 for incoming requests with NAT for port translation to access the backend; this subnet is already set up for this and in use. The /28 I am going to initially use for our outbound NAT DIP for translation to the internet. I know I can assign multiple IPs on the WAN interface, but the one time I tried adding a /29 it caused a disruption on the WAN interface and access in/out was down.

Should I add the /30 address as a /32 for the actual IP of the interface and then just simply add the other subnets as /29 and /28?

I have documentation on the basic configuration for the untrust interface; is there any for a WAN interface with multiple subnets?

Thanks for any advice,


How you configure the WAN interface depends on how your service provider configures your upstream router. If the service has already been set up, you should consult your Service Activation or Modification Notice for the details on how your site has been configured. If this is still a pending order, you can contact your sales engineer.

Typically when we provide multiple subnets on a single line we configure the /30 on the two interfaces (service provider and client firewall) and then route the remaining subnets to the client firewall IP address.

In this setup you will then choose to either use these address ranges as NAT pool configurations, or you could configure internal interfaces with all or part of any of these subnets and use the addresses directly on your equipment.

The alternative service provider setups are to run multiple subnets on the same interface, or to run the multiple subnets as Q-tag subinterfaces on the line.

But in any case you need to know what the expected configuration upstream will be.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

You should be able to simply add the new range to the interface as an additional IP subnet. Depending on your ISP's infrastructure, they may need to add a static ARP entry for your external interface for that subnet.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

I do know that our ISP will simply be routing the /28 and /29 down this new /30 to our firewall. So, it sounds like all I have to do is configure my NAT policies for the two subnets, change the default route to the new ISP IP and assign the second available IP in the /30 to my WAN interface. Does that sound right?

Thanks for your help...

Your notes are correct for routed subnets.  Should be a straightforward transition for you.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
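
A pre-change sanity check for the routed-subnet design discussed in this thread, as an added example that is not from any of the posters or from Palo Alto Networks. The function name `check_plan` is hypothetical and every address is a constructed value from the documentation ranges; substitute the values from your ISP's activation notice.

```python
import ipaddress as ipa

def check_plan(link, fw_ip, gw_ip, routed, nat_pools):
    """Return a list of problems with a routed-subnet WAN plan (empty list = OK)."""
    problems = []
    link = ipa.ip_network(link)
    fw, gw = ipa.ip_address(fw_ip), ipa.ip_address(gw_ip)
    hosts = set(link.hosts())  # usable addresses only: no network/broadcast
    if link.prefixlen != 30:
        problems.append(f"{link} is not a /30 point-to-point link")
    # The WAN interface IP and the default-route next hop must both be
    # usable hosts on the link, and must differ.
    for name, ip in (("firewall", fw), ("ISP gateway", gw)):
        if ip not in hosts:
            problems.append(f"{name} {ip} is not a usable host in {link}")
    if fw == gw:
        problems.append("firewall and ISP gateway share one address")
    # Blocks the ISP routes to the firewall must not collide with the
    # link subnet or with each other.
    blocks = [ipa.ip_network(b) for b in routed]
    for i, block in enumerate(blocks):
        if block.overlaps(link):
            problems.append(f"routed block {block} overlaps the link {link}")
        for other in blocks[i + 1:]:
            if block.overlaps(other):
                problems.append(f"routed blocks {block} and {other} overlap")
    # Every NAT address or pool must sit inside a block the ISP actually
    # routes to the firewall, or return traffic never arrives.
    for label, pool in nat_pools.items():
        net = ipa.ip_network(pool)
        if not any(net.subnet_of(b) for b in blocks):
            problems.append(f"NAT '{label}' {net} is outside every routed block")
    return problems

# Constructed plan: a /30 link, two /29s and a /28 routed to the firewall.
ROUTED = ["203.0.113.0/29", "203.0.113.8/29", "203.0.113.16/28"]
NAT = {"inbound-web": "203.0.113.2", "outbound-dip": "203.0.113.16/28"}

if __name__ == "__main__":
    issues = check_plan("198.51.100.0/30", "198.51.100.2", "198.51.100.1", ROUTED, NAT)
    print("plan OK" if not issues else "\n".join(issues))
```
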