How to setup multiple IP Public address on PA-200

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

How to setup multiple IP Public address on PA-200

L2 Linker

Hi,

We're facing an architecture where there are multiple address that needs to be used for a specific pool of IP from the LAN interface.

Let's supose that we have 3 IP PUBLIC address 10.X.X.2; 10.X.X.3 and 10.X.X.4 and the gateway has the IP 10.X.X.1

From the LAN interface we might expect to get a range of IP Pool addresses

192.168.1.X to 192.168.1.Y

192.168.1.Z to 192.168.1.W

192.168.1.T to 192.168.1.U


Traffic from the LAN to the WAN should expect the rule as stated below:

LAN from 192.168.1.X to 192.168.1.Y to WAN 10.X.X.1

192.168.1.Z to 192.168.1.W to WAN 10.X.X.2

192.168.1.T to 192.168.1.U to  WAN 10.X.X.3


First question, Can we define a PORT INTERFACE with multiple IP public interface? If so,

Second Question, Shall we create a NAT rule for each range of IP pool?

Do we need to create several static route within the VIRTUAL ROUTERS  as we have several IP addresses.


Your thoughts are much appreciated...

1 accepted solution

Accepted Solutions

L7 Applicator

Welcome to PanOS.  It sounds like what you want is one-to-one nat for the three servers.

Have a look at this document for PanOS nat.  Page 15 and following is the the one-to-one nat configuration process you will follow.

Understanding PAN-OS NAT

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

View solution in original post

7 REPLIES 7

L5 Sessionator

mbeghdadi

There is no need to define all the IPs on the public Interface, if they are all of the same network then just create NAT rules using and device will automatically respond to ARP for these IPs

You will have to create NAT rule if you want to 1-1 mapping between the LAN networks and public IPs

I don't think there is any need of virtual routers on LAN side as long as all the networks are different.

Hope it helps!

L7 Applicator

Welcome to PanOS.  It sounds like what you want is one-to-one nat for the three servers.

Have a look at this document for PanOS nat.  Page 15 and following is the the one-to-one nat configuration process you will follow.

Understanding PAN-OS NAT

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

L7 Applicator

Hello,

bat is correct.

You may follow this discussion from prxy ARP feature: Re: Proxy-Arp behavior and NAT's

ARP Proxy

Thanks

L2 Linker

Hi All,

Thanks for your quick feedback.

so If I understood your points.

Looks like I just ned to define an IP address for the WAN port interface? But which one ? 10.X.X.2; 10.X.X.3 and 10.X.X.4 ?

Then I have to configure a One to One NAT rule ? But How? Like the one below

NAT RULE

source LAN

Zone TRUST

Source address  192.168.1.X to 192.168.1.Y (X could be 10 and Y 50)

Destination WAN

Zone UNTRUST

Destination address 10.X.X.2

The idea is to have One FIREWALL, One ISP, but within the LAN, there are several companies and therefore each companies will get and be assigned with a range of IP LAN addresses and each company will get its own IP public address using a common WAN interface

Hello,

You can configure one IP address on the interface i.e 10.X.X.1

Configure the NAT rule as mentioned below.

NAT RULE-1

Zone TRUST

Source address  192.168.1.X to 192.168.1.Y (X could be 10 and Y 50)

Destination ANY

Zone UNTRUST

Destination address ANY

Source NAT:

Translation type: Dynamic IP and port

Address type: translated address

Address:10.X.X.1

=================================

NAT RULE-2

Zone TRUST

Source address  192.168.1.A to 192.168.1.B (A could be 64 and B 128)

Destination ANY

Zone UNTRUST

Destination address ANY

Source NAT:

Translation type: Dynamic IP and port

Address type: translated address

Address:10.X.X.2


=================================

NAT RULE-3

Zone TRUST

Source address  192.168.1.M to 192.168.1.N (M could be 129 and N 255)

Destination ANY

Zone UNTRUST

Destination address ANY

Source NAT:

Translation type: Dynamic IP and port

Address type: translated address

Address:10.X.X.3


Thanks

L7 Applicator

As per the above mentioned NAT policy,

Company A (192.168.1.1 to 192.168.1.63) will translate ( source NAT)  to public IP 10.X.X.1

Company B (192.168.1.64 to 192.168.1.127) will translate ( source NAT)  to public IP 10.X.X.2

Company C (192.168.1.128 to 192.168.1.255) will translate ( source NAT)  to public IP 10.X.X.3

Thanks

Hello,

I do appreciate your support and quick recommendations. I'll try to configure in the way you mentionned and get back to you guys..

Again thanks a lot !!

  • 1 accepted solution
  • 5909 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!