- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
02-13-2015 12:52 PM
Hi,
We're facing an architecture where there are multiple address that needs to be used for a specific pool of IP from the LAN interface.
Let's supose that we have 3 IP PUBLIC address 10.X.X.2; 10.X.X.3 and 10.X.X.4 and the gateway has the IP 10.X.X.1
From the LAN interface we might expect to get a range of IP Pool addresses
192.168.1.X to 192.168.1.Y
192.168.1.Z to 192.168.1.W
192.168.1.T to 192.168.1.U
Traffic from the LAN to the WAN should expect the rule as stated below:
LAN from 192.168.1.X to 192.168.1.Y to WAN 10.X.X.1
192.168.1.Z to 192.168.1.W to WAN 10.X.X.2
192.168.1.T to 192.168.1.U to WAN 10.X.X.3
First question, Can we define a PORT INTERFACE with multiple IP public interface? If so,
Second Question, Shall we create a NAT rule for each range of IP pool?
Do we need to create several static route within the VIRTUAL ROUTERS as we have several IP addresses.
Your thoughts are much appreciated...
02-13-2015 02:01 PM
Welcome to PanOS. It sounds like what you want is one-to-one nat for the three servers.
Have a look at this document for PanOS nat. Page 15 and following is the the one-to-one nat configuration process you will follow.
02-13-2015 01:19 PM
There is no need to define all the IPs on the public Interface, if they are all of the same network then just create NAT rules using and device will automatically respond to ARP for these IPs
You will have to create NAT rule if you want to 1-1 mapping between the LAN networks and public IPs
I don't think there is any need of virtual routers on LAN side as long as all the networks are different.
Hope it helps!
02-13-2015 02:01 PM
Welcome to PanOS. It sounds like what you want is one-to-one nat for the three servers.
Have a look at this document for PanOS nat. Page 15 and following is the the one-to-one nat configuration process you will follow.
02-13-2015 02:11 PM
Hello,
bat is correct.
You may follow this discussion from prxy ARP feature: Re: Proxy-Arp behavior and NAT's
Thanks
02-13-2015 02:26 PM
Hi All,
Thanks for your quick feedback.
so If I understood your points.
Looks like I just ned to define an IP address for the WAN port interface? But which one ? 10.X.X.2; 10.X.X.3 and 10.X.X.4 ?
Then I have to configure a One to One NAT rule ? But How? Like the one below
NAT RULE
source LAN
Zone TRUST
Source address 192.168.1.X to 192.168.1.Y (X could be 10 and Y 50)
Destination WAN
Zone UNTRUST
Destination address 10.X.X.2
The idea is to have One FIREWALL, One ISP, but within the LAN, there are several companies and therefore each companies will get and be assigned with a range of IP LAN addresses and each company will get its own IP public address using a common WAN interface
02-13-2015 02:42 PM
Hello,
You can configure one IP address on the interface i.e 10.X.X.1
Configure the NAT rule as mentioned below.
NAT RULE-1
Zone TRUST
Source address 192.168.1.X to 192.168.1.Y (X could be 10 and Y 50)
Destination ANY
Zone UNTRUST
Destination address ANY
Source NAT:
Translation type: Dynamic IP and port
Address type: translated address
Address:10.X.X.1
=================================
NAT RULE-2
Zone TRUST
Source address 192.168.1.A to 192.168.1.B (A could be 64 and B 128)
Destination ANY
Zone UNTRUST
Destination address ANY
Source NAT:
Translation type: Dynamic IP and port
Address type: translated address
Address:10.X.X.2
=================================
NAT RULE-3
Zone TRUST
Source address 192.168.1.M to 192.168.1.N (M could be 129 and N 255)
Destination ANY
Zone UNTRUST
Destination address ANY
Source NAT:
Translation type: Dynamic IP and port
Address type: translated address
Address:10.X.X.3
Thanks
02-13-2015 02:45 PM
As per the above mentioned NAT policy,
Company A (192.168.1.1 to 192.168.1.63) will translate ( source NAT) to public IP 10.X.X.1
Company B (192.168.1.64 to 192.168.1.127) will translate ( source NAT) to public IP 10.X.X.2
Company C (192.168.1.128 to 192.168.1.255) will translate ( source NAT) to public IP 10.X.X.3
Thanks
02-13-2015 03:13 PM
Hello,
I do appreciate your support and quick recommendations. I'll try to configure in the way you mentionned and get back to you guys..
Again thanks a lot !!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!