- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
08-15-2014 09:04 PM
Hi everyone ... just bought a PA-200, and this is my first experience with this sort of device. A little bit of a learning curve!
I am moving from a Barracuda Link Balancer. This is my setup.
We have 5 public IP addresses, let's say for simplicity sake 173.61.106.10-14. ISP gateway is 173.61.106.1. We have FIOS and all 5 IPs come through 1 cable. The cable goes into a switch. One cable from the switch goes to the Barracuda. The Barracuda manages IPs .10 .11 .12 on it's WAN port. .13 goes to a Wifi device and .14 goes to our VOIP system.
We currently have traffic hitting all 3 public IPs on the Barracuda and being forwarded to our internal LAN. I'd like to keep this as-is.
Couple of questions, because I've gotten conflicting info from the support people I have talked to thus far.
1. Can you have multiple IP addresses on one interface, as I do above with the Barracuda? If so, could I get some basic advise on how to set that up? I've seen "use /32" and "use subinterface" and "you can't do that" on this discussion forum. I'm hoping to get the final answer!
I think if I get the basics of how that would work, that will get me to my next questions.
Thanks in advance!
08-16-2014 05:06 AM
The conflicting answers are because of the nuances of the possible situations.
You can put multiple ip addresses on an interface but they cannot be in the same subnet.
In your situation it just appears that the Barracuda works differently than the Palo Alto. Instead of putting multiple same subnet ip addresses on an interface the Palo Alto and most other firewalls only put one. You then use nat and proxy arp to forward those addresses down to the ultimate server destinations.
You can start with this document to determine what type of nat is best for your scenario.
08-16-2014 06:14 AM
What I have done several times is put a single public ip on the physical interface, then I create a loopback interface which has all of the other /32 addresses. Then create your NAT policies.
You may be able to skip the loopback portion but I have better luck with doing it.
08-16-2014 11:30 AM
Hi Steve,
You can have multiple IPs on an interface in the same subnet - but you don't seem to be able to do it from the GUI. (At least in 5.x - I've not tried in 6.x)
On the CLI; you can specify an additional IP (in the same subnet) on an interface as long as you do not specify any subnet mask.... (The GUI's validity checks ensures the slash of the subnet mask is specified - hence why you can't do this through the GUI.).
Here's an example from a live box,
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.2 tag 2
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.2 ip 10.20.1.254/18
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.2 ip 10.20.1.1
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.2 interface-management-profile PingAccess
It took a bit of frantic searching to get this working once; when I moved a LAN to a PA to find half the hosts on the LAN were using .254 for their gateway and the other half using .1!
Cheers,
aid
08-16-2014 11:33 AM
Yeah, you can skip the loopbacks as if an IP address is specified in a NAT rule that is in the same subnet as one of the interfaces of the firewall; the firewall will automatically "proxy arp" for this IP address on that LAN.
08-16-2014 01:34 PM
Can I use subinterfaces?
I tried reaching out to support, and he had me make a "blank" interface ethernet 1/1 and then a subinterface 1.1 1.2 and 1.3
I'm also having an issue where I cannot get traffic back through my FIOS router because of an ARP issue. I think I have that one figured out, though.
08-16-2014 01:35 PM
Another question ... can I accomplish this with NAT?
The .10 is going to my desktops, and the .12 is going to a mail server.
My concern is down thee road when I need two things on port 80 (or whatever) that I cannot move.
08-16-2014 02:55 PM
Sub-interfaces are what you use to connect the firewall to a switch trunk port with multiple vlans. This is the PA support for 802.1Q standard trunking. This would not be appropriate for your situation where all these address really are coming in from a single vlan on an untagged port.
Nat is the standard solution to the scenario you have where you want to take your carrier public addresses and forward either the entire address or selective ports to an internal address on your network.
One advantage of this method is that it is easy to change that server address down the road and the outside world never notices. they are still sending the same DNS entry and public address but the firewall simply changes the nat rule to hit a new server.
08-16-2014 07:07 PM
So with NAT policies on the PA-200 I can plug my FIOS cable into one of the ports and "listen" for all 5 public IPs on that cable?
08-16-2014 08:32 PM
Yes. And not just with the PAN200, that is how you would typically configure any perimeter firewall.
08-17-2014 04:07 AM
BRRABill wrote:
So with NAT policies on the PA-200 I can plug my FIOS cable into one of the ports and "listen" for all 5 public IPs on that cable?
As mackwage says, nat is the standard procedure for this operation on any firewall. The process works via proxy-arp from the interface facing your carrier. When an interface has the address configured it will automatically respond to requests from the FIOS for that address. Proxy-arp is when an address is used by nat the interface configured with a different address responses for that address. So there is no need for that address to be configured on the interface facing your FIOS.
On the PA when you configure this type of nat rule in the same subnet as the FIOS interface the firewall will automatically take care of the proxy-arp. On other firewalls you may have to specify the interface and ip address you want a proxy-arp to occur.
08-18-2014 06:50 AM
You can put mulitple /32s on an interface. Make the first IP you add have the correct subnet mask, and have all additional IPs have a /32. We do this today, right now, in production on our PAs.
08-18-2014 06:50 AM
Steven - you have to add IPs to the interface in question, otherwise the interface itself won't ARP out for inbound traffic.
You can put mulitple /32s on an interface. Make the first IP you add have the correct subnet mask, and have all additional IPs have a /32. We do this today, right now, in production on our PAs.
08-18-2014 06:53 AM
You just had to go and disagree. Now I have to set it up in my lab and test for myself. Lol :smileylaugh:
08-18-2014 07:03 PM
Well, what did you find out?
Can you see why I am having issues getting this configured? LOL.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!