IP Renumbering - trying to avert a slow motion disaster

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

IP Renumbering - trying to avert a slow motion disaster

L3 Networker

PAN-200

PAN OS 6


I am no networking guy, but he left, so there is me dealing with this.

We've embarked on a great project to renumber our IP addresses with very little thought in advance.

There aren't that many, we said. What could go wrong, we thought.  Well, for starters, one host that I've cutover to the new scheme can't see 'the internet' but his brothers who are in the old scheme can.

eth1/2/3 are layer 2, in  'coloprovider_msrp' vlan

eth4 is layer3, with IP address of 209.59.29.193/26

That latter IP is the gateway address of the hosts behind the PA-200.

A well meaning person told me to make this a 10.1.1.x network so I plugged that into my CIDR calculator and

Address: 10.1.1.1

Netmask: 255.255.0.0

Network Address: 10.1.0.0/16

Broadcast: 10.1.255.255

So.

I gave my test host an address of 10.1.1.4, gateway 10.1.0.0

In PA-200, ETH4 added the IP address 10.1.0.0/16

And LO my host can ping 10.1.0.0.  Great?  It cannot ping the internet - my test IP being 8.8.8.8

What am I doing wrong, oh mighty keepers of the networking flame ...

To-be physical diagram

physical.tiff

To-be Logical part one

logical-part-one.tiff

To-Be Logical part two

logical_part_two.tiff

Message was edited by: Brian Dunbar

11 REPLIES 11

L5 Sessionator

bdunbar Enjoyed reading your post :smileygrin:

Could you verify if that network is mentioned in the security as well as the NAT policy?

It does not appear to be mentioned in either my few security or NAT policy.

L3 Networker

FWIW here is my routing table before, and after ..

admin@tn-gateway-01> show routing route

flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp,

       Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2

VIRTUAL ROUTER: default (id 1)

  ==========

destination                                 nexthop                                 metric flags      age   interface          next-AS

0.0.0.0/0                                   209.59.31.137                           10     A S              vlan.10

10.50.1.1/32                                10.50.1.1                               10     A S              tunnel.10

10.50.1.2/31                                10.50.1.2                               10     A S              tunnel.10

10.50.1.4/30                                10.50.1.4                               10     A S              tunnel.10

10.50.1.8/29                                10.50.1.8                               10     A S              tunnel.10

10.50.1.16/30                               10.50.1.16                              10     A S              tunnel.10

10.50.1.20/32                               10.50.1.20                              10     A S              tunnel.10

209.59.29.192/26                            209.59.29.193                           0      A C              ethernet1/4

209.59.29.193/32                            0.0.0.0                                 0      A H

209.59.31.136/29                            209.59.31.140                           0      A C              vlan.10

209.59.31.140/32                            0.0.0.0                                 0      A H

dmin@tn-gateway-01> show routing route

flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp,

       Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2

VIRTUAL ROUTER: default (id 1)

  ==========

destination                                 nexthop                                 metric flags      age   interface          next-AS

0.0.0.0/0                                   209.59.31.137                           10     A S              vlan.10

10.1.0.0/16                                 10.1.0.0                                0      A C              ethernet1/4

10.1.0.0/32                                 0.0.0.0                                 0      A H

10.50.1.1/32                                10.50.1.1                               10     A S              tunnel.10

10.50.1.2/31                                10.50.1.2                               10     A S              tunnel.10

10.50.1.4/30                                10.50.1.4                               10     A S              tunnel.10

10.50.1.8/29                                10.50.1.8                               10     A S              tunnel.10

10.50.1.16/30                               10.50.1.16                              10     A S              tunnel.10

10.50.1.20/32                               10.50.1.20                              10     A S              tunnel.10

209.59.29.192/26                            209.59.29.193                           0      A C              ethernet1/4

209.59.29.193/32                            0.0.0.0                                 0      A H

209.59.31.136/29                            209.59.31.140                           0      A C              vlan.10

209.59.31.140/32                            0.0.0.0                                 0      A H

total routes shown: 13

L3 Networker

Interesting: I tried to delete the reference to 209.59.29.193/26 from eth4 and was told ..

Validation Error:

deviceconfig -> system -> route -> destination -> 209.59.29.221 -> source -> address '209.59.29.193/26' is not a valid reference

deviceconfig -> system -> route -> destination -> 209.59.29.221 -> source -> address is invalid

config commit phase 1 aborted(Module: routed)

Config commit phase 1 aborted(Module: device)

panike_daemon phase 1 aborted(Module: ikemgr)

config commit phase 1 aborted(Module: dhcpd)

config commit phase 1 aborted(Module: varrcvr)

modhttpd phase 1 aborted(Module: l3svc)

Now .. 209.59.29.221 is one of two active directory servers I have.  And of course, I have UserId talking to them.  Ideas?

We really need to see a network topology and what the change of address affects old versus new.

Security policies and nat rule changes are already mentioned.

You seem to have vpn connections using static routes, this will likely mean you also need to make routing changes at those remote sites to reach the new network and then decommission the old one as well.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

I need to update my diagrams to reflect changes that were inflicted last night - I'll do that and update.  Not the very least because I need to update.

I did also create a support case last night (there was talk around the cage that the problem was a defective unit, and more talk that we should just nuke the firewall and reinstall from scratch, and I really, really, wanted to not do that).  The support tech, Ceaser, ID'd the problem, in a nutshell, and my words, 'you are trying to route a non-routable network'.

He sent notes, and suggested we get in touch with our SE (I didn't know we had one of those!) but, in a nutshell, the fix is to take my three layer 2 interfaces and make them layer 3.

"Non-routable networks don't route".  Seems so obvious after-the-fact.

For what it is worth, I have attached the to-be physical and logical diagrams. 

L3 Networker

HI,

10.1.0.0/16 is not a legal IP address to apply to your firewall - that's actually the subnet address.

Update your firewall to use 10.1.1.1/16 and place your hosts with 10.1.1.x (where x > 1!) addresses with a net mask of 255.255.0.0 and a default gateway of 10.1.1.1.

Good luck

aid

Interesting.  Those documents are now out-of-date.

Last night I was on the phone with Wes, our Palo Alto SE (hi, Wes) and we did this ..

eth4 IP

10.1.0.1/16

209.59.29.193/26

Applied this IP to a host

IP 10.1.1.40

Subnet: 255.255.0.0

Gateway: 10.1.0.1

And it worked.

Sure, of 65535 addresses from 10.1.0.0 through to 10.1.255.255 - these two are the only ones you can't use as the gateway.  Was bad luck choosing one of them. 😉

Did you get some suitable NAT sorted out with the PA SE?

Did you get some suitable NAT sorted out with the PA SE?


We did: kudos to Wes for being awesome.

  • 6523 Views
  • 11 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!