We want to use inbound NAT in different VSYS on a PAN 4020 device. The question is: is it possible to use addresses (the MIP equivalent on NetScreen devices) from the same subnet on different physical interfaces in different vsys? On NetScreen devices we must split addresses into different subnets and do the routing on network routers behind the firewall. Is the same condition present on Palo Alto devices, or can we make it work without this kind of segmentation?
Thank you for your answers.
Yes, this is possible, but it requires a separate virtual router per physical interface in the same subnet.
Since you are working with multiple vsys you will already have a separate VR from the one that holds the original IP subnet, so you can create an interface in the same subnet as the first VR.
As far as whether or not this is possible, yes. You can create (2) unique VRs within the same vsys (assigning each physical L3 interface to its designated VR), assign IPs to each of the L3 interfaces on the same subnet, with both interfaces (separate VRs) assigned to the same zone (as long as the IPs do not conflict, as the PAN will not allow you to commit).
As far as functionality/expected behavior, I'd suggest implementing/experimenting with this configuration in a test environment.
I assumed it was possible as well but when I tried it an incoming service that was dst NAT'd broke and I have yet to figure out why. There was a gap in the log traffic until I had removed the changes so basically the Palo was not seeing the incoming traffic from the Internet for this particular service. The only thing I could think of was that maybe the Palo started to proxy-arp out of the new interface hence pulling traffic into the wrong vrouter. It was just a theory and not one I can prove without breaking the environment again at the moment! I need to schedule an out-of-hours change to try again.
We have built a similar config, but on 1 vsys with 4 IP addresses in one subnet on the public interface.
At first we were only able to configure this using the primary IP with a /29 subnet and the other 3 IP addresses with a /32 subnet mask.
Not the cleanest configuration of course. Eventually we found out that it is possible to configure just one IP address with /29 and just configure the other addresses using the NAT configuration.
This seems to work perfectly fine. Probably not a direct answer, but it might push others in the right direction.
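The single-vsys layout described in the previous reply, written out as PAN-OS configure-mode set commands. This is an added example, not configuration from any poster; the interface, zone, address-object and rule names and the RFC 5737 addresses are constructed, and the intent is to show that only the primary IP is bound to the interface while the remaining public IPs exist solely as destination-NAT targets.

```text
# Assumed public block 203.0.113.8/29 (constructed). Only the first usable
# address is assigned to the interface; the others are never configured as
# interface IPs, so no /32 secondaries and no second virtual router are needed.
set network interface ethernet ethernet1/1 layer3 ip 203.0.113.10/29
set network virtual-router default interface ethernet1/1
set zone untrust network layer3 ethernet1/1
set network virtual-router default routing-table ip static-route default destination 0.0.0.0/0 nexthop ip-address 203.0.113.9

# Internal server interface (constructed)
set network interface ethernet ethernet1/2 layer3 ip 10.10.10.1/24
set network virtual-router default interface ethernet1/2
set zone dmz network layer3 ethernet1/2

# Additional public IPs exist only as address objects used by NAT rules.
set address pub-web ip-netmask 203.0.113.11/32
set address pub-mail ip-netmask 203.0.113.12/32
set address srv-web ip-netmask 10.10.10.20/32
set address srv-mail ip-netmask 10.10.10.25/32

# Destination NAT: pre-NAT zone is untrust on both sides of the rule because
# the packet arrives on ethernet1/1 with a destination still in the public block.
# The firewall answers ARP for these NAT addresses on the ingress interface's
# subnet, which is why they need not be bound to the interface.
set rulebase nat rules dnat-web from untrust to untrust source any destination pub-web service service-https destination-translation translated-address srv-web
set rulebase nat rules dnat-mail from untrust to untrust source any destination pub-mail service any destination-translation translated-address srv-mail

# Security policy is evaluated on the post-NAT zone but the pre-NAT address,
# so the destination here is the public object and the "to" zone is dmz.
set rulebase security rules allow-web from untrust to dmz source any destination pub-web application ssl service application-default action allow
set rulebase security rules allow-mail from untrust to dmz source any destination pub-mail application smtp service application-default action allow
```

After committing, `show arp all` on the firewall and an ARP query from the upstream router for 203.0.113.11 are the quickest checks that the firewall is answering for the NAT-only addresses; if it is not, traffic for those IPs will fall into the same silent gap the earlier reply describes.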