Is it possible to use public IPs on the same subnet on different interfaces?

Reply
asia
L3 Networker

Is it possible to use public IPs on the same subnet on different interfaces?

Hello,

We want to use inbound NAT in different VSYS on a PAN 4020 device. The question is, is it possible to use adresses(mip equivalent on netscreen devices) from the same subnet on different phisycal interfaces in different vsys? On netscreen devices we must split adresses in different subnets and make routing on network routers behind the firewall, is the same condition present on Palo Alto devices or we can make it work without this kind of segmentation.

Thank you for your answers.

Regrd's.

Tags (1)
reaper
L7 Applicator

Hi

yes this is possible, but it requires a separate virtual router per physical interface in  the same subnet.

Since you are working with multiple vsys you will already have a separate VR from the one that holds the original IP subnet, so you can create an interface in the same subnet as the first VR

regards

Tom

Tom Piens - PANgurus.com
Like my answer? check out my book! amazon.com/dp/1789956374
brownn
L0 Member

Hi,

Along the same lines as this is it ok to have 2 seperate vrouters (same vsys), each with an interface attached to the same subnet and with the interfaces assigned the same zone?

Many thanks

bryan
L3 Networker

Hello,


As far as whether or not this is possible, yes. You can create (2) unique VR's within the same vsys (assigning each physical L3 interface to their designated VR's), assign IP's to each of the L3 interfaces on the same subnet, with both interfaces (seperate VR's) assigned to the same zone. (as long as the IP's do not conflict as the PAN will not allow you to commit).

As far as functionality/expected behavior, I'd suggest implementing/experimenting with this configuration in a test environment.


Regards,


Bryan

brownn
L0 Member

Thanks bryan,

I assumed it was possible as well but when I tried it an incoming service that was dst NAT'd broke and I have yet to figure out why. There was a gap in the log traffic until I had removed the changes so basically the Palo was not seeing the incoming traffic from the Internet for this particular service. The only thing I could think of was that maybe the Palo started to proxy-arp out of the new interface hence pulling traffic into the wrong vrouter. It was just a theory and not one I can prove without breaking the environment again at the moment! I need to schedule an out-of-hours change to try again.

bsanders
L2 Linker

Hi,

We have built a similar config, but on 1 vsys with 4 ip adresses in one subnet on the public interface.

At first we were only able to configure this using the primary IP with a /29 subnet and the other 3 IP adresses with a /32 subnetmask.

Not the cleanest configuration of course. Eventually we found out that it is possible to configure just one IP address with /29 and just configure the other adresses using the NAT configuration.

This seems to work perfectly fine.  Probably not a direct answer, but it might push others in the right direction.

Best regards,

Bas Sanders

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!