Multiple External IP Problem

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Multiple External IP Problem

Not applicable

Hi all

I have a brand new PA500 that I have setup and everything is working fine in the outbound direction e.g. i can access the internet etc.. the problem i have is in the inbound direction. My external interface IP address is set to 89.238.148.194/28 and I have a number of other external IP addresses that i need to NAT to internal private IP addresses these are as follows:

External IP               Internal IP

89.238.148.196          172.16.0.7 - Microsoft ISA

89.238.148.197          172.16.0.7 - Microsoft ISA

89.238.148.198          172.16.0.13 - SMTP Traffic

89.238.148.199          172.16.0.39 - Port 80 Traffic

89.238.148.200          172.16.0.10 - Port 443 Traffic

The problem comes when i try and add the multiple external IPs to the external interface of the PA500 i get the following error:

OperationCommit
StatusCompleted
ResultFailed
Details  
  • routed: In virtual-router default: address 89.238.148.199/28 on interface  ethernet1/1 has overlapping subnet with address 89.238.148.194/28 on interface  ethernet1/1.
  • Commit failed

We currently have a watchguard firewall and all i do on this to add multiple external IPs is to add the additional IPs as secondary networks but with the PA500 i cant figure out why its not working.
Please any help would be great!!
Matt
7 REPLIES 7

L4 Transporter

Hi Matt,

The way to configure this is to configure NAT rules in your policies tab.

Just configure a rule per NAT that you stated and set the destination addressing.

I assume that you have an interface in the specified subnet on your external interface. That should do the trick.

Then make sure your security policies allow the incoming traffic.

Marcel.

L0 Member

Hi Stevenson,

you don't need an IP address bouned to an interfece per each NAT rule. PAN device (like many firewalls) replies to the ARP requests per each public IP address you have configured in your NAT policy.

Regards

L1 Bithead

Hi Matt,

Try using /32 as the netmask for any additional IP addresses. For example if you want to assign lets say 172.16.5.2, 172.16.5.3 and 172.16.5.4 to a single interface, you would add:

172.16.5.2/24   <- using the correct netmask here

172.16.5.3/32

172.16.5.4/32

This worked for me.

Hope this helps...

Not applicable

Nating is the route you need to take.  Example similar to yours, where I have multiple servers inside the PA unit.

The first thing I did to make it easier was to create Address objects for each server:

     Example:     ISAServer1_DMZ = 172.16.0.7 (internal address ip)

                         ISAServer1_Public = 89.238.148.196 (the public internet address)

Next you would go to Policies-->NAT

     Source Zone would be your internet facing interface zone.

     Destination zone would also be your internet facing zone.

     Destination Address would be "ISAServer1_Public"

     On the Translate tab you would choose Destination Translation with an address of "ISAServer1_DMZ" as translated address

That's for incoming.  I've also done an outgoing NAT for each of my servers so they always report their own public IP.  You would use a Static NAT for that.

Take this with a grain of salt.  This is the first PA unit I've worked with and only started about 3 weeks ago.    

dkraus - this is not the correct way to do multiple IPs on the external interface of a PAN.

If you add the address a.b.c.d/24, the firewall will ARP for any address in that subnet.  You don't need to add extra addresses on the interface, you just add the NAT rules you need and the firewall will answer for any IP that has a matching NAT rule.

This is different from many firewalls, where you have to explicitly add each individual IP you want to answer on the external iface.

If you do only want to use a single address, or say 3 addresses out of a /28 block or something, just add each of those individual ones as /32 on the external interface.  This insures that the PAN couldn't possibly attempt to ARP for any of the other addresses.

Greetings! thanks for this information.

I am currently having this problem and i have done the NAT policies. unfortunately i still have the same problem.

Can you provide a screenshot of your solution? maybe i am doing something wrong with my configuration.

Appreciate the help!

Regards,

DAX

That sounds really odd.

Of course you must specify the true netmask somewhere for a L3 interface so the PA unit knows whats local (and send arp whois) and whats remote (and to be sent to defgw or nexthop).

  • 4222 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!