Multiple external IP's and Global protect (Not NAT)

Reply
Highlighted
L3 Networker

Multiple external IP's and Global protect (Not NAT)

Hi

I did a search on the forums for multiple IP's and found a lot of posts talking about how the Palo deals with multiple external IP's - i.e. if your ISP assigns you a /29 block and you need to NAT multiple application into your network. So basically you pick one IP, load that on the Palo interface and then just do NAT. Palo will ARP for any additional IP's used in NAT rules without the need to load those additional IP's on the Palo interface. I would prefer to load the IP's on the interface regardless of NAT because then you can see which external IP's has been allocated to the Palo.

This post kinda touch on the need to have additional IP's loaded somewhere on the Palo, but it is not for NAT, it’s for Global Protect. How do I go about loading the additional external IP's from the /29 block on the Palo box to use in my Global Protect configuration? - i.e. I need one external IP for the gateway and another for the portal. Or what is the recommended way of setting this up?

Thanks

Highlighted
L6 Presenter

Hi...You can load additional IPs onto the interface simply by adding them with a /32 mask to denote a single host.  Here's an example of adding .2 and .3 to an existing interface.

For Global Protect, you can assign the IP/32 to a loopback interface.  Thanks.

Highlighted
L4 Transporter

hi,

I can directly select interface and 32bit IP Address which assigned .1/24 .2/32 .3/32 at GP setting window.

Which is better to use for GP, direct inteface or loopback interface?

I want to the specific reason why you answers using loopback I/F.

Highlighted
L6 Presenter

I think (just guessing) that using loopback would be better in Active/Active situations.

Highlighted
L6 Presenter

You can use a loopback interface whenever you don't want to tie it to a physical port and to have more flexibility.  You may be connected to several ISPs but don't want to assign an IP/32 to a port in case the port goes down.  Using the loopback would allow the IP/32 to be reachable across all ports and not be affected by port goin up & down.

Thanks.

Highlighted
L4 Transporter

I know I'm reviving an old thread, but I figured I'd toss this tip in there too in case anyone else stumbles across this thread...

You can also build untagged subinterfaces off a main interface if for some reason you want your multiple assigned IP addresses to be in separate zones

So you can have your main eth1/1 interface, and then have eth1/1.1 be in zone untrust1, eth1/1.2 be in zone untrust2, eth1/1.2 be in zone untrust3, etc.

The "untagged subinterface" part is so that you don't have to convert the interface to a trunk port - the subinterfaces are logically separate, but don't correlate to specific VLANs (which is the normal way one thinks of subinterfaces e.g. on a router with a switch)

L0 Member

I cannot seem to duplicate this.  I keep getting Operation Failed: units -> ethernet1/1.2 constraints failed : tag is required.

Am I missing a step somewhere?  I would like to have a second external ip assigned on a sub-interface of eth 1/1 so that I can manage that traffic differently with an "Untrust-VPN" zone.

Highlighted
L0 Member

I found what I needed here for anyone who may need it as I did.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!