Multiple Public IP's on External Interface


All,

I apologize if this has been asked before, but I couldn't find anything related to my specific question. I am a newbie when it comes to firewalls in general. We are going to be migrating from ISA to the PA firewall shortly, and I have a question about public IPs assigned to the outside (untrust) interface. On the ISA we "attach" all the public IP addresses to the outside-facing interface so ISA can "listen" and respond to traffic destined for that IP address. From my reading it appears the PA doesn't need to have all the public IPs assigned to the outside interface, as it will respond based on the subnet mask. For example, if I assign x.x.x.2/28 to the outside interface, it will respond to traffic destined for any IP address in that range, is that correct? If so, would there be an issue if our outside router is using x.x.x.1? Would that appear to be two devices responding to traffic on the same IP?

If the PA will respond to all IPs in the subnet, how do I go about forwarding traffic based on a certain public IP? For example, our OWA server uses x.x.x.3 and a totally different IP in the trusted network. I also have multiple web servers that have different public IPs within our assigned range. Our public DNS records direct traffic to those IPs.

Without explicitly being listed, will the PA respond to all public IP traffic based on the subnet? Do I then create static NAT rules to direct all inbound traffic based on which public IP the traffic is hitting?

Hope this makes sense. Like I said, I am coming from ISA, where the configs are wizard-driven so even a newbie can set that up. ISA also doesn't use inbound NAT the way PA does, as it does a reverse proxy, so inbound NAT is kinda foreign to me. Thanks for any help that can be provided.

Ken

5 REPLIES

L3 Networker

Well, you are almost right :)

Yes, the PAN device can and must exist within the same subnet as your default gateway (Palo IP *.2 vs. default GW IP *.1). No, it doesn't "listen" to all available public IPs (proxy-ARP for those IPs in the public subnet). It does, however, proxy-ARP (listen) for those IPs where you explicitly create NAT policies.

You can create NAT policies by having loads of IPs on your public (internet-facing) interface. Another, more practical approach would be to have address book entries for both the public and private IP of the servers/hosts you want to NAT between. Example:

OWA_Pub = 195.x.y.5/32

OWA_Priv = 10.x.y.5/32

NAT policy to access OWA could look like:

From: Untrust_Zone To: Untrust_Zone From: ANY (IP) To: OWA_Pub NAT: Destination OWA_Priv

Security Policy could look like:

From: Untrust_Zone To: Trust_Zone From: ANY (IP) To: OWA_Pub Action: Allow
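The two rules in the reply above encode the behaviour that trips up people coming from ISA: the NAT rule is written Untrust-to-Untrust because it is evaluated on the original (pre-NAT) destination, while the security rule uses the post-NAT zone (Trust) but still the pre-NAT public address (OWA_Pub). The following is an added example, not code from the original thread and not PAN-OS; it is a small Python model of that lookup order and of the proxy-ARP behaviour the reply describes. The zone names, rule names, the 203.0.113.0/28 public block and the 10.x private addresses are constructed for illustration.

```python
"""Model of inbound destination NAT on a Palo Alto style firewall.

Constructed example: zone/rule names and all addresses are assumptions.
Behaviour modelled (as stated in the thread):
  * the box answers ARP only for its own interface IP plus the pre-NAT
    destinations of NAT rules that fall inside the interface subnet;
  * NAT lookup uses pre-NAT zones/addresses (hence Untrust -> Untrust);
  * security lookup uses the post-NAT zone but the pre-NAT destination IP.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network


@dataclass(frozen=True)
class NatRule:
    name: str
    from_zone: str
    to_zone: str              # zone the ORIGINAL destination routes to
    dst: IPv4Address          # pre-NAT public address (e.g. OWA_Pub)
    translated: IPv4Address   # post-NAT private address (e.g. OWA_Priv)


@dataclass(frozen=True)
class SecRule:
    name: str
    from_zone: str
    to_zone: str              # POST-NAT zone (where the translated IP lives)
    dst: IPv4Address          # still the PRE-NAT public address
    action: str               # "allow" or "deny"


class Firewall:
    def __init__(self, untrust_addr, routes, nat_rules, sec_rules):
        self.untrust_ip = ip_address(untrust_addr.split("/")[0])
        self.untrust_net = ip_network(untrust_addr, strict=False)
        self.routes = {ip_network(n): z for n, z in routes.items()}
        self.nat_rules = list(nat_rules)
        self.sec_rules = list(sec_rules)

    def zone_for(self, ip):
        """Longest-prefix route lookup mapped to a zone."""
        best = max((n for n in self.routes if ip in n), key=lambda n: n.prefixlen)
        return self.routes[best]

    def proxy_arp_targets(self):
        """Public IPs this box answers ARP for (interface IP + NAT targets)."""
        targets = {self.untrust_ip}
        for r in self.nat_rules:
            if r.dst in self.untrust_net:
                targets.add(r.dst)
        return targets

    def answers_arp_for(self, ip):
        return ip_address(ip) in self.proxy_arp_targets()

    def handle(self, src_zone, dst):
        """Trace one inbound packet: ARP -> NAT lookup -> security lookup."""
        dst = ip_address(dst)
        if dst not in self.proxy_arp_targets():
            # Nobody answers ARP for this address, so the frame never arrives.
            return {"arp": False, "nat": None, "sec": None, "action": "unreachable"}
        # NAT: pre-NAT source zone, zone of the original destination, pre-NAT IP.
        nat = next((r for r in self.nat_rules
                    if r.from_zone == src_zone
                    and r.to_zone == self.zone_for(dst)
                    and r.dst == dst), None)
        post_dst = nat.translated if nat else dst
        post_zone = self.zone_for(post_dst)
        # Security: post-NAT zone, but the destination IP is still the pre-NAT one.
        sec = next((s for s in self.sec_rules
                    if s.from_zone == src_zone
                    and s.to_zone == post_zone
                    and s.dst == dst), None)
        return {"arp": True,
                "nat": nat.name if nat else None,
                "post_dst": str(post_dst),
                "post_zone": post_zone,
                "sec": sec.name if sec else None,
                # default interzone behaviour when nothing matches
                "action": sec.action if sec else "deny (no match)"}


def build_example():
    """Constructed topology: ISP /28, router at .1, firewall at .2."""
    a = ip_address
    return Firewall(
        "203.0.113.2/28",
        {"0.0.0.0/0": "Untrust_Zone",
         "203.0.113.0/28": "Untrust_Zone",
         "10.0.0.0/8": "Trust_Zone"},
        [NatRule("OWA_Inbound", "Untrust_Zone", "Untrust_Zone", a("203.0.113.3"), a("10.1.1.5")),
         NatRule("Web1_Inbound", "Untrust_Zone", "Untrust_Zone", a("203.0.113.4"), a("10.1.1.20"))],
        [SecRule("Allow_OWA", "Untrust_Zone", "Trust_Zone", a("203.0.113.3"), "allow"),
         # Deliberate mistake: written against the POST-NAT address, so it never matches.
         SecRule("Allow_Web1_wrong", "Untrust_Zone", "Trust_Zone", a("10.1.1.20"), "allow")],
    )


if __name__ == "__main__":
    fw = build_example()
    for ip in ("203.0.113.1", "203.0.113.3", "203.0.113.4", "203.0.113.9"):
        print(ip, "arp:", fw.answers_arp_for(ip), fw.handle("Untrust_Zone", ip))
```

Running it shows the router's .1 and the unused .9 are never claimed by the firewall, OWA at .3 is translated and allowed, and the second web server at .4 is translated but dropped because its security rule names the private 10.1.1.20 instead of the public .4. Correcting that rule to the public address is the fix.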

Thanks for the information. That is exactly what I needed. So the PA will only "listen" (proxy-ARP) on the public IPs for which I have a NAT policy. This is the piece that I was missing.

Ken

L0 Member

If we had all started with NetFilter... and not with something wizard-based, everything firewall-related would be much clearer 🙂

Let's say, for example, you do not NAT (i.e., plain IP forwarding). How would one go about loading multiple IPs on a single Ethernet port?

Sorry my question was answered in another post.

https://live.paloaltonetworks.com/thread/4963
