This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Presales question: External IP address assigned through DHCP and /29 routed to this IP, possible?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Presales question: External IP address assigned through DHCP and /29 routed to this IP, possible?

HaVaNL
L0 Member

‎04-28-2019 08:48 AM

Hi all,

 

I am considering to replace my Cisco ASA 5505 by a PA-220.

My situation is as follows:

  1. The external interface is part of a trunk where internet connectivity is delivered on a specific VLAN.
  2. The IP address on the external interface is assigned by DHCP which unfortunately is mandatory.
  3. A public /29 subnet is routed to that DHCP assigned IP address. This /29 subnet is part of a different subnet than the DHCP assigned IP address.
  4. I am able to use the /29 subnet to publish internal servers with private IP addresses to the internet where it doesn't matter in which internal private subnet these machines are located (DMZ, LAN).

As soon as the ASA has a NAT rule and a security rule it will happily start forwarding packets the the published server. There is no need to assign any of the /29 IP addresses to any interfaces. For ease of management I just create an object for each IP address (x.x.x.x/32) and use it in the NAT rules.

 

Before I'm going to buy a PA-220 I need to know if it can do this as well.

So far studying the documentation and knowledge base I figured out that 1 and 2 should be no problem. But I can not find anything on 3 and 4.

 

So the big question is can the PA-220 do 3 and 4?

If yes how?

 

Regards,

Han.

 

0 Likes Likes
1 REPLY 1

Remo
L7 Applicator

‎04-28-2019 10:31 AM

Hi @HaVaNL 

 

@HaVaNL wrote:

As soon as the ASA has a NAT rule and a security rule it will happily start forwarding packets the the published server. There is no need to assign any of the /29 IP addresses to any interfaces. For ease of management I just create an object for each IP address (x.x.x.x/32) and use it in the NAT rules.

On the PA this works in exactly the same way, so yes also point 3 and 4 are possible.

 

Regards,

Remo

 

0 Likes Likes
  • 2334 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks