Route Public IP range through Shared Gateway


L0 Member

Hi guys,

 

I hope you can lend me a hand here.

 

Our ISP finally allocated us a Public /25 (aa.bb.cc.0/25) subnet which will be routed via the existing /30 (xx.yy.zz.2/30) internet link that we have.

 

We want to split it in half and use the Shared Gateway to route the traffic. The first half is for our webservers in VSYS1. The other half is for office users who are in VSYS2, which is where we also want our GlobalProtect to terminate on.

 

(Before I start breaking things apart)

 

Q: Because we now have public IPs, should I continue to do all the NATs on the Shared Gateway, OR can I now use each VSYS to do the NAT'ing? We prefer the latter, but I'm not sure what else will break or what else to consider going down this path.

 

Thanks!

 

 

 

2 REPLIES

L4 Transporter

Hi,

 

I guess having NATs in Shared gateway will be more appropriate. If you configure NAT on vsys, there will be routing considerations on the Shared gateway vsys.

 

Here is an article for a bidirectional NAT involving shared gateway: https://live.paloaltonetworks.com/t5/Configuration-Articles/Configuring-Destination-NAT-using-a-VSYS...

 

Please see if it helps. You can approach TAC if you need any specific help.

 

Best Regards,

Abhishek

L3 Networker

I would second the NAT option. Set up a private subnet for each group of web servers (on their own zones) and then just NAT the traffic. I would create a static bidirectional NAT on the PA FW and then set up inbound Security Rules to only allow the inbound traffic to the servers on their proper protocol.
