I hope you can lend me a hand here.
Our ISP finally allocated us a Public /25 (aa.bb.cc.0/25) subnet which will be routed via the existing /30 (xx.yy.zz.2/30) internet link that we have.
We want to split it in half and use the Shared Gateway to route the traffic. The first half is for our webservers in VSYS1. The other half is for office users who are in VSYS2, which is where we also want our GlobalProtect to terminate on.
(Before I start breaking things apart)
Q: Because we now have public IPs, should I continue to do all the NATs on the Shared Gateway, OR can I now use each VSYS to do the NAT'ing? We prefer the latter, but I'm not sure what else will break or what else to consider going down this path.
I guess having NATs in Shared gateway will be more appropriate. If you configure NAT on vsys, there will be routing considerations on the Shared gateway vsys.
Here is an article for a bidirectional NAT involving shared gateway: https://live.paloaltonetworks.com/t5/Configuration-Articles/Configuring-Destination-NAT-using-a-VSYS...
Please see if it helps. You can approach TAC if need any specific help.
I would second the NAT option. Set up a private subnet for each group of web servers (on their own zones) and then just NAT the traffic. I would create a static bidirectional NAT on the PA FW and then set up inbound Security Rules to only allow the inbound traffic to the servers on their proper protocol.
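Added example, not from the thread or from Palo Alto Networks: PAN-OS "set" commands showing the static bidirectional NAT plus the narrow inbound security rule described in the reply above, for one web server. Zone names (Untrust, Web-DMZ), the private address 10.1.1.10 and the public address aa.bb.cc.10 (picked from the /25 in the question) are all constructed assumptions. The commands are written for a vsys rulebase context; if the NAT is kept on the Shared Gateway as the earlier reply suggests, the same rule fields apply under the shared-gateway context instead.

```text
# Constructed example (not from the thread): PAN-OS "set" commands for one
# web server. Assumes zones Untrust and Web-DMZ, private server 10.1.1.10
# and public address aa.bb.cc.10 taken from the /25 in the question.

# Address objects so the rules stay readable
set address web01-private ip-netmask 10.1.1.10/32
set address web01-public ip-netmask aa.bb.cc.10/32

# Static bidirectional NAT: outbound traffic from the server is translated
# to the public IP, and "bi-directional yes" auto-creates the matching
# inbound destination NAT (public -> private) without a second rule.
set rulebase nat rules web01-static-nat from Web-DMZ to Untrust source web01-private destination any service any source-translation static-ip translated-address web01-public bi-directional yes

# Inbound security rule. Security policy matches PRE-NAT addresses but
# POST-NAT zones, so the destination is the public address object while
# the "to" zone is the internal zone the server actually sits in.
set rulebase security rules allow-inbound-web01 from Untrust to Web-DMZ source any destination web01-public application [ web-browsing ssl ] service application-default action allow
set rulebase security rules allow-inbound-web01 log-end yes

# Anything else inbound to the public IP falls through to the implicit
# interzone-default deny, so no explicit deny rule is needed.
```

Worth checking after commit: `test nat-policy-match` and `test security-policy-match` with the public IP as the destination confirm that the implied inbound NAT rule fires and that only web-browsing/ssl is allowed; if the security rule is written with the private address as destination it will never match inbound traffic, because the policy lookup sees the pre-NAT public address.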