Route Public IP range through Shared Gateway

L0 Member

Hi guys,

I hope you can lend me a hand here.

Our ISP finally allocated us a public /25 (aa.bb.cc.0/25) subnet which will be routed via the existing /30 (xx.yy.zz.2/30) internet link that we have.

We want to split it in half and use the Shared Gateway to route the traffic. The first half is for our webservers in VSYS1. The other half is for office users who are in VSYS2, which is where we also want our GlobalProtect to terminate on.

(Before I start breaking things apart)

Q: Because we now have public IPs, should I continue to do all the NATs on the Shared Gateway, OR can I now use each VSYS to do the NAT'ing? We prefer the latter, but I'm not sure what else will break or what else to consider going down this path.

Thanks!

L4 Transporter

Hi,

I guess having NATs in the Shared Gateway will be more appropriate. If you configure NAT on a vsys, there will be routing considerations on the Shared Gateway vsys.

Here is an article for a bidirectional NAT involving a shared gateway: https://live.paloaltonetworks.com/t5/Configuration-Articles/Configuring-Destination-NAT-using-a-VSYS...

Please see if it helps. You can approach TAC if you need any specific help.

Best Regards,

Abhishek

L3 Networker

I would second the NAT option. Set up a private subnet for each group of web servers (on their own zones) and then just NAT the traffic. I would create a static bidirectional NAT on the PA FW and then set up inbound Security Rules to only allow the inbound traffic to the servers on their proper protocol.
