Secondary interface addresses

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Secondary interface addresses

Not applicable

I'm trying to add more of the public IP addresses issued by my ISP to the external port on my PA-500.  When I try to commit the config, I get this error:

  • routed: In virtual-router Incoming: address 12.x.x.x/27 on interface ethernet1/1 has overlapping subnet with address 12.x.x.x/27 on interface ethernet1/1.
  • Commit failed

I have a range of 30 addresses, but can only seem to add one to the interface.  What am I missing?


Not applicable

It would seem that as I continue my research, I'm finding that the subinterfaces require VLAN tags.  I'm not certain how this will affect my traffic on the internal network.  I have some VLANs, but I wasn't planning to create new ones to accomodate the incoming traffic.  In my current firewall, I just add a list of secondary IP addresses and go about the business of NAT'ing those to other LAN addresses.  Maybe I should be looking at it another way?

L0 Member


Basically, if you put in an address of 12.x.x.1/27, for example, on an external interface of the pan, that means that we are going to be listenting for all of the IPs in that range (27 bit mask = 30 addresses). Thus putting another IP of 12.x.x.2/27 on the same interface would be redundant, and the range would be exactly the same as the first entry, causing the overlap error.

You can add individual IP addresses on the interface with a /32. For example you will be able to committ if you add the addresses like this:




But, I doubt that what you want to do is to put all 30 public IP addresses on the external interface of the firewall. But without knowing your network topology in more detail, and what your ultimate goal is in how you want to use those 30 public IPs, it's difficult for me to help you further.



So looking at your 2nd post it sounds like what you want to do is to have an outbound NAT that maps each of your internal subnets to one of the public IP addresses you received from the ISP. For example,

192.168.100.x maps to 12.x.x.1

192.168.101.x maps to 12.x.x.2

and so on.

In the PAN firewalls, this is accomplished using a NAT Policy. You can refer to page 151, figure 84 for Dynamic Source Address Translation in the PAN OS 3.0 Admin Guide for an example, but basically you create a source address translation NAP Policy for each of the subnet NAT mappings. When you create the NAT Policies, the PAN firewall will automatically proxy ARP for the public IP, and you do not need to explicitly add the IPs on the untrust interface.


"Basically, if you put in an address of 12.x.x.1/27, for example, on an external interface of the pan, that means that we are going to be listenting for all of the IPs in that range (27 bit mask = 30 addresses). "

Ah, that makes more sense.  In our current configuration, we use a small handful of that 30 address range to NAT individual websites and domains that we serve to the Internet.  Multiple sites under multiple domains.  The existing firewall requires each public address to be entered as a secondary on the external interface before you can put it in the NAT table.  I'll have to look at your suggestions on the NAT policy in the PA-500.  It seems that my preconceptions from previous firewalls are leading me astray when it comes to these new (and *better!*) ways of doing the same things.

Thanks for your help!

  • 4 replies
  • 101 Subscriptions
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!