This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Static Subnets to be redistributed to BGP

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Static Subnets to be redistributed to BGP

yuyingchenk
L0 Member

‎06-18-2020 02:20 AM

Hi Everyone, 

 

I am new to PA, at the moment I have got a virtual PA: 

- ethernet1/1 (Internal zone) connects to Internal router (run iBGP between)

- ethernet1/2 (Internet zone) connects to Internet router (run eBGP between)

- Setup static 1-to-1 NAT on PA, between zone Internal and Internet, NAT subnet is 203.x.x.x/24

- Setup GlobalProtect on loopback.1 interface with IP 203.x.x.1/24, Internet zone

- Setup GlobalProtect pool subnet 192.168.2xx.0/24, with tunnel.5 interface (192.168.2xx.254), VPN zone

 

I would like to advertise the following subnets, with the given conditions:

- PA advertise DMZ 203.x.x.x/24 to Internet router ONLY if PA keep the connection with Internal router

- PA advertise GlobalProtect pool subnet 192.168.2xx.0/24 to Internal router ONLY if PA keeps the connection with Internet router

 

What I have done: 

- Create 2 static routes for DMZ 203.x.x.x/24

          - static route with AD 10, interface ethernet1/2 without next-hop (this route intends to tell FW where is DMZ subnet)

          - static route with AD 20, interface ethernet1/1 without next-hop, and apply a path monitoring entry, monitor ping from PA to internal network (this route is intended for BGP advertisement, it will be removed from the route table if connection between PA and internal router is DOWN)

 

- Create 1 staitc route for GlobalProtect pool 192.168.2xx.0/24

          - static route with AD 20, interface ethernet1/1 without next-hop, and apply a path monitoring entry, monitor ping from PA to Internet network (this route is intended for BGP advertisement, it will be removed from the route table if connection between PA and internet router is DOWN)

          - PA has got a connected rotue (AD 0) for 192.168.2xx.0/24 as per tunnel.5 interface

 

- Create redistribution profiles for DMZ and GlobalProtect pool subnet separately

 

- Within BGP, add required export rules and redis rules

 

I have tested the route advertisement & link up/down, it works as expected ... however, I am not 100% confident as I am not sure if this way has any unforeseen issue. Any suggestions are welcome, many thanks. 

0 Likes Likes
0 REPLIES 0
  • 1778 Views
  • 0 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks