Palo Alto Networks Knowledgebase: DotW: Multiple IP Addresses on an Interface
DotW: Multiple IP Addresses on an Interface
Created On 02/07/19 23:51 PM - Last Updated 02/07/19 23:51 PM
How do you assign more than one IP address to a single interface? We offer two ways to do it, and tell you which way we find most secure. User adiazm from our community poses the puzzler highlighted in this week's Discussion of the Week (DotW).
If your ISP has provided you with an external IP range that allows for more than two hosts (firewall and router) in the subnet, for example, a subnet mask of /29 or larger, these additional IP addresses can be assigned to specific servers or services hosted on your network, or be used to hide different segments of your internal resources while going out to the Internet.
For NAT configuration, the additional IP addresses do not necessarily need to be configured on the interface: the firewall can perform an internal route lookup to find which interface an IP range is attached to, and leverage proxy arp to respond to ARP requests for IP addresses configured in NAT on the interface. This technique makes the configured IP address available to outside hosts trying to reach it while not being physically configured on the interface.
Source NAT can therefore be configured like this...
or destination NAT like this:
Without having the specific IP address configured to the interface.
If you prefer to have the additional IP addresses attached to an interface for ease of use, or in the scenario where an interface needs to be assigned to GlobalProtect Gateway and Portal, there are 2 options available:
Add the IP address as a /32 subnet to the existing interface
Add the IP address as a loopback interface
The preferred and recommended configuration is to use the loopback interface option to allow some addional security configuration that, depending on the circumstances, could come in handy. The loopback interface can be configured with its own security zone. This allows for different security policies to be applied to this IP address compared to the IP range attached to the interface.