Palo Alto Networks Knowledgebase: DotW: Multiple IP Addresses on an Interface

Created On 09/25/18 18:59 PM - Last Updated 09/25/18 23:11 PM
Solution:


How do you assign more than one IP address to a single interface? We offer two ways to do it, and tell you which way we find most secure. User adiazm from our community poses the puzzler highlighted in this week's Discussion of the Week (DotW).

[Screenshot of the original community question]

If your ISP has provided you with an external IP range that allows for more than two hosts (the firewall and the ISP router) in the subnet, for example a /29 or a larger block, these additional IP addresses can be assigned to specific servers or services hosted on your network, or used to hide different segments of your internal resources behind distinct addresses when going out to the Internet.

For NAT configuration, the additional IP addresses do not need to be configured on the interface at all: the firewall performs an internal route lookup to find which interface the IP range is attached to, and uses proxy ARP to answer ARP requests for addresses that appear in NAT rules on that interface. This makes the NAT address reachable for outside hosts even though it is not configured on the interface itself.

Source NAT can therefore be configured like this:

[Screenshot: source NAT rule]

or destination NAT like this:

[Screenshot: destination NAT rule]

without the specific IP address being configured on the interface:

[Screenshot: interface configuration showing only the primary IP address]

If you prefer to have the additional IP addresses attached to an interface for ease of use, or in the scenario where an interface needs to be assigned to a GlobalProtect Gateway and Portal, there are two options available:

  • Add the IP address as a /32 subnet to the existing interface
  • Add the IP address to a loopback interface

The preferred and recommended configuration is the loopback interface option, because it allows some additional security configuration that, depending on the circumstances, can come in handy: the loopback interface can be placed in its own security zone, so different security policies can be applied to this IP address than to the IP range attached to the physical interface.
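To make the three approaches concrete, here is an added Python helper (not part of the article or of PAN-OS) that works out which addresses in a constructed /29 are actually free once the ISP gateway and the firewall's own address are taken, and emits the configuration lines for each approach. All addresses are constructed documentation-range values, and the command strings follow PAN-OS `set` CLI style as an assumption; check them against the syntax of your own release.

```python
import ipaddress

# Constructed sample values (RFC 5737 documentation range), not from the article.
ISP_BLOCK = "203.0.113.0/29"     # the /29 handed out by the ISP
ISP_GATEWAY = "203.0.113.1"      # provider router
FIREWALL_IP = "203.0.113.2"      # primary address on ethernet1/1

def usable_extra_addresses(isp_block, gateway_ip, firewall_ip):
    """Addresses left in the ISP block after the provider gateway and the
    firewall's own interface address are taken; .hosts() already drops the
    network and broadcast addresses."""
    net = ipaddress.ip_network(isp_block, strict=True)
    taken = {ipaddress.ip_address(gateway_ip), ipaddress.ip_address(firewall_ip)}
    for ip in taken:
        if ip not in net:
            raise ValueError(f"{ip} is not inside {net}")
    return [str(h) for h in net.hosts() if h not in taken]

def check_extra(extra_ip, isp_block=ISP_BLOCK, gateway_ip=ISP_GATEWAY,
                firewall_ip=FIREWALL_IP):
    """Refuse addresses that collide with the gateway/firewall or fall outside the block."""
    if extra_ip not in usable_extra_addresses(isp_block, gateway_ip, firewall_ip):
        raise ValueError(f"{extra_ip} is not a free host address in {isp_block}")
    return extra_ip

def dnat_only(rule, extra_ip, server_ip, zone="untrust"):
    """Approach 1: destination NAT with no interface address; the firewall
    answers ARP for extra_ip via proxy ARP. Assumed PAN-OS 'set' CLI syntax."""
    check_extra(extra_ip)
    return [f"set rulebase nat rules {rule} from {zone} to {zone} source any "
            f"destination {extra_ip} service any "
            f"destination-translation translated-address {server_ip}"]

def secondary_ip(extra_ip, ethernet="ethernet1/1"):
    """Approach 2: add the address as a /32 on the existing external interface."""
    check_extra(extra_ip)
    return [f"set network interface ethernet {ethernet} layer3 ip {extra_ip}/32"]

def loopback_in_own_zone(extra_ip, unit, zone, vr="default"):
    """Approach 3 (the article's preferred one): a loopback interface in its
    own security zone, so it gets its own set of security policies."""
    check_extra(extra_ip)
    ifname = f"loopback.{unit}"
    return [f"set network interface loopback units {ifname} ip {extra_ip}/32",
            f"set network virtual-router {vr} interface {ifname}",
            f"set zone {zone} network layer3 {ifname}"]

if __name__ == "__main__":
    print(usable_extra_addresses(ISP_BLOCK, ISP_GATEWAY, FIREWALL_IP))
    print("\n".join(loopback_in_own_zone("203.0.113.3", 1, "vpn-gateway")))
```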

Thank you for reading, and feel free to comment below.

Read the original discussion here: Multiple Addresses in the same ethernet interface

 

Thanks!

Tom
