Palo Alto BGP advertise (not connected public ip Blocks direct to PA ) Public IP Block
Good afternoon, I have the following doubt about how to complete this configuration, I have seen this with cisco ASA, but I don't know how to apply it in Palo Alto, please help me.
-Block Public IPs
-ISP router connect to BGP Palo Alto
-Palo Alto connect to BGP Router ISP
How can I do so that the range of public IPs, which is not directly connected to Palo Alto, can operate correctly, for example for the Global Protect configurations and above all for the Nat-port forwarding configurations.
I mean we have the block of public IPs, which are not directly connected to the PA, but they should be attached to the PA so that they can be used in NATs for example.
Is it possible to configure this in the PA ? can it be configured at the BGP level ? and that the ISP router continues to publish this network, but that makes the public IPs can be used by the PA, for example for NATs.
Please your support and collaboration, thank you very much greetings and attentive to your comments
It depends how your ISP makes this block available to you. Are you required to configure BGP to claim these IP addresses, or is BGP taken care of by the ISP router on the internet side and do you simply get to use the IPs on the inside? In both cases, you can simply configure NAT rules for the IPs you want to use which will cause the firewall to start broadcasting proxy-ARP for that IP (claiming the IP at the local network level which you need if BGP is not used). You can also set up loopback interfaces with the appropriate IP, or set secondary IPs on the external interface, so you can use the IP in GP config. If you are not supposed to set up BGP, your ISP needs to add a route that redirects your public block to your firewall untrust IP