topic Re: Communication within different Trust Zones in General Topics

Communication within different Trust Zones

BBDOmexico — Wed, 26 May 2010 19:26:27 GMT

Hi,

I am working with PAN-500 3.0.9.

I have configured 2 trust zones and 2 untrusted zones.

l3-trust IP 192.168.0.254/22; l3-untrust 200.78.x.x

l3-trust2 IP 192.168.10.254/24; l3-untrust 201.161.x.x

I need that users from l3-trust get access to servers located at l3-trust2.

I have this policy:

From l3-trust2 to l3-trust source address 192.168.10.0/24 destination address 192.168.0.10-192.168.0.25 Action Allow.

From l3-trust to l3-trust2 source address 192.168.0.10-192.168.0.25 destination address 192.168.10.0/24 Action Allow.

Right now, this is not working.

I hope you could help me.

Thanks.

Re: Communication within different Trust Zones

swhyte — Wed, 26 May 2010 21:00:42 GMT

Hello there,

you sceneario looks very straight forward.

I would verify the following:

1. the l3-trust and l3-trust2 interfaces are on the same virtual router on the Paloalto device

2. Are there any NAT rules that any of the traffic between these two zones could be catching.....for example do you have a NAT rule that says source zone: l3-trust and destination zone any....

3. For now you can make sure that the application and the service are both set "any"......this of course is only while you are troubleshooting to illiminate the possibility of you not allowing the applications you are expecting to pass traffic (...like ping)

4. You can set the source and destination addresses to any also....this is to make sure that you did not make mistake while typing in the source and destination address or while creating the address objects.

5. Verify the routing in your network. Basically make sure that the network that when the network 192.168.0.254 tries to route to 192.168.10.x, it is pointed to the Paloalto device....check this going the other way also. Please be dilligent is checking the routing as this is often the root of issues like this.

If you are still having issues after checking the above then please call into support and we can aid in isolating the source of this issue.

thanks!

Stephen

Re: Communication within different Trust Zones

veera12883 — Tue, 08 Jun 2010 10:45:20 GMT

Hi,

The similar problem we also facing...both the trust and trust2 communication is happening if i put NAT rule (likey source zone trust and destination zone trust2 and destination interface should be the trust interface) then its working...though some time ICMP is not working between two trust zones where as FTP and remote desktop is working..the same as been tested with different OS and different model of PAN.suggest me to fix this problem

Re: Communication within different Trust Zones

znlwin — Wed, 12 Jun 2013 02:18:10 GMT

I am working with PAN-3020 Ver 5.0

I have configured 2 trust zones and 2 untrusted zones with two VRs configured as default routes.

l3-trust IP 192.168.0.254/22; l3-untrust 200.78.x.x , VR1 (NAT, configured as default route)

l3-trust2 IP 192.168.10.254/24; l3-untrust2 201.161.x.x , VR2 (NAT, configured as default route)

I need that users from l3-trust get access to servers located at l3-trust2.

Could you please help how to implement on this scenario?

Thanks in advance.

Re: Communication within different Trust Zones

Retired Member — Wed, 12 Jun 2013 06:37:44 GMT

Hi znlwin,

VR1 you have to add route 192.168.10.0/24 next VR VR2

VR2 you have to add route 192.168.0.0./24 next VR VR1