Policy forwarding question.

roadracer96 — Mon, 01 Apr 2013 12:56:13 GMT

An over-simplified explanation of my setup. Trust me, it just has to be this way.

ethernet1/1 - Internet 1.2.3.1/24

ethernet1/2 - LAN 10.10.10.1/24

Nat/dnat/1-1 nat between ethernet 1/1 and 1/2

I have a traffic shaping appliance that I need to loop data through BEFORE NAT on the palo.

Trust me when I say I just cant stick it between the lan and palo. In a nutshell, I have multiple virtual systems that all need to be looped through the shaper in a complex network. Only data destined for the internet should go through the traffic shaper.

I WANT to do this:

ethernet1/1 - Internet 1.2.3.1/24

ethernet1/2 - LAN 10.10.10.1/24

ethernet1/3 - 10.0.0.1/30 Shaper Internal side, in LAN zone

ethernet1/4 - 10.0.0.2/30 Shaper External side in LAN zone

The shaper is transparent. It would be the same as ethernet1/3 and 1/4 being patched together.

Policy forwarding.

Anything outbound to internet from lan zone, next hop 10.0.0.2 egress interface ethernet 1/3

Anything coming in from internet zone to lan, next hop 10.0.0.1 egress interface ethernet 1/4

I tried this once with to virtual routers in the vsys and routing between them. It didnt work as I expected. I stopped there and figured I would ask if im barking up the wrong tree and it just isnt going to work.

Input welcome! Thanks!

Re: Policy forwarding question.

roadracer96 — Mon, 01 Apr 2013 14:38:13 GMT

I think I figured what I was doing wrong. I think the policy was matching on return from the packet shaper and being sent through it again until TTL expired.

topic Re: Policy forwarding question. in General Topics

Policy forwarding question.

Re: Policy forwarding question.