topic Shared Gateway and VSYS in General Topics https://live.paloaltonetworks.com/t5/general-topics/shared-gateway-and-vsys/m-p/31294#M22883 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I've a basic setup with TWO vsys with separate vrouters on each vsys (Maketing and Sales ) and a shared Gateway. Some vpn Tunnels terminating on my shared gateway.</P><P>I need to implement some static NAT rules for my VPN tunnels, so far so good.</P><P>Routing 0.0.0.0/0 goes to the Shared gateway and of course other locally routes are routed locally by Vrouter on their respective Vsys.</P><P></P><P>But some address should be NAted before/through the VPN tunnel, which I thought should be configured on the shared gateway .But it doesn't work that way. I need to implement NAT rules on the MArketing or Sales Vsys.</P><P>Even a route from VSYS with destination the NAT address subnet towards vrouter of the Shared gateway doesn't seem to be cathed.</P><P></P><P>VIRTUAL ROUTER: RTVOUT01 (id 2)<BR />&nbsp; ==========<BR />destination&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; nexthop&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; metric flags&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; age&nbsp;&nbsp; interface<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; next-AS<BR />10.14.6.0/24&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; vr VR-SGOUT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 5&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; A S&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P></P><P>But when you perform a routing test ...</P><P></P><P>run test routing fib-lookup ip 10.14.6.1 virtual-router RTVOUT01</P><P>--------------------------------------------------------------------------------<BR />runtime route lookup<BR />--------------------------------------------------------------------------------<BR />virtual-router:&nbsp;&nbsp; RTVOUT01<BR />destination:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 10.14.6.1<BR />result:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; route not found</P><P></P><P>I found on KB of Palo Alto</P><P></P><P>Update: Fixed in 4.0.8</P><P class="MsoNormal"></P><P class="MsoNormal">there seem to be a problem with version 4.1 .</P><P class="MsoNormal"></P><P class="MsoNormal">Question: Would it be advisable to integrate a Shared Gateway into another VSYS ( INTERNET) with his vrouter and interfaces attached ? Because now the Shared Gateway isn't attached to a VSYS ..</P><P class="MsoNormal">Would the function shared gateway still work ?</P><P class="MsoNormal">In the documentation the shared gateway only has the NAT possibility. If I attach it to a VSYS I suppose I do have Security and NAT policies ??</P><P class="MsoNormal"></P><P class="MsoNormal">Thanks for any input ..</P><P class="MsoNormal"></P><P class="MsoNormal">Patrick</P></BODY></HTML> Fri, 11 May 2012 08:49:53 GMT slh 2012-05-11T08:49:53Z Shared Gateway and VSYS https://live.paloaltonetworks.com/t5/general-topics/shared-gateway-and-vsys/m-p/31294#M22883 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I've a basic setup with TWO vsys with separate vrouters on each vsys (Maketing and Sales ) and a shared Gateway. Some vpn Tunnels terminating on my shared gateway.</P><P>I need to implement some static NAT rules for my VPN tunnels, so far so good.</P><P>Routing 0.0.0.0/0 goes to the Shared gateway and of course other locally routes are routed locally by Vrouter on their respective Vsys.</P><P></P><P>But some address should be NAted before/through the VPN tunnel, which I thought should be configured on the shared gateway .But it doesn't work that way. I need to implement NAT rules on the MArketing or Sales Vsys.</P><P>Even a route from VSYS with destination the NAT address subnet towards vrouter of the Shared gateway doesn't seem to be cathed.</P><P></P><P>VIRTUAL ROUTER: RTVOUT01 (id 2)<BR />&nbsp; ==========<BR />destination&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; nexthop&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; metric flags&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; age&nbsp;&nbsp; interface<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; next-AS<BR />10.14.6.0/24&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; vr VR-SGOUT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 5&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; A S&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P></P><P>But when you perform a routing test ...</P><P></P><P>run test routing fib-lookup ip 10.14.6.1 virtual-router RTVOUT01</P><P>--------------------------------------------------------------------------------<BR />runtime route lookup<BR />--------------------------------------------------------------------------------<BR />virtual-router:&nbsp;&nbsp; RTVOUT01<BR />destination:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 10.14.6.1<BR />result:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; route not found</P><P></P><P>I found on KB of Palo Alto</P><P></P><P>Update: Fixed in 4.0.8</P><P class="MsoNormal"></P><P class="MsoNormal">there seem to be a problem with version 4.1 .</P><P class="MsoNormal"></P><P class="MsoNormal">Question: Would it be advisable to integrate a Shared Gateway into another VSYS ( INTERNET) with his vrouter and interfaces attached ? Because now the Shared Gateway isn't attached to a VSYS ..</P><P class="MsoNormal">Would the function shared gateway still work ?</P><P class="MsoNormal">In the documentation the shared gateway only has the NAT possibility. If I attach it to a VSYS I suppose I do have Security and NAT policies ??</P><P class="MsoNormal"></P><P class="MsoNormal">Thanks for any input ..</P><P class="MsoNormal"></P><P class="MsoNormal">Patrick</P></BODY></HTML> Fri, 11 May 2012 08:49:53 GMT https://live.paloaltonetworks.com/t5/general-topics/shared-gateway-and-vsys/m-p/31294#M22883 slh 2012-05-11T08:49:53Z Re: Shared Gateway and VSYS https://live.paloaltonetworks.com/t5/general-topics/shared-gateway-and-vsys/m-p/31295#M22884 <HTML><HEAD></HEAD><BODY><P>Hi Patrick, what are you specific requirements with regards to applying NAT prior to your traffic ingressing your tunnel interface for VPN traversal?&nbsp; Do you need to perform source translation, destination translation, or both?&nbsp; Can you provide more details regarding your requirements or perhaps a specific example?</P><P></P><P>thank you,</P><P>-Bryan</P></BODY></HTML> Thu, 31 May 2012 01:01:35 GMT https://live.paloaltonetworks.com/t5/general-topics/shared-gateway-and-vsys/m-p/31295#M22884 bvandivier 2012-05-31T01:01:35Z