https://live.paloaltonetworks.com/t5/general-topics/dmz-network-configuration/m-p/40400#M29656 <HTML><HEAD></HEAD><BODY><P>We have installed PAN-2050 in my customer site.</P><P>It has been deployed with two L2 interface as vmwire.</P><P>And we made one L3 vlan interface for secondary IP.</P><P>There are 2 IP subnets. (192.168.10.0/24, 192.168.1.0/24)</P><P>One(192.168.10.0/24) is for user.</P><P>The other(192.168.1.0/24) is for DMZ server.</P><P>Both IP subnet set gateway as PAN L3 vlan interface.</P><P>And one VR is in PAN-2050 for its gateway.</P><P></P><P>User subnet which uses NAT policy can use internet and intranet service as well.</P><P>Problem is DMZ server couldn't use their service.</P><P>There are no security policy.</P><P>Maybe my configuration is wrong.</P><P></P><P>Please let me know what should I add any other configuration.</P></BODY></HTML> Mon, 16 Apr 2012 05:59:36 GMT sjlee 2012-04-16T05:59:36Z https://live.paloaltonetworks.com/t5/general-topics/dmz-network-configuration/m-p/40400#M29656 <HTML><HEAD></HEAD><BODY><P>We have installed PAN-2050 in my customer site.</P><P>It has been deployed with two L2 interface as vmwire.</P><P>And we made one L3 vlan interface for secondary IP.</P><P>There are 2 IP subnets. (192.168.10.0/24, 192.168.1.0/24)</P><P>One(192.168.10.0/24) is for user.</P><P>The other(192.168.1.0/24) is for DMZ server.</P><P>Both IP subnet set gateway as PAN L3 vlan interface.</P><P>And one VR is in PAN-2050 for its gateway.</P><P></P><P>User subnet which uses NAT policy can use internet and intranet service as well.</P><P>Problem is DMZ server couldn't use their service.</P><P>There are no security policy.</P><P>Maybe my configuration is wrong.</P><P></P><P>Please let me know what should I add any other configuration.</P></BODY></HTML> Mon, 16 Apr 2012 05:59:36 GMT https://live.paloaltonetworks.com/t5/general-topics/dmz-network-configuration/m-p/40400#M29656 sjlee 2012-04-16T05:59:36Z https://live.paloaltonetworks.com/t5/general-topics/dmz-network-configuration/m-p/40401#M29657 <HTML><HEAD></HEAD><BODY><P>Can the servers reach the users? or is the problem just the servers not getting access to the Internet?</P></BODY></HTML> Mon, 16 Apr 2012 18:48:27 GMT https://live.paloaltonetworks.com/t5/general-topics/dmz-network-configuration/m-p/40401#M29657 rmonvon 2012-04-16T18:48:27Z https://live.paloaltonetworks.com/t5/general-topics/dmz-network-configuration/m-p/40402#M29658 <HTML><HEAD></HEAD><BODY><P>yes, server and users can communicat each other. </P><P>Server has a problem to access to internet. </P></BODY></HTML> Tue, 17 Apr 2012 00:22:13 GMT https://live.paloaltonetworks.com/t5/general-topics/dmz-network-configuration/m-p/40402#M29658 sjlee 2012-04-17T00:22:13Z https://live.paloaltonetworks.com/t5/general-topics/dmz-network-configuration/m-p/40403#M29659 <HTML><HEAD></HEAD><BODY><P>You should check your NAT rule to ensure the DMZ zone/address is included. </P><P></P><P>Also, you mentioned there is no security policy.&nbsp; The implicit deny all rule will block all traffic that does not match a security rule.&nbsp; You should have a security rule to allow traffic from DMZ to Internet.</P><P></P><P>Thanks.</P></BODY></HTML> Tue, 17 Apr 2012 04:23:04 GMT https://live.paloaltonetworks.com/t5/general-topics/dmz-network-configuration/m-p/40403#M29659 rmonvon 2012-04-17T04:23:04Z https://live.paloaltonetworks.com/t5/general-topics/dmz-network-configuration/m-p/40404#M29660 <HTML><HEAD></HEAD><BODY><P>The issue has been solved with no tcp-reject-non-syn option.</P><P>PA looked it as asymetric routing because syn is L3 flow and syn/ack is L2 flow.</P></BODY></HTML> Tue, 17 Apr 2012 04:50:35 GMT https://live.paloaltonetworks.com/t5/general-topics/dmz-network-configuration/m-p/40404#M29660 sjlee 2012-04-17T04:50:35Z https://live.paloaltonetworks.com/t5/general-topics/dmz-network-configuration/m-p/40405#M29661 <HTML><HEAD></HEAD><BODY><P>glad to hear it. </P><P></P><P>If this PA device is the only firewall in used, I recommend that you re-enable the 'tcp-reject-non-syn' as soon as possible and not leave it off for long.&nbsp; You should re-design the network to separate the user and DMZ zones into its own L3 zone, and remove the L2.&nbsp; This will permit you to enforce 'tcp-reject-non-syn' for security reason.</P><P></P><P>Thanks.</P></BODY></HTML> Tue, 17 Apr 2012 14:06:37 GMT https://live.paloaltonetworks.com/t5/general-topics/dmz-network-configuration/m-p/40405#M29661 rmonvon 2012-04-17T14:06:37Z