topic Edinburgh - pbf + zone lookup snafus in General Topics https://live.paloaltonetworks.com/t5/general-topics/edinburgh-pbf-zone-lookup-snafus/m-p/5867#M4274 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I'm seeing the following.</P><P></P><P>Consider:</P><P>- two existing Internet lines, put in zones "I-1" and "I-2"</P><P>- there are two L3 interfaces, one in I-1 with address PA-1, one in I-2 with address PA-2</P><P>- the default route goes to a router reachable in I-2</P><P>- there's a PBF policy to forward <EM>everything</EM> to a router in I-1</P><P></P><P>There are two destination NATs:</P><P>- from zone I-1 to address PA-1, tcp port 25, dnat to some internal address A</P><P>- from zone I-2 to address PA-2, tcp port 25, dnat to some internal address A</P><P></P><P>This does not work.&nbsp; In the monitor, we see no traffic arriving from I-1 to PA-1:25.</P><P></P><P>After modifying this config to put both Internet lines into one single zone, it suddenly works.</P><P></P><P>It seems that zone lookup in several stages only looks at the routing table.&nbsp; Not considering PBF, it deduces the wrong src/dst zone, causing packets mismatching the session.</P><P></P><P>This seems wrong, when true.&nbsp; Is it, and is it?</P></BODY></HTML> Mon, 31 Oct 2011 13:48:55 GMT supporton2it 2011-10-31T13:48:55Z Edinburgh - pbf + zone lookup snafus https://live.paloaltonetworks.com/t5/general-topics/edinburgh-pbf-zone-lookup-snafus/m-p/5867#M4274 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I'm seeing the following.</P><P></P><P>Consider:</P><P>- two existing Internet lines, put in zones "I-1" and "I-2"</P><P>- there are two L3 interfaces, one in I-1 with address PA-1, one in I-2 with address PA-2</P><P>- the default route goes to a router reachable in I-2</P><P>- there's a PBF policy to forward <EM>everything</EM> to a router in I-1</P><P></P><P>There are two destination NATs:</P><P>- from zone I-1 to address PA-1, tcp port 25, dnat to some internal address A</P><P>- from zone I-2 to address PA-2, tcp port 25, dnat to some internal address A</P><P></P><P>This does not work.&nbsp; In the monitor, we see no traffic arriving from I-1 to PA-1:25.</P><P></P><P>After modifying this config to put both Internet lines into one single zone, it suddenly works.</P><P></P><P>It seems that zone lookup in several stages only looks at the routing table.&nbsp; Not considering PBF, it deduces the wrong src/dst zone, causing packets mismatching the session.</P><P></P><P>This seems wrong, when true.&nbsp; Is it, and is it?</P></BODY></HTML> Mon, 31 Oct 2011 13:48:55 GMT https://live.paloaltonetworks.com/t5/general-topics/edinburgh-pbf-zone-lookup-snafus/m-p/5867#M4274 supporton2it 2011-10-31T13:48:55Z Re: Edinburgh - pbf + zone lookup snafus https://live.paloaltonetworks.com/t5/general-topics/edinburgh-pbf-zone-lookup-snafus/m-p/5868#M4275 <HTML><HEAD></HEAD><BODY><P>Please check the NAT destination policy - if changing the zone allows traffic to suddenly work, was there a policy for the first zone?</P><P>Securtiy Policy is checked first, but implemented after NAT</P><P></P><P>As for the PBF - that is for outbound traffic so your dNAT should not be affected by PBF.</P><P>Hope this helps</P></BODY></HTML> Tue, 01 Nov 2011 06:16:31 GMT https://live.paloaltonetworks.com/t5/general-topics/edinburgh-pbf-zone-lookup-snafus/m-p/5868#M4275 sjamaluddin 2011-11-01T06:16:31Z