topic Re: Help with inter-subnet routing in General Topics

Help with inter-subnet routing

ckluck — Mon, 20 Jun 2016 12:36:35 GMT

Looking for input on a subnet routing, issue I am having.

So I have let’s say for argument I have two zones, Trust and Untrust.

Interfaces

Int 1/1 - Untrust Internet 192.168.0.1

Int 1/2 - Trust 10.8.1.20

Int 1/3 - Trust 10.26.96.1

I have a virtual router (default)

Default

Destination 0.0.0.0/0

Int 1/1

Net Hop Value 69.168.XX.XX

This is where I am getting confused!

I want the Both (8)(9) be able to talk to each other

Access Name

Destination 10.26.96.0/30

Int 1/3

Next Hop Value 10.26.96.1

No Working, so? Need a little help.

Thanks,

Re: Help with inter-subnet routing

nikoo — Fri, 17 Jun 2016 20:37:48 GMT

Could you please tell me what are addresses (and subnets masks) of two hosts trying to communicate, where are they connected (zones/ports) and what are their default gw settings?

By default hosts are able to talk within the zone (intra-zone traffic) interfaces and are denied for traffic between the zones (inter-zone traffic). And one thing that seems to be not entirely correct - default route (0.0.0.0/0) should point to address within e1/3 range (basically gateway for that interface), because firewall does not know how to reach that 69.168.242.65 at the moment.

Re: Help with inter-subnet routing

ckluck — Mon, 20 Jun 2016 12:36:51 GMT

Zone is trusted

Int 2 - 10.8.1.20 Interface IP (255.255.255.0)

Int 3 - 10.26.96.1 Interface IP (255.255.255.0)

I am using the int address(e)s as each of their own Default Gateways, I am then using a generic route rule 0.0.0.0/0 to route traffic to Int1/1 interface for internet.

Re: Help with inter-subnet routing

Transporter — Mon, 20 Jun 2016 13:03:11 GMT

Hi,

This is directly connected networks to Palo, so they should be talking to each other without any additional static routes or routing. Please confirm you can ping your subinterfaces and make sure that the policy in place and correct traffic permitted.

Thanks,

Re: Help with inter-subnet routing

nikoo — Mon, 20 Jun 2016 13:15:54 GMT

Yes, I tend to agree with Transporter, although the description is still kind of a blurry.

Basically check everything step by step:

Check network settings on each - IP, mask, gw address (Palo Alto subinterface address and host/gw should be from the same subnet);
Test if you can reach gateway from the end host (ping subinterface address, but make sure your subinterface mgmt profile allows pinging);
Make sure your security rules have logging enabled;
Inititate traffic from one end host to another and check Palo Alto logs - you should see what happended with that traffic;
If nothing is visible from there - try capturing packets (https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Run-a-Packet-Capture/ta-p/62390) and see if traffic arrives at the Palo Alto at all.

Re: Help with inter-subnet routing

ShannonRowe — Tue, 28 Jun 2016 21:41:40 GMT

Yea can you provide a bit more detail? What is (8) and (9)?

Please provide:

Source and destination subnets you want to talk, and the zones and interfaces associated with each IP subnet.

Gateway address of clients in each source and destination subnet