https://live.paloaltonetworks.com/t5/general-topics/internal-routing-being-blocked/m-p/232764#M66776 <P>I'm having an issues with some internal routing I have two virtual router that have statics routes for an internal phone network on a different router in my trusted zone I can ping from computers in my lan but when i try and access any websites or management tools it doesn't work if I add a persistent route on the desktops it start to work but when i remove it it goes back to acting strange<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Drawing2.png" style="width: 786px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/16824iB92353FB30537344/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Drawing2.png" alt="Drawing2.png" /></span></P> Thu, 27 Sep 2018 17:10:26 GMT kclarke6 2018-09-27T17:10:26Z https://live.paloaltonetworks.com/t5/general-topics/internal-routing-being-blocked/m-p/232764#M66776 <P>I'm having an issues with some internal routing I have two virtual router that have statics routes for an internal phone network on a different router in my trusted zone I can ping from computers in my lan but when i try and access any websites or management tools it doesn't work if I add a persistent route on the desktops it start to work but when i remove it it goes back to acting strange<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Drawing2.png" style="width: 786px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/16824iB92353FB30537344/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Drawing2.png" alt="Drawing2.png" /></span></P> Thu, 27 Sep 2018 17:10:26 GMT https://live.paloaltonetworks.com/t5/general-topics/internal-routing-being-blocked/m-p/232764#M66776 kclarke6 2018-09-27T17:10:26Z https://live.paloaltonetworks.com/t5/general-topics/internal-routing-being-blocked/m-p/232829#M66792 <P>It's sounds like asymetric routing but I'll need some clarification on things. ICMP will work asymmetric but traffic needing a three-way handshake won't. The firewall needs to see the entire flow or it will drop traffic.</P><P>&nbsp;</P><P>Can you reference the drawing you included to explain what does and doesn't work? I can't tell what's trying to access what.</P> Thu, 27 Sep 2018 21:39:40 GMT https://live.paloaltonetworks.com/t5/general-topics/internal-routing-being-blocked/m-p/232829#M66792 rmfalconer 2018-09-27T21:39:40Z https://live.paloaltonetworks.com/t5/general-topics/internal-routing-being-blocked/m-p/232830#M66793 <P>I'm trying to get clients from the 192.168.4.x network to access clients in the 192.168.10.x network but it only work when i add persistent routes to the client in the 192.168.4.x network</P> Thu, 27 Sep 2018 21:42:19 GMT https://live.paloaltonetworks.com/t5/general-topics/internal-routing-being-blocked/m-p/232830#M66793 kclarke6 2018-09-27T21:42:19Z https://live.paloaltonetworks.com/t5/general-topics/internal-routing-being-blocked/m-p/232831#M66794 <P>So when you add the static route on the clients, you point 192.168.10.0 to 192.168.4.8?</P><P>Does the Palo Alto have a route for 192.168.10.0 that points to 192.168.4.8?</P> Thu, 27 Sep 2018 21:48:59 GMT https://live.paloaltonetworks.com/t5/general-topics/internal-routing-being-blocked/m-p/232831#M66794 rmfalconer 2018-09-27T21:48:59Z https://live.paloaltonetworks.com/t5/general-topics/internal-routing-being-blocked/m-p/232838#M66795 <P>yes my virtual router has a static route of 192.168.10.0/24 to 192.168.4.8</P> Thu, 27 Sep 2018 21:51:39 GMT https://live.paloaltonetworks.com/t5/general-topics/internal-routing-being-blocked/m-p/232838#M66795 kclarke6 2018-09-27T21:51:39Z https://live.paloaltonetworks.com/t5/general-topics/internal-routing-being-blocked/m-p/232839#M66796 <P>Then the problem is asymmetry.</P><P>Here's an example of traffic flow without the static route on a client:</P><P>192.168.4.100 sends a syn to 192.168.10.100. This goes to the PA, which then sends it to the router at 192.168.4.8</P><P>192.168.10.100 sends a syn-ack to 192.168.4.100. This goes to the router at 192.168.10.1, which then sends this directly to the client without passing through the PA.&nbsp;</P><P>192.168.4.100 sends an ack to 192.168.10.100, which then goes to the PA. The PA did not see the syn-ack so it drops the traffic.&nbsp;</P><P>When ICMP works but tcp traffic fails, it's generally asymmetric routing.</P><P>By adding&nbsp;the static route, all traffic bypasses the PA so it will work.</P><P>&nbsp;</P> Thu, 27 Sep 2018 22:02:39 GMT https://live.paloaltonetworks.com/t5/general-topics/internal-routing-being-blocked/m-p/232839#M66796 rmfalconer 2018-09-27T22:02:39Z https://live.paloaltonetworks.com/t5/general-topics/internal-routing-being-blocked/m-p/232840#M66797 <P>now how would i go about fixing that generally its better to add routes the the default gateways if i'm not mistaken correct? I looked up asymetric routing and it seems that disabling the protection on the firewall is generally not recommended</P> Thu, 27 Sep 2018 22:10:16 GMT https://live.paloaltonetworks.com/t5/general-topics/internal-routing-being-blocked/m-p/232840#M66797 kclarke6 2018-09-27T22:10:16Z https://live.paloaltonetworks.com/t5/general-topics/internal-routing-being-blocked/m-p/232867#M66801 <P>I would advise against disabling this behavior.&nbsp;</P><P>&nbsp;</P><P>There are&nbsp;only a few&nbsp;choices with what you can do.</P><P>- Put static routes on every machine on 192.168.4.0</P><P>- Make 192.168.4.8 the default gateway for that network, making sure that router has a default route to .1</P><P>- Move 192.168.10.0 to a spot where traffic has to cross the firewall to reach it.&nbsp;</P> Thu, 27 Sep 2018 23:20:30 GMT https://live.paloaltonetworks.com/t5/general-topics/internal-routing-being-blocked/m-p/232867#M66801 rmfalconer 2018-09-27T23:20:30Z