L3 gateway Interface traffic relaying


L3 Networker

Hello All,

I just want to share one thought about a problem which I faced. One L3 interface on a PAN 500 was configured as the default gateway (192.168.0.1/24, sec zone "trusted") for one network. On that trusted network I have two servers, one terminal server 192.168.0.10/24 and a VPN server 192.168.0.15/24. VPN clients with the IP pool 192.168.50.0/24 are making connections to the terminal server. Responses go through the gateway interface 192.168.0.1, where the vrouter has a route 192.168.50.0/24 via 192.168.0.15/24. The problem begins at the moment when the terminal server has to make a connection to a VPN client, but it doesn't. To cope with the problem, the only solution is to add a static route on the terminal server for 192.168.50.0/24 via 192.168.0.15/24, and then it works as well (bypassing the default gateway).

Considering that traffic is by default permitted within the same security zone, I'm unable to understand why the traffic cannot be relayed even when I make an explicit policy which permits all traffic within the trusted zone.

From the perspective of securing traffic, no filtering is needed, just traffic relaying within the same subnet and the same sec zone. Before this setup we had a simple Linux firewall with iptables, where this worked without a security rule, just routing and relaying.



Tician

2 REPLIES

L3 Networker

Hi Tician,

First of all I would recommend opening a case with tech support. There are a few things that could go wrong here so I would start with the traffic logs. If you have an explicit rule in place there should be logging for the session to verify it is allowed and the log details will confirm if packets are being sent and received. Assuming everything looks ok here try running a packet capture with filters for both directions (.10 to .15 and vice versa) and all 4 stages set. The drop stage will show if anything is being dropped out and counters may give the reason for any drops. This doc should help with setting up the filters and checking the counters.

Packet Capture, Debug Flow-basic and Counter Commands

regards,

Brandon
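The checks Brandon describes, written out as PAN-OS CLI commands. This is an added example, not part of the thread; the virtual-router name `default`, the capture file names and the sample VPN client address 192.168.50.10 are assumptions, and the `#` lines are annotations, not CLI input.

```text
# 1. Confirm the virtual router actually resolves the VPN pool via 192.168.0.15
show routing route
test routing fib-lookup virtual-router default ip 192.168.50.10

# 2. Confirm a session is created at all for the terminal server -> VPN client flow
#    (a missing session here means the packet never reached policy lookup)
show session all filter source 192.168.0.10 destination 192.168.50.10

# 3. Packet capture: filters for both directions, all four stages
debug dataplane packet-diag clear all
debug dataplane packet-diag set filter match source 192.168.0.10 destination 192.168.0.15
debug dataplane packet-diag set filter match source 192.168.0.15 destination 192.168.0.10
debug dataplane packet-diag set filter match source 192.168.0.10 destination 192.168.50.10
debug dataplane packet-diag set filter match source 192.168.50.10 destination 192.168.0.10
debug dataplane packet-diag set filter on
debug dataplane packet-diag set capture stage receive  file rx.pcap
debug dataplane packet-diag set capture stage transmit file tx.pcap
debug dataplane packet-diag set capture stage firewall file fw.pcap
debug dataplane packet-diag set capture stage drop     file drop.pcap
debug dataplane packet-diag show setting
debug dataplane packet-diag set capture on

# ... reproduce the failing connection from the terminal server now ...

debug dataplane packet-diag set capture off
debug dataplane packet-diag set filter off

# 4. Only counters touched by the filtered packets; a non-zero drop counter names the reason
show counter global filter packet-filter yes delta yes

# 5. Read the drop-stage capture on the box, then clean up
view-pcap filter-pcap drop.pcap
debug dataplane packet-diag clear all
```

Run step 4 immediately after reproducing the problem, since `delta yes` only reports counters that changed since the previous invocation.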

L0 Member

Sounds like you need a route for 192.168.50.0/24 on the firewall.
