PAN FW to DSL Modem

Reply
L3 Networker

PAN FW to DSL Modem

PC(trust zone-172.16.10.98/24)->(eth1/1-172.16.10.100)PAN FW(eth1/2-192.168.1.104/24)->(192.168.1.1/24) DSL modem(untrust)

My vr config: Destination:0.0.0.0/0, Interface:eth1/1, Next hop:192.168.1.1/24

my security policy: trust to untrust -any any

my Nat: no source/dest NAT.

Now i cant accesss internet from my PC(172.16.10.98/24)

Any additional config needed?


Thanks

Highlighted
L7 Applicator

Re: PAN FW to DSL Modem

Hello Javith,

The modem is not having return route, how to reach 172.16.10.0/24 subnet. Hence, i would recommend you to configure a source NAT on PAN FW as mentioned below:

From Zone- trust

To zone- untrust

Source : 172.16.10.0/24

Destination - any

NAT- dynamic-ip and ports ( ethernet 1/2-192.168.1.104)

So, all traffic coming from 172.16.10.0/24 subnet now source IP change to 192.168.1.104 and  for the return traffic, the modem is having route ( directly connected) for 192.168.1.104.

Please let us know the result.

Thanks

L3 Networker

Re: PAN FW to DSL Modem

Hi Hulk,

Thanks for ur reply..But Nothing happened

From the firewall(172.16.10.1-inband access)..I can ping eth1/2-192.168.1.104/24 but i cant ping 192.168.1.1/24 (DSL modem)

From internal pc(172.16.10.98/24) i can ping 172.16.10.1 but i cant ping 192.168.1.X

Please guide

L7 Applicator

Re: PAN FW to DSL Modem

Hello Javith,

Could you please verify the traffic logs ( GUI > Monitor > Logs > Traffic) and see some more formation. GUI --> Traffic log, you may use filters like ( addr.src in IP_ADD_OF_THE_TESTING_PC ) and ( addr.dst in IP_ADD_OF_THE_DESTINATION ) to check the security policy that the traffic hitting. Also, you can check the real time session in the CLI by using 'PAN>show session all filter source IP_ADD_OF_THE_TESTING_PC "

Otherwise, we may ned to enable FLOW BASIC feature to understand the exact reason behind the drop:

> debug dataplane packet-diag clear all

> debug dataplane packet-diag set filter match source  IP_ADD_OF_THE_TESTING_PC destination IP_ADD_OF_THE_DESTINATION

> debug dataplane packet-diag set filter match source IP_ADD_OF_THE_DESTINATION destination  IP_ADD_OF_THE_TESTING_PC

> debug dataplane packet-diag set log feature flow basic

> debug dataplane packet-diag set log feature tcp all

> debug dataplane packet-diag set filter on

> debug dataplane packet-diag set log on


~~~~~~~~~~~~~~~~ Initiate traffic through the PAN firewall/try to browse a website ~~~~~~~~~~~~~~~~~~~~~~~~~

> debug dataplane packet-diag set log off

> debug dataplane packet-diag aggregate-logs

> less mp-log pan_packetdiag_log.log

For more information, you can follow the DOC: Packet Capture, Debug Flow-basic and Counter Commands

Thanks

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!