Hello all, I have a (hopefully) simple problem I can't seem to figure out.
I have recently created a new DMZ zone on my PA for guest users, but when a guest tries to access the internet, the traffic is showing as sourcing from the trust zone instead of the DMZ zone. A trace from the guest user makes it to the PA, then dies. I have the policy from DMZ to untrust configured, but it never hits it, it's always using the trust to untrust policy.
I have a feeling I am missing something easy...
Any help will be much appreciated!
Is the subnet with the guest traffic assigned to an interface on the PA? Is that interface set with the guest zone?
In the traffic log, what rule is it hitting?
Thanks for the quick reply rmfalconer!
Yes, the subinterface on the PA has a 172.16.0.251/21 assigned to it. The subinterface is assigned to the DMZ zone.
Not sure if this matters, but the actual interface itself that the subinterfaces belong to is assigned to the trust zone.
In the traffic log, it's hitting a trust zone to untrust zone policy; it shows the traffic sourcing from the subinterface assigned to the trust zone, rather than hitting the DMZ to untrust policy.
Yep, the switchport is configured and tagged correctly, and the tagging is set on the PA as well.
From a guest laptop, my trace hits the gateway (172.16.0.250) IP assigned to my gateway router, then the next hop is the 10.x.x.x trust IP on the PA.
From the PA, I can ping my guest laptop sourcing from the DMZ subinterface.
Just trying to get a picture for the traffic flow.
How is the routing set on your gateway? Is there a default that points to the trust interface of the PA?
Is 172.16.0.250 a subinterface on the gateway router or a separate physical interface? Does this interface connect to the same switch where the PA connects?
Would the flow look something like this:
You are right, I have a layer 3 Brocade switch as my gateway router; its default route is pointing to the trust subinterface on the PA.
The 172.16.0.250 is the IP of the VE on the gateway router.
Your flow looks correct, so the guest laptop on vlan 172 hits the ve172 on the gateway router, then takes the default route to the PA.
Once the traffic hits that L3 boundary and routes with the default, it will lose the vlan tagging info so it won't get to the correct subinterface on the PA.
I think the easiest solution to this is to move the gateway for the guest vlan off the router and onto the PA. The PA can provide DHCP so the guest network would be self-contained, with the PA controlling all access.
Another option that might work is to move the guest vlan to a separate vrf on the router and control the next hop through the separate routing table.
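To make the reasoning in this answer concrete, here is a small added model (not code from the thread or from Palo Alto Networks) of the two devices: a toy L3 switch that strips the 802.1Q tag when it routes a packet, and a toy firewall that, like PAN-OS, derives the source zone purely from the ingress (sub)interface. It runs the three topologies discussed above: gateway for vlan 172 on the switch (the current state), gateway moved onto the PA, and the guest vlan in its own vrf whose next hop is the PA's DMZ subinterface. The PA interface names, the trust subinterface tag (10) and IP (10.0.0.1), the rule names and the untrust egress zone are assumptions; 172.16.0.251/21, 172.16.0.250 and vlan 172 come from the thread.

```python
"""Toy model of why a routed guest vlan lands in the PA's trust zone.

Added illustration, not the thread's or PAN-OS's own code. Zone lookup on a
PAN-OS firewall is by ingress interface, and a routed packet carries whatever
tag the link to the next hop uses, not the tag of the vlan it started on.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    vlan: Optional[int]  # 802.1Q tag on the wire (None = untagged)


# --- Firewall side (PA) ----------------------------------------------------
# (physical port, tag) -> subinterface. Tag 10 / 10.0.0.1 for the trust
# subinterface are assumed; tag 172 / 172.16.0.251 are from the thread.
PA_INTERFACES: Dict[Tuple[str, Optional[int]], str] = {
    ("ethernet1/1", 10): "ethernet1/1.10",    # trust, 10.0.0.1 (assumed)
    ("ethernet1/1", 172): "ethernet1/1.172",  # DMZ, 172.16.0.251/21
}
PA_ZONES = {"ethernet1/1.10": "trust", "ethernet1/1.172": "DMZ"}
PA_RULES = [  # (rule name, from zone, to zone); names are assumed
    ("trust-to-untrust", "trust", "untrust"),
    ("DMZ-to-untrust", "DMZ", "untrust"),
]
INTERNET_ZONE = "untrust"  # zone of the PA's own default route (assumed)


def pa_ingress_zone(port: str, pkt: Packet) -> str:
    """Zone is a property of the interface the packet arrives on, nothing else."""
    iface = PA_INTERFACES.get((port, pkt.vlan))
    return PA_ZONES[iface] if iface else "dropped (no interface for tag)"


def pa_match_rule(port: str, pkt: Packet) -> str:
    """First rule whose from/to zones match; internet-bound traffic exits untrust."""
    zone = pa_ingress_zone(port, pkt)
    for name, src_zone, dst_zone in PA_RULES:
        if src_zone == zone and dst_zone == INTERNET_ZONE:
            return name
    return "no rule"


# --- Switch side (L3 Brocade) -------------------------------------------------
# Each vrf has one default route; the egress vlan is the vlan the next hop lives on.
SWITCH_VRFS = {
    "default": {"next_hop": "10.0.0.1", "egress_vlan": 10},       # -> PA trust subif
    "guest":   {"next_hop": "172.16.0.251", "egress_vlan": 172},  # -> PA DMZ subif
}
# Which vlans have a ve (SVI) on the switch, and in which vrf.
TOPOLOGIES = {
    "gateway_on_switch": {172: "default"},  # ve172 in the global table (today)
    "guest_vrf": {172: "guest"},            # ve172 moved into its own vrf
    "gateway_on_pa": {},                    # no ve172: vlan 172 is bridged to the PA
}


def switch_forward(pkt: Packet, topology: str) -> Packet:
    """Packet as it leaves the switch toward the PA.

    A vlan with a ve on the switch is routed: the original tag is gone and the
    packet is re-tagged for the link to that vrf's next hop. A vlan without a
    ve is bridged at layer 2 and keeps its tag.
    """
    vrf = TOPOLOGIES[topology].get(pkt.vlan)
    if vrf is None:
        return pkt  # L2 only: tag preserved
    return Packet(pkt.src, pkt.dst, vlan=SWITCH_VRFS[vrf]["egress_vlan"])


def guest_flow(topology: str) -> Tuple[str, str]:
    """(ingress zone on the PA, matched rule) for a constructed guest->internet packet."""
    pkt = Packet("172.16.0.10", "203.0.113.5", vlan=172)  # constructed sample
    at_pa = switch_forward(pkt, topology)
    return pa_ingress_zone("ethernet1/1", at_pa), pa_match_rule("ethernet1/1", at_pa)


if __name__ == "__main__":
    for name in TOPOLOGIES:
        print(f"{name:>18}: zone={guest_flow(name)[0]}, rule={guest_flow(name)[1]}")
```

Running it shows the thread's symptom (`gateway_on_switch` -> trust, trust-to-untrust) and that either fix lands the traffic on the DMZ subinterface, because what matters to the PA is the tag on the wire when the packet arrives, not the vlan the laptop sits on.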