Traffic showing from wrong zone

Reply
L2 Linker

Traffic showing from wrong zone

Hello all, I have a (hopefully) simple problem I can't seem to figure out.

I have recently created a new DMZ zone on my PA for guest users, but when a guest tries to access the internet, the traffic is showing as sourcing from the trust zone instead of the DMZ zone. A trace from the guest user makes it to the PA, then dies. I have the policy from DMZ to untrust configured, but it never hits it, it's always using the trust to untrust policy.

 

I have a feeling I am missing something easy...

 

Any help will be much appreciated!

L4 Transporter

Re: Traffic showing from wrong zone

Is the subnet with the guest traffic assigned to an interface on the PA? Is that interface set with the guest zone?

In the traffic log, what rule is it hitting?

L2 Linker

Re: Traffic showing from wrong zone

Thanks for the quick reply rmfalconer!

 

Yes, the subinterface on the PA has a 172.16.0.251/21 assigned to it. The subinterface is assigned to the DMZ zone.

Mot sure if this matters, but the actual interface itself the subinterfaces belong to is assigned to the trust zone.

 

In the traffic log, it's hitting a trust zone to untrust zone policy, it shows it's sourcing from the subinterface assigned to the trust zone rather than the DMZ to untrust policy.

L4 Transporter

Re: Traffic showing from wrong zone

Is the switchport connected to the PA a dot1q tagging interface?

Do you have the tag definition set correctly on the PA subinterface?

L6 Presenter

Re: Traffic showing from wrong zone

what is the ip/mask of the actual interface

L2 Linker

Re: Traffic showing from wrong zone

The actual interface doesnt have an IP address assigned, the subinterface for the guest users has an IP of 172.16.0.251/21.

L2 Linker

Re: Traffic showing from wrong zone

Yep, the switchport is configured and tagged correctly, and the tagging is set on the PA as well.

 

From a guest laptop, my trace hits the gateway (172.16.0.250) IP assigned to my gateway router, then the next hop is the 10.x.x.x trust IP on the PA.

From the PA, I can ping my guest laptop sourcing from the DMZ subinterface.

L4 Transporter

Re: Traffic showing from wrong zone

Just trying to get a picture for the traffic flow. 

How is the routing set on your gateway? Is there a default that points to the trust interface of the PA?

Is 172.16.0.250 a subinterface on the gateway router or a separate physical interface? Does this interface connect to the same switch where the PA connects?

 

Would the flow look something like this:

Client--[guest vlan]-->Switch1--[dot1q]-->Gateway--[dot1q]-->Switch1--[dot1q]-->PA

 

 

L2 Linker

Re: Traffic showing from wrong zone

You are right, I have a layer 3 Brocade switch as my gateway router, it's default route is pointing to the trust subinterface on the PA.

The 172.16.0.250 is the IP of the VE on the gateway router.

 

Your flow looks correct, so the guest laptop on vlan 172, hits the ve172 on the gateway router, then takes the default route to the PA.

L4 Transporter

Re: Traffic showing from wrong zone

Once the traffic hits that L3 boundary and routes with the default, it will lose the vlan tagging info so it won't get to the correct subinterface on the PA.

I think the easiest solution to this is to move the gateway for the guest vlan off the router and onto the PA. The PA can provide DHCP so the guest network would be self-contained, with the PA controlling all access.

Another option that might work is to move the guest vlan to a separate vrf on the router and control the next hop through the separate routing table. 

 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!