Communication within different Trust Zones

Reply
Highlighted
L1 Bithead

Communication within different Trust Zones

Hi,

I am working with PAN-500 3.0.9.

I have configured 2 trust zones and 2 untrusted zones.

l3-trust IP 192.168.0.254/22; l3-untrust 200.78.x.x

l3-trust2 IP 192.168.10.254/24; l3-untrust 201.161.x.x

I need that users from l3-trust get access to servers located at l3-trust2.

I have this policy:

From l3-trust2 to l3-trust source address 192.168.10.0/24 destination address 192.168.0.10-192.168.0.25 Action Allow.

From l3-trust to l3-trust2 source address 192.168.0.10-192.168.0.25 destination address 192.168.10.0/24 Action Allow.

Right now, this is not working.

I hope you could help me.

Thanks.

Highlighted
L4 Transporter

Re: Communication within different Trust Zones

Hello there,

you sceneario looks very straight forward.

I would verify the following:

1. the l3-trust and l3-trust2 interfaces are on the same virtual router on the Paloalto device

2. Are there any NAT rules that any of the traffic between these two zones could be catching.....for example do you have a NAT rule that says source zone: l3-trust and destination zone any....

3. For now you can make sure that the application and the service are both set "any"......this of course is only while you are troubleshooting to illiminate the possibility of you not allowing the applications you are expecting to pass traffic (...like ping)

4. You can set the source and destination addresses to any also....this is to make sure that you did not make mistake while typing in the source and destination address or while creating the address objects.

5. Verify the routing in your network. Basically make sure that the network that when the network 192.168.0.254 tries to route to 192.168.10.x, it is pointed to the Paloalto device....check this going the other way also. Please be dilligent is checking the routing as this is often the root of issues like this.

If you are still having issues after checking the above then please call into support and we can aid in isolating the source of this issue.

thanks!

Stephen

Highlighted
Not applicable

Re: Communication within different Trust Zones

Hi,

The similar problem we also facing...both the trust and trust2 communication is happening if i put NAT rule (likey source zone trust and destination zone trust2 and destination interface should be the trust interface) then its working...though some time ICMP is not working between two trust zones where as FTP and remote desktop is working..the same as been tested with different OS and different model of PAN.suggest me to fix this problem

Highlighted
Not applicable

Re: Communication within different Trust Zones

Hi

I am working with PAN-3020 Ver 5.0

I have configured 2 trust zones and 2 untrusted zones with two VRs configured as default routes.

l3-trust IP 192.168.0.254/22; l3-untrust 200.78.x.x  ,   VR1 (NAT, configured as default route)

l3-trust2 IP 192.168.10.254/24; l3-untrust2 201.161.x.x , VR2 (NAT, configured as default route)

I need that users from l3-trust get access to servers located at l3-trust2.

Could you please help how to implement on this scenario?

Thanks in advance.

Highlighted
L6 Presenter

Re: Communication within different Trust Zones

Hi znlwin,

VR1 you have to add route 192.168.10.0/24 next VR VR2

VR2 you have to add route 192.168.0.0./24 next VR  VR1

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!