04-15-2012 10:59 PM
We have installed a PAN-2050 at my customer's site.
It has been deployed with two L2 interfaces as a vwire.
And we made one L3 VLAN interface for the secondary IP.
There are 2 IP subnets (192.168.10.0/24, 192.168.1.0/24).
One (192.168.10.0/24) is for users.
The other (192.168.1.0/24) is for the DMZ server.
Both IP subnets set the PAN L3 VLAN interface as their gateway.
And one VR is in the PAN-2050 for its gateway.
The user subnet, which uses a NAT policy, can use internet and intranet services as well.
The problem is that the DMZ server couldn't use its service.
There is no security policy.
Maybe my configuration is wrong.
Please let me know what other configuration I should add.
04-16-2012 11:48 AM
Can the servers reach the users? or is the problem just the servers not getting access to the Internet?
04-16-2012 05:22 PM
Yes, the server and users can communicate with each other.
The server has a problem accessing the internet.
04-16-2012 09:23 PM
You should check your NAT rule to ensure the DMZ zone/address is included.
Also, you mentioned there is no security policy. The implicit deny all rule will block all traffic that does not match a security rule. You should have a security rule to allow traffic from DMZ to Internet.
Thanks.
04-16-2012 09:50 PM
The issue has been solved with the tcp-reject-non-syn option set to no.
PA looked at it as asymmetric routing because the SYN is an L3 flow and the SYN/ACK is an L2 flow.
04-17-2012 07:06 AM
Glad to hear it.
If this PA device is the only firewall in use, I recommend that you re-enable 'tcp-reject-non-syn' as soon as possible and not leave it off for long. You should re-design the network to separate the user and DMZ zones into their own L3 zones, and remove the L2. This will permit you to enforce 'tcp-reject-non-syn' for security reasons.
Thanks.
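The following is an added illustration, not code from this thread or from Palo Alto Networks: a toy model of a stateful firewall's first-packet check. It reproduces the symptom described above (the SYN enters on the L3 VLAN path, the SYN/ACK returns on the L2 vwire, so the reply does not match the session and is treated as a non-SYN first packet) and shows why disabling the reject-non-SYN check "fixes" it at the cost of accepting mid-stream packets with no session. The third scenario corresponds to the redesign recommended in the last reply, where both directions traverse the same L3 path. The path labels "l3" and "vwire", the client/server addresses and the session-key logic are all assumptions of this model.

```python
"""Toy model of a stateful firewall's first-packet (reject-non-SYN) check.

Constructed model, not PAN-OS code. A session is keyed on the direction-
independent 5-tuple plus the forwarding path the packet arrived on, so a
reply that comes back on a different path cannot match the session opened
by the SYN. That is the asymmetric-routing situation from the thread.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple

SYN = 0x02
ACK = 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    path: str  # assumed label for the forwarding path: "l3" or "vwire"


class StatefulFirewall:
    def __init__(self, reject_non_syn: bool = True) -> None:
        self.reject_non_syn = reject_non_syn
        self.sessions: Set[Tuple] = set()

    @staticmethod
    def _key(p: Packet) -> Tuple:
        # Same key for both directions of one connection, but distinct per path,
        # so a reply arriving on another path looks like an unknown session.
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (min(a, b), max(a, b), p.path)

    def process(self, p: Packet) -> str:
        key = self._key(p)
        if key in self.sessions:
            return "allow"              # matches an existing session
        if p.flags & SYN and not p.flags & ACK:
            self.sessions.add(key)      # legitimate session start
            return "allow"
        if self.reject_non_syn:
            return "drop"               # non-SYN first packet: rejected
        self.sessions.add(key)          # check disabled: session created from
        return "allow"                  # a mid-stream packet (weaker tracking)


def run(reply_path: str, reject_non_syn: bool) -> List[str]:
    """Return the verdicts for a DMZ server's outbound SYN and the SYN/ACK reply.

    Addresses are constructed: 192.168.1.10 stands in for a DMZ host from the
    thread's 192.168.1.0/24 subnet, 203.0.113.5 for an internet web server.
    """
    fw = StatefulFirewall(reject_non_syn)
    syn = Packet("192.168.1.10", 40000, "203.0.113.5", 80, SYN, "l3")
    synack = Packet("203.0.113.5", 80, "192.168.1.10", 40000, SYN | ACK, reply_path)
    return [fw.process(syn), fw.process(synack)]


if __name__ == "__main__":
    # Thread's original problem: reply comes back on the vwire, check enabled.
    print("asymmetric, reject on :", run("vwire", True))   # ['allow', 'drop']
    # Thread's workaround: same asymmetry, check disabled.
    print("asymmetric, reject off:", run("vwire", False))  # ['allow', 'allow']
    # Recommended redesign: both directions on the L3 path, check re-enabled.
    print("symmetric,  reject on :", run("l3", True))      # ['allow', 'allow']
```

The model deliberately leaves out NAT, zones and the rest of a real session lookup; its point is only that the first-packet check is a control worth keeping, and that the clean fix is a symmetric L3 design rather than relaxing the check. On PAN-OS the setting itself is the session option `tcp-reject-non-syn` named in the thread, configurable under `set deviceconfig setting session`.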