This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Help with inter-subnet routing

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Help with inter-subnet routing

ckluck
L0 Member

‎06-17-2016 01:13 PM - edited ‎06-20-2016 05:36 AM

Looking for input on a subnet routing, issue I am having. 

 

So I have let’s say for argument I have two zones, Trust and Untrust. 

 

Interfaces

Int 1/1 - Untrust Internet 192.168.0.1

Int 1/2 - Trust 10.8.1.20

Int 1/3 - Trust 10.26.96.1

 

I have a virtual router (default)

Default

Destination 0.0.0.0/0

Int 1/1

Net Hop Value 69.168.XX.XX

 

 

This is where I am getting confused!

I want the Both (8)(9) be able to talk to each other

Access Name

Destination  10.26.96.0/30

Int 1/3

Next Hop Value 10.26.96.1

 

No Working, so? Need a little help.

 

Thanks,

0 Likes Likes
5 REPLIES 5

nikoo
L3 Networker

‎06-17-2016 01:37 PM

Could you please tell me what are addresses (and subnets masks) of two hosts trying to communicate, where are they connected (zones/ports) and what are their default gw settings? 

 

By default hosts are able to talk within the zone (intra-zone traffic) interfaces and are denied for traffic between the zones (inter-zone traffic). And one thing that seems to be not entirely correct - default route (0.0.0.0/0) should point to address within e1/3 range (basically gateway for that interface), because firewall does not know how to reach that 69.168.242.65 at the moment.

0 Likes Likes

ckluck
L0 Member
In response to nikoo

‎06-20-2016 05:36 AM - edited ‎06-20-2016 05:36 AM

Zone is trusted

Int 2 - 10.8.1.20 Interface IP (255.255.255.0)

Int 3 - 10.26.96.1 Interface IP (255.255.255.0)

 

I am using the int address(e)s as each of their own Default Gateways, I am then using a generic route rule 0.0.0.0/0 to route traffic to Int1/1 interface for internet. 

0 Likes Likes

Transporter
L3 Networker
In response to ckluck

‎06-20-2016 05:55 AM - edited ‎06-20-2016 06:03 AM

Hi,

 

This is directly connected networks to Palo,  so they should be talking to each other without any additional static routes or routing.  Please confirm you can ping your subinterfaces and make sure that the policy in place and correct traffic permitted.

 

Thanks,

0 Likes Likes

nikoo
L3 Networker
In response to ckluck

‎06-20-2016 06:15 AM

Yes, I tend to agree with Transporter, although the description is still kind of a blurry.

Basically check everything step by step:

  • Check network settings on each - IP, mask, gw address (Palo Alto subinterface address and host/gw should be from the same subnet);
  • Test if you can reach gateway from the end host (ping subinterface address, but make sure your subinterface mgmt profile allows pinging);
  • Make sure your security rules have logging enabled;
  • Inititate traffic from one end host to another and check Palo Alto logs - you should see what happended with that traffic;
  • If nothing is visible from there - try capturing packets (https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Run-a-Packet-Capture/ta-p/62390) and see if traffic arrives at the Palo Alto at all.
0 Likes Likes

ShannonRowe
L2 Linker

‎06-28-2016 02:41 PM

Yea can you provide a bit more detail? What is (8) and (9)?

 

Please provide:

 

Source and destination subnets you want to talk, and the zones and interfaces associated with each IP subnet.

Gateway address of clients in each source and destination subnet

0 Likes Likes
  • 3138 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks