This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

icmp redirect support

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

icmp redirect support

glebon
Not applicable

‎07-18-2013 08:07 AM

Hello,

simple question:

Does PA devices send / support icmp redirect ?

Use case:

PA device is the default GW for local LAN subnet (A).

PA device has a route to an another subnet (B). The next hop is on his LAN Interface.

Local Clients devices has only a default GW to PA LAN Interface.

From my understanding and some tests:

PA device does not send ICMP redirect to Local Clients when they try to reach another subnet (B).

icmp echo / reply are OK but other type of communications fall with strange behavior on monitor. Traffic form local subnet are seen from his outside interface (not the lan) with destination NAT etc... Traffic seems to "loop" on the PA device.

If The local Client have a static route for B subnet everything is ok.

Thanks in advance.

Best regards.

Guillaume

1 person had this problem.
Labels:
0 Likes Likes
3 REPLIES 3

VinceM
L5 Sessionator

‎07-18-2013 09:36 AM

Hi,

Exact, no icmp redirect in the palo.

But if yo just want your laptop be able to access to subnet B, two cases:

     Subnet B is connected to another Palo's interface then just need security rle for allowing traffic from Zone-Sub-A to Zone-Sub-B

     Subnet B is not connected, then need same thing plus a route in your Vrouter.

Make sense ?

V.

glebon
Not applicable
In response to VinceM

‎07-18-2013 11:47 PM

Thanks you for your time.

In fact Subnet B is a remote location.

Connectivity to branch offices (like B) pass through a router provided by an ISP which has an interface on local subnet A (the next hop used on the vr of the PA).

With static route on the host on subnet A it works but for admin purpose it is not optimal.

Guillaume

0 Likes Likes

VinceM
L5 Sessionator
In response to glebon

‎07-19-2013 02:51 AM

Static route not on the host but on the Palo 🙂

Or if you've got time, configured dynamic routing like OSPF 🙂

V.

0 Likes Likes
  • 5852 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks