07-18-2013 08:07 AM
Hello,
simple question:
Do PA devices send / support ICMP redirect?
Use case:
PA device is the default GW for local LAN subnet (A).
PA device has a route to another subnet (B). The next hop is on its LAN interface.
Local client devices have only a default GW to the PA LAN interface.
From my understanding and some tests:
PA device does not send ICMP redirect to Local Clients when they try to reach another subnet (B).
ICMP echo / reply are OK but other types of communication fail with strange behavior on monitor. Traffic from the local subnet is seen from its outside interface (not the LAN) with destination NAT etc... Traffic seems to "loop" on the PA device.
If the local client has a static route for subnet B, everything is OK.
Thanks in advance.
Best regards.
Guillaume
07-18-2013 09:36 AM
Hi,
Exactly, no ICMP redirect in the Palo.
But if you just want your laptop to be able to access subnet B, two cases:
Subnet B is connected to another Palo interface, then you just need a security rule allowing traffic from Zone-Sub-A to Zone-Sub-B.
Subnet B is not connected, then you need the same thing plus a route in your Vrouter.
Make sense?
V.
07-18-2013 11:47 PM
Thank you for your time.
In fact, subnet B is a remote location.
Connectivity to branch offices (like B) passes through a router provided by an ISP which has an interface on local subnet A (the next hop used on the vr of the PA).
With a static route on the host on subnet A it works, but for admin purposes it is not optimal.
Guillaume
07-19-2013 02:51 AM
Static route not on the host but on the Palo 🙂
Or if you've got time, configure dynamic routing like OSPF 🙂
V.