This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Issue creating multiple DMZs with layer3 interfaces

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Issue creating multiple DMZs with layer3 interfaces

ailfionn
L0 Member

‎02-11-2011 09:00 AM

I have an issue with getting 2 DMZs working in layer 3 mode on Palo Alto version 3.1.7.

I have set up my first DMZ and can communicate perfectly with the internal network. When I setup a second dmz (using completely different interface ports), but exactly the same configuration I cannot communicate from the internal network to the new dmz. Funnily I can communicate perfectly from the new DMZ to the internal but not the other way around. I have enabled policies both ways and if I ping I can see the traffic being allowed both ways.

I have double checked the routing and that seems fine as well.

I have come to th conclusion there must be some simple configuration to solve this that I am missing :smileyconfused:or there is a bug in the Palo Alto software.

 

Also since I upgraded to version 3.1.7 I get the following error when I do a commit

device: Invalid address value 'NaN'

Anyone had a similar issue

0 Likes Likes
4 REPLIES 4

gswcowboy
L6 Presenter

‎02-11-2011 10:02 AM

Hi,

The warning is a bug in 3.1.7 and Developers are working on a fix. Are you saying that pings indicate 'allow' on the traffic log but dmz to internal pings are not getting a response?

ailfionn
L0 Member
In response to gswcowboy

‎02-11-2011 10:42 AM

Thanks for this. I am saying that pings indicate 'allow' on the traffic log but internal to dmz pings are not getting a response?.

I got 2 dmz's working in the last hour by adjusting native vlan on the Cisco switch to the specific vlan and changing every interface to trunking and allowing vlan 1 as well as the vlan I wanted. I am not comfortable that I have actually cracked it yet so any more information would be good.

0 Likes Likes

mharding
L4 Transporter
In response to ailfionn

‎02-11-2011 11:15 AM

Are both of the DMZ zones on the same Cisco switch? Your could implement router on a stick with the Palo Alto by creating sub interfaces with the VLAN tag.

I would also make sure that the new DMZ interface is in the routing table.

0 Likes Likes

ailfionn
L0 Member
In response to mharding

‎02-11-2011 11:34 AM

Cheers,

Yes that is exactly what I changed to.   Sub interfaces.   They are both on the same switch so obviously I do  not want to enable routing on the switch but perform the routing through the PA.  I think I am working ok now  but will fully test next week.

Thanks for your suggestions

0 Likes Likes
  • 2974 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks