Issue creating multiple DMZs with layer3 interfaces

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Issue creating multiple DMZs with layer3 interfaces

L0 Member

I have an issue with getting 2 DMZs working in layer 3 mode on Palo Alto version 3.1.7.

I have set up my first DMZ and can communicate perfectly with the internal network. When I setup a second dmz (using completely different interface ports), but exactly the same configuration I cannot communicate from the internal network to the new dmz. Funnily I can communicate perfectly from the new DMZ to the internal but not the other way around. I have enabled policies both ways and if I ping I can see the traffic being allowed both ways.

I have double checked the routing and that seems fine as well.

I have come to th conclusion there must be some simple configuration to solve this that I am missing :smileyconfused:or there is a bug in the Palo Alto software.

 

Also since I upgraded to version 3.1.7 I get the following error when I do a commit

device: Invalid address value 'NaN'

Anyone had a similar issue

4 REPLIES 4

L6 Presenter

Hi,

The warning is a bug in 3.1.7 and Developers are working on a fix. Are you saying that pings indicate 'allow' on the traffic log but dmz to internal pings are not getting a response?

Thanks for this. I am saying that pings indicate 'allow' on the traffic log but internal to dmz pings are not getting a response?.

I got 2 dmz's working in the last hour by adjusting native vlan on the Cisco switch to the specific vlan and changing every interface to trunking and allowing vlan 1 as well as the vlan I wanted. I am not comfortable that I have actually cracked it yet so any more information would be good.

Are both of the DMZ zones on the same Cisco switch? Your could implement router on a stick with the Palo Alto by creating sub interfaces with the VLAN tag.

I would also make sure that the new DMZ interface is in the routing table.

Cheers,

Yes that is exactly what I changed to.   Sub interfaces.   They are both on the same switch so obviously I do  not want to enable routing on the switch but perform the routing through the PA.  I think I am working ok now  but will fully test next week.

Thanks for your suggestions

  • 2642 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!