I have a fairly straightforward network topology for a firewall at a remote datacenter with one little catch. The PAN's revenue interfaces are an Internet interface, an internal interface, a DMZ interface, and a device management network. The catch is that the PAN's MGMT interface lies on the device management network for which it is also the default router. For example, its ethernet1/4 is 10.254.10.1/25 and its MGMT interface is 10.254.10.4/25.
Oh, and another little catch: this being a remote datacenter, we talk to that device management network over a VPN that terminates on the PAN itself.
So the problem is that I cannot reach the PAN on its MGMT interface or have it talk to our Panorama server over the VPN.
I would prefer to still use the MGMT interface for system management. I would expect there may be others in the same or similar situations. How do you manage and use Panorama with your PAN over a VPN that terminates on the PAN itself? Pointers to vendor docs or your own experiences would be appreciated. Thanks.
It should work, can you check the following:
1) Whether any security policy is blocking the connection between the Internal zone and the VPN zone
2) If you are not able to check it through the Monitor logs, add a deny rule at the end and check whether any logs are generated
3) See if you can add the MAC address of the management interface statically to the internal interface
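To illustrate point 2 of the reply, here is an added example (not from the thread or from Palo Alto Networks): a small first-match policy simulator showing why an explicit logging deny rule at the end of the rulebase surfaces VPN-to-Internal traffic toward the MGMT address that the implicit interzone deny would otherwise drop without a log entry. The zone names, rule names and rulebase are constructed; only the 10.254.10.x addresses come from the question.

```python
"""Added example: first-match security-policy evaluation (simplified PAN-OS model).
Rulebase, zone names and rule names are constructed for illustration."""
import ipaddress
from dataclasses import dataclass

MGMT_IP = "10.254.10.4"                                     # MGMT interface, from the question
DEVICE_MGMT_NET = ipaddress.ip_network("10.254.10.0/25")    # ethernet1/4 is 10.254.10.1/25


@dataclass
class Rule:
    name: str
    from_zone: str      # "any" matches every zone
    to_zone: str
    destination: str    # "any" or a CIDR
    action: str         # "allow" or "deny"
    log: bool           # whether a session hitting this rule is logged


def rule_matches(rule: Rule, from_zone: str, to_zone: str, dst: str) -> bool:
    """A rule matches when zones agree and the destination falls inside its CIDR."""
    if rule.from_zone not in ("any", from_zone):
        return False
    if rule.to_zone not in ("any", to_zone):
        return False
    return rule.destination == "any" or ipaddress.ip_address(dst) in ipaddress.ip_network(rule.destination)


def evaluate(rulebase, from_zone: str, to_zone: str, dst: str):
    """First match wins. Returns (action, rule name, logged).
    With no match, the implicit interzone-default rule denies the flow and, by default, logs nothing."""
    for rule in rulebase:
        if rule_matches(rule, from_zone, to_zone, dst):
            return rule.action, rule.name, rule.log
    return "deny", "interzone-default", False


# Constructed rulebase: nothing covers traffic arriving from the VPN zone toward the Internal zone.
RULEBASE = [
    Rule("internal-to-internet", "Internal", "Internet", "any", "allow", True),
]
# The same rulebase with the reply's suggestion: a logging deny-all appended at the end.
RULEBASE_WITH_DENY = RULEBASE + [Rule("deny-all-log", "any", "any", "any", "deny", True)]

if __name__ == "__main__":
    assert ipaddress.ip_address(MGMT_IP) in DEVICE_MGMT_NET   # MGMT shares the ethernet1/4 subnet
    print(evaluate(RULEBASE, "VPN", "Internal", MGMT_IP))            # denied silently
    print(evaluate(RULEBASE_WITH_DENY, "VPN", "Internal", MGMT_IP))  # denied, but now visible in logs
```

Once the deny hit shows in the Monitor logs, the same simulator shows that adding an allow rule from the VPN zone to the Internal zone for the MGMT address ahead of the deny makes the flow pass.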