12-21-2011 05:02 AM
Hello,
I need to install a PA200 for an internet breakout. Since I can't change the IP subnet, I thought to change the default gw to the PA and use the PA as a router for traffic to the WAN (same subnet). But my problem is now that traffic coming from the WAN to the client is coming from 192.168.1.1 -> to the PC 192.168.1.50 -> to the PA 192.168.1.5 -> to the WAN router 192.168.1.1 doesn't work since the firewall doesn't allow that.
Isn't there a way to use ICMP redirect so the PA200 is only working as a router for that kind of traffic?
12-21-2011 10:45 PM
Exactly,
I thought I could just let the PA reroute the traffic, but then I found out that incoming traffic (from WAN) begins to loop since the PA doesn't do an ICMP redirect. Isn't there a trick? Or I add a router or try to use the network switch as default GW.
Question is would it work like this?
Guess not, I thought with Virtual Wire I can't route traffic?
12-22-2011 06:26 AM
WAN=Wide Area Network from the Company
Internet=Local Breakout for http/https/vpn...
12-22-2011 06:38 AM
I wonder if Policy Based Forwarding would fit the bill here:
It's kind of the same principle. You have two "ISPs" but you want some of the traffic to go one way, and some of the traffic the other way and be transparent to the client.
You might have to reach out to support on this one. I'm sure there's a way to do it, either by PBF or changing your routing table around.
01-16-2012 02:36 AM
PBF would only work if both gateways are behind the firewall.
Well, let me think about that... I can't connect the same IP subnet to different ports or?
01-20-2012 12:35 PM
Why do you need to use 2 routers? Can't you consolidate the WAN and INET connections on the PA200?
I really am having a difficult time understanding this deployment. If you have two routers involved you need to make sure the routing table is correct to send internal traffic to the WAN and anything else to the INET. You may have some NAT considerations as well.
Steve Krall
01-20-2012 02:40 PM
I don't get the drawings.
Could you provide us with a drawing of how it looks right now (without the PAN) and which network is used on which interface (along with which IP each interface on each box has)?
If we assume you have a setup similar to:
WAN (192.168.0.0/24) [192.168.0.1] <WAN-ROUTER> [192.168.1.254] (192.168.1.0/24 (L2-SWITCH)) [192.168.1.5] <CLIENT>
Then you should be fine with just plugging in your PA200 on the switch between WAN-ROUTER and CLIENT and giving the PAN unit the following settings:
192.168.1.253/24, defgw [IP of ISP-ROUTER]
Then in your clients you setup a routing table similar to:
0.0.0.0/0 nexthop 192.168.1.253
192.168.0.0/24 nexthop 192.168.1.254
192.168.1.0/24 directly attached
and voila... no need for icmp redirects and shit like that 🙂
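Added example, not part of the original thread: a small Python model of the client routing table from the reply above, showing by longest-prefix match which next hop each destination gets and why moving only the default gateway leaves WAN flows asymmetric at the firewall. The sample hosts 192.168.0.20 and 203.0.113.10 are constructed, and the WAN router's table is assumed from the interface addresses in the reply's diagram.

```python
import ipaddress

# Addresses from the reply above; None as gateway means "directly attached".
PA = "192.168.1.253"          # PA-200 on the shared LAN
WAN_ROUTER = "192.168.1.254"  # existing WAN router on the same LAN
CLIENT = "192.168.1.5"

def table(*routes):
    return [(ipaddress.ip_network(prefix), gw) for prefix, gw in routes]

# Client table proposed in the reply: default via PA, WAN prefix via WAN router.
SPLIT = table(("0.0.0.0/0", PA), ("192.168.0.0/24", WAN_ROUTER),
              ("192.168.1.0/24", None))
# Original attempt: only the default gateway was pointed at the PA.
DEFAULT_ONLY = table(("0.0.0.0/0", PA), ("192.168.1.0/24", None))
# WAN router (assumed): both subnets directly attached, as in the diagram.
WAN_ROUTER_TABLE = table(("192.168.0.0/24", None), ("192.168.1.0/24", None))

def next_hop(routes, dst):
    """Longest-prefix match; returns the gateway, or dst itself when on-link."""
    dst_ip = ipaddress.ip_address(dst)
    matches = [(net, gw) for net, gw in routes if dst_ip in net]
    if not matches:
        raise LookupError(f"no route to {dst}")
    _, gw = max(matches, key=lambda m: m[0].prefixlen)
    return gw if gw is not None else dst

def wan_flow_firewall_view(client_routes, wan_host):
    """(forward, return) flags: does each direction of a WAN flow cross the PA?"""
    forward = next_hop(client_routes, wan_host) == PA
    # Replies enter the LAN at the WAN router, which delivers on-link.
    returning = next_hop(WAN_ROUTER_TABLE, CLIENT) == PA
    return forward, returning

def is_asymmetric(client_routes, wan_host):
    forward, returning = wan_flow_firewall_view(client_routes, wan_host)
    return forward != returning

if __name__ == "__main__":
    for name, routes in (("default-only", DEFAULT_ONLY), ("split", SPLIT)):
        print(name, "WAN next hop:", next_hop(routes, "192.168.0.20"),
              "asymmetric at PA:", is_asymmetric(routes, "192.168.0.20"))
    print("internet next hop:", next_hop(SPLIT, "203.0.113.10"))
```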