11-09-2023 03:45 AM - edited 11-16-2023 02:57 AM
Hello everyone,
I am using a PA-220.
Let's call the Palo Alto firewall "X",
the office firewall "Y",
and the other firewall "Z".
Firewall X has 8 interfaces.
Interface 1/1 has the IP address 192.168.5.254. We assigned this interface to a zone called "DMZ". When this firewall and this interface want to communicate with our office network, the traffic is sent to firewall Y with the IP 192.168.5.1. "Works fine as intended."
Interface 1/2: This interface is physically connected to another firewall, Z, and has the IP 192.168.9.127. It is also assigned to a zone named "InterConnectedNetwork". The IP of firewall Z is 192.168.9.1.
Firewall Z has three VLANs: 192.168.11/13/15. All participants of these VLANs can talk to each other through firewall Z without any problem. Internal routing is configured as follows: any traffic that comes to firewall Z but is intended for one of its VLAN participants is forwarded by firewall Z to the right machine.
Now let's say a machine with IP 10.50.5.20 is trying to talk to one of the VLANs of firewall Z through firewall Y (which has a static route to firewall X; this works fine) and the DMZ of firewall X. Since I do not want to expose the IPs of the VLANs behind firewall Z, I created an S-NAT in the Palo Alto. It works fine. The traffic in this case looks like the following: (VLAN participant 192.168.13.19) sends a packet to its gateway 192.168.13.1 --> from this point firewall Z forwards this packet through the Palo Alto interface 1/5 192.168.9.127 --> then the DMZ of firewall X sends the packet to firewall Y 192.168.5.1 --> firewall Y sends the packet to 10.50.5.20.
Again, the packet flow: 192.168.13.19 -> 192.168.13.1 -> 192.168.9.127 -> 192.168.5.1 -> 10.50.5.20, so outbound NAT works perfectly.
What is not working is inbound. I have tried everything that I could, but it is not working. For inbound, the traffic reaches the DMZ of the Palo Alto but it is not forwarded further. The traffic stops at the following point: 10.50.5.20 -> 192.168.5.1 -> 192.168.5.254
What I already tried:
Of course there is always the possibility that I implemented all this in a wrong way.
Can anyone help? Any kind of suggestion regarding this problem would be nice!
Best regards,
Rahaman
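The usual PAN-OS pattern for the inbound direction described in the post, as an added example that is not part of the original post and not the solution the thread arrived at. It shows the two pieces that have to agree for a destination NAT to pass traffic: the NAT rule, which is matched on the pre-NAT zones (here DMZ to DMZ, because 192.168.5.254 is itself the DMZ interface), and the security rule, which is matched on the post-NAT destination zone but the pre-NAT destination address. The rule names, the translated VLAN host 192.168.13.19, the choice of TCP/443 and the source translation to the ethernet1/2 address are assumptions made to fit the topology in the post; adjust them to the real service and host.

```text
# PAN-OS "set" CLI on firewall X (the PA-220), entered in configure mode.
# Added example, not from the thread. Rule names, the translated host
# 192.168.13.19 and TCP/443 are assumptions chosen to fit the post's topology.

# Inbound DNAT: office host 10.50.5.20 connects to 192.168.5.254 (the DMZ
# interface, pre-NAT destination) and is translated to the VLAN host behind Z.
# Pre-NAT destination zone is DMZ because a route lookup for 192.168.5.254
# lands on the DMZ interface itself, so the NAT rule is DMZ -> DMZ.
set rulebase nat rules Inbound-DNAT from DMZ to DMZ
set rulebase nat rules Inbound-DNAT source 10.50.5.20
set rulebase nat rules Inbound-DNAT destination 192.168.5.254
set rulebase nat rules Inbound-DNAT service service-https
set rulebase nat rules Inbound-DNAT destination-translation translated-address 192.168.13.19
# Assumption: also source-translate to the ethernet1/2 address so that the
# reply from 192.168.13.19 returns to X even if firewall Z has no route for
# 10.50.0.0/16 via 192.168.9.127. Drop this line if Z does have that route.
set rulebase nat rules Inbound-DNAT source-translation dynamic-ip-and-port interface-address interface ethernet1/2

# Security policy for the DNAT'd session: source zone is where the packet
# arrives (DMZ), destination zone is the POST-NAT zone (InterConnectedNetwork),
# destination address is the PRE-NAT IP (192.168.5.254), not 192.168.13.19.
set rulebase security rules Allow-Inbound-DNAT from DMZ to InterConnectedNetwork
set rulebase security rules Allow-Inbound-DNAT source 10.50.5.20
set rulebase security rules Allow-Inbound-DNAT destination 192.168.5.254
set rulebase security rules Allow-Inbound-DNAT application any
set rulebase security rules Allow-Inbound-DNAT service service-https
set rulebase security rules Allow-Inbound-DNAT action allow
commit

# Checks, from operational mode: ask the firewall which NAT rule and which
# security rule a simulated packet from the office host would hit. If the
# second command reports no matching rule, the DNAT is fine but the policy is
# written against the wrong zone or the post-NAT address.
test nat-policy-match from DMZ to DMZ source 10.50.5.20 destination 192.168.5.254 protocol 6 destination-port 443
test security-policy-match from DMZ to InterConnectedNetwork source 10.50.5.20 destination 192.168.5.254 protocol 6 destination-port 443
```

The most common reason a DNAT session is seen arriving at the DMZ interface and then goes nowhere is a security rule written with the post-NAT address (192.168.13.19) or with DMZ as the destination zone; PAN-OS evaluates the security policy with the pre-NAT address and the post-NAT zone, so that rule never matches. The second most common reason is the return path: 192.168.13.19 must route its reply to 10.50.5.20 back through 192.168.9.127, either via a route on firewall Z or via the source translation shown above. The traffic log for the session (Monitor > Traffic, filtered on the source and destination addresses) will show the matched rule and the session end reason, which separates the two cases.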
11-09-2023 08:39 AM
Hi @MRahaman ,
Can you share a screenshot of your DNAT and security policy? If you don't feel comfortable sharing here, you can send me a PM.