This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Object address with Security rule stops VM from allocating IP

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Object address with Security rule stops VM from allocating IP

JRussell
L3 Networker

‎06-24-2014 02:04 AM

I have a Esxi Server with a particular VM machine on it. If I reboot that machine it does not give it the configured IP address that I have set it for. If I try go in and manually tell it to use the IP address it is assigned it tells me that this IP address is already in use.

If I go and change the Object IP address in Palo Alto Firewall then it allows me to set this IP address. I can then set the Object IP back after the VM has taken that IP which will then get all the NAT and security rules working but it is annoying that every time we reboot that VM it seems to happen.

I have tried putting in a static ARP entry for this, but still no joy.

Any suggestions?

0 Likes Likes
4 REPLIES 4

ajbool
L3 Networker

‎06-24-2014 02:11 AM

Sounds like the Palo Alto box is doing proxy-arp for your IP.

Do you have a NAT rule where the IP in question is the original destination address within the rule?

If so, is the source Zone of the NAT rule set to something that does NOT include the Zone where the server is?  (I think I have my logic the right way round on this one!)

0 Likes Likes

JRussell
L3 Networker
In response to ajbool

‎06-24-2014 02:38 AM

You are correct sir.

I have 2 NAT rules for this server

1 that says all external traffic going to a particular IP (the one that the A record points to on our ISP DNS), using port 49610( which I have created as a service for this app) gets destination address translated to the server internal IP on port 443.

2nd rule which says all internal traffic on that service/port and that server, gets destination address translated to the server internal IP and 443.

This is because when that server sends out links to the files within, it adds that 49610 port, and the rule was made in mind with making the links work both externally and internally without having to get internal people to remove the port.

0 Likes Likes

ajbool
L3 Networker
In response to JRussell

‎06-24-2014 02:48 AM

Looks like the second rule that is causing your problems.  Are the internal clients in the same Zone as your server?  What are the Source and Dest Zones in your 2nd NAT rule?

0 Likes Likes

JRussell
L3 Networker
In response to ajbool

‎06-24-2014 03:20 AM

There were no zones set. Let me try changing it so that the Source zones are different from the destination zone and see how that works.

0 Likes Likes
  • 2199 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks