05-29-2014 12:36 AM
PC(trust zone-172.16.10.98/24)->(eth1/1-172.16.10.100)PAN FW(eth1/2-192.168.1.104/24)->(192.168.1.1/24) DSL modem(untrust)
My vr config: Destination:0.0.0.0/0, Interface:eth1/1, Next hop:192.168.1.1/24
my security policy: trust to untrust -any any
my Nat: no source/dest NAT.
Now i cant accesss internet from my PC(172.16.10.98/24)
Any additional config needed?
Thanks
05-29-2014 01:04 AM
Hello Javith,
The modem is not having return route, how to reach 172.16.10.0/24 subnet. Hence, i would recommend you to configure a source NAT on PAN FW as mentioned below:
From Zone- trust
To zone- untrust
Source : 172.16.10.0/24
Destination - any
NAT- dynamic-ip and ports ( ethernet 1/2-192.168.1.104)
So, all traffic coming from 172.16.10.0/24 subnet now source IP change to 192.168.1.104 and for the return traffic, the modem is having route ( directly connected) for 192.168.1.104.
Please let us know the result.
Thanks
05-29-2014 01:04 AM
Hello Javith,
The modem is not having return route, how to reach 172.16.10.0/24 subnet. Hence, i would recommend you to configure a source NAT on PAN FW as mentioned below:
From Zone- trust
To zone- untrust
Source : 172.16.10.0/24
Destination - any
NAT- dynamic-ip and ports ( ethernet 1/2-192.168.1.104)
So, all traffic coming from 172.16.10.0/24 subnet now source IP change to 192.168.1.104 and for the return traffic, the modem is having route ( directly connected) for 192.168.1.104.
Please let us know the result.
Thanks
05-29-2014 02:11 AM
Hi Hulk,
Thanks for ur reply..But Nothing happened
From the firewall(172.16.10.1-inband access)..I can ping eth1/2-192.168.1.104/24 but i cant ping 192.168.1.1/24 (DSL modem)
From internal pc(172.16.10.98/24) i can ping 172.16.10.1 but i cant ping 192.168.1.X
Please guide
05-29-2014 07:17 AM
Hello Javith,
Could you please verify the traffic logs ( GUI > Monitor > Logs > Traffic) and see some more formation. GUI --> Traffic log, you may use filters like ( addr.src in IP_ADD_OF_THE_TESTING_PC ) and ( addr.dst in IP_ADD_OF_THE_DESTINATION ) to check the security policy that the traffic hitting. Also, you can check the real time session in the CLI by using 'PAN>show session all filter source IP_ADD_OF_THE_TESTING_PC "
Otherwise, we may ned to enable FLOW BASIC feature to understand the exact reason behind the drop:
> debug dataplane packet-diag clear all
> debug dataplane packet-diag set filter match source IP_ADD_OF_THE_TESTING_PC destination IP_ADD_OF_THE_DESTINATION
> debug dataplane packet-diag set filter match source IP_ADD_OF_THE_DESTINATION destination IP_ADD_OF_THE_TESTING_PC
> debug dataplane packet-diag set log feature flow basic
> debug dataplane packet-diag set log feature tcp all
> debug dataplane packet-diag set filter on
> debug dataplane packet-diag set log on
~~~~~~~~~~~~~~~~ Initiate traffic through the PAN firewall/try to browse a website ~~~~~~~~~~~~~~~~~~~~~~~~~
> debug dataplane packet-diag set log off
> debug dataplane packet-diag aggregate-logs
> less mp-log pan_packetdiag_log.log
For more information, you can follow the DOC: Packet Capture, Debug Flow-basic and Counter Commands
Thanks
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
