I have this scenario:
My PA-200 has two interfaces: one connected to the Internet Zone, the other to the LAN Zone. The LAN interface has 192.168.1.1/24 as its IP address. I have another LAN connected through a router with IP address 192.168.1.254.
In the PA-200, in the default router, I added the route for 192.168.2.0/24 with gateway 192.168.1.254.
Ping works, traceroute too. But when I try Remote Desktop, HTTP, telnet (or any TCP) from 192.168.1.100 to 192.168.2.100 (or vice versa), I cannot connect and get a "time out" message.
Both 192.168.1.0/24 and 192.168.2.0/24 are in the same zone. What is the cause that I cannot make TCP connections between these two LANs?
I am using PAN-OS 7.0.3.
Best Regards to everyone.
Asymmetric routing. I think the SYN is going through the PA and the SYN-ACK is coming directly to the device, and then the ACK is going to the PA and the PA is dropping it.
As a workaround, do a source NAT of the traffic to 192.168.1.1 for traffic coming from 192.168.1.100 going to 192.168.2.100.
Apart from NAT, if possible, you can have static persistent routes on the hosts in 192.168.1.0/24 segment to route traffic for 192.168.2.0/24 via the router 192.168.1.254.
I am not sure of the purpose of the router, but you could also move the router and the 192.168.2.0/24 segment into a new zone on the PA-200.
Though technically possible, the firewall should not send traffic back out the same interface it received it on.
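As an added example (not from any poster in this thread) of the source NAT workaround proposed above, here are PAN-OS set commands for the first scenario. The interface name ethernet1/2 and the zone name LAN are assumptions; the post names neither. The NAT rule hides LAN hosts behind the firewall's own 192.168.1.1 for traffic to 192.168.2.0/24, so the router at 192.168.1.254 returns replies to the firewall and both directions of every TCP session pass through it. The test commands at the end check the result instead of committing blind.

```text
# PAN-OS 7.x CLI, configuration mode. Assumed names: zone "LAN", interface ethernet1/2.
configure

# Route to the second LAN via the internal router (the poster already has this).
set network virtual-router default routing-table ip static-route to-lan2 destination 192.168.2.0/24 interface ethernet1/2 nexthop ip-address 192.168.1.254

# U-turn (hairpin) source NAT: LAN -> LAN traffic for 192.168.2.0/24 leaves ethernet1/2 with the
# firewall's own interface address, so 192.168.1.254 sends every reply back to the firewall.
set rulebase nat rules lan-to-lan2-snat from LAN to LAN source 192.168.1.0/24 destination 192.168.2.0/24 service any to-interface ethernet1/2 source-translation dynamic-ip-and-port interface-address interface ethernet1/2

# Intrazone traffic is allowed by default; an explicit rule makes these sessions visible in the traffic log.
set rulebase security rules lan-to-lan2 from LAN to LAN source 192.168.1.0/24 destination 192.168.2.0/24 application any service any action allow log-end yes

commit
exit

# Checks (operational mode):
# 1. Confirm the NAT rule matches an RDP connection from 192.168.1.100 to 192.168.2.100.
test nat-policy-match from LAN to LAN source 192.168.1.100 destination 192.168.2.100 protocol 6 destination-port 3389
# 2. Open RDP from 192.168.1.100 and confirm the session is ACTIVE and translated to 192.168.1.1.
show session all filter source 192.168.1.100 destination 192.168.2.100
# 3. If sessions still stall, watch the drop counters while a connection is attempted.
show counter global filter severity drop delta yes
```

Without the NAT rule the firewall sees the SYN and the client's ACK but never the SYN-ACK, because the router delivers that straight to 192.168.1.100 on the shared subnet; the session never leaves its opening state and the client times out. On PAN-OS an asymmetric TCP path of this kind typically shows up in step 3 as rising non-SYN TCP drop counters (flow_tcp_non_syn_drop).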
Dear Reaper and Sly_Cooper,
I have a similar issue. I have two LANs. LAN 1 is 10.0.0.0/24, which goes to the internet, and that is working fine. The interfaces are eth1/1 as the WAN and eth1/2 as the LAN; the gateway is 10.0.0.1/24. From my laptop with IP 10.0.0.69/24, internet is working. From my laptop I need to connect to the other LAN. The other LAN is connected to eth1/8 with IP 10.10.10.9/24; this LAN's gateway is 10.10.10.1/24. I am using two cables: one goes to 10.0.0.0 and the other goes to 10.10.10.0. But I want to be able to connect to 10.10.10.0/24 without having to change the cable every time. How can I create a local vrouter to connect these two LANs together?
Thank you so much
How have you configured your firewall? If you added all interfaces to the same VR, this will work out of the box.
Make sure your NAT rules are set to specific zones (trust to untrust, ...) so you don't accidentally NAT inter-LAN connections, and make sure to set your security policies so the connections are allowed.
Thank you so much for your prompt reply. I wanted to give you all my configuration:
The management int IP is 10.0.0.2/24 and the default gateway is 10.0.0.1/24 working
eth1/1 layer 3 IP 126.96.36.199/29 connect to ISP working
eth1/2 layer 3 IP 10.0.0.1/24 connect through Internet_Gateway
vRouter: Internet_Gateway interfaces eth1/1 and 1/2:
next hop IP 188.8.131.52 static route working
Internet: layer 3 eth1/1
Users: layer 3 eth1/2
bad-application-block: source zone users to dest zone internet
internet-access: source zone users to dest zone internet
outband-nat source users dest internet dest interface eth1/1 any any
source translation: dynamic-ip-and-port ethernet1/1 184.108.40.206/29 working
Now I have another LAN that only I need access to, no one else, which has our Windows server that I need to connect to for backups, RDP and Active Directory. The IP address is 10.10.10.0/24. I configured interface eth1/8 as layer 3 with IP 10.10.10.9/24.
By the way, this 10.10.10.0 network is going through a Cisco router to the internet, which I configured already and is working fine.
All I want is for my laptop 10.0.0.9/24 with gateway 10.0.0.1 to reach the server on 10.10.10.0; the server is 10.10.10.2.
I tried a few things but it is still not working. Kindly help me and send me documents where I can configure it myself.
By the way I already passed the PA ACE certificate.
Thank you so much
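For the second scenario, here are PAN-OS set commands (an added example, not the poster's or the responder's configuration) that do what the reply above describes: put ethernet1/8 into the existing virtual router, give it its own zone, and allow only the laptop to reach the server. The zone name Servers and the rule names are assumptions. The laptop address is given as 10.0.0.69 in one post and 10.0.0.9 in the other; the example uses 10.0.0.9. Because the server's default gateway is the Cisco router at 10.10.10.1 rather than the firewall, the example also source-translates the laptop to the ethernet1/8 address (10.10.10.9) so the server's replies return through the firewall; the alternative is a static route for 10.0.0.0/24 via 10.10.10.9 on the Cisco router.

```text
# PAN-OS 7.x CLI, configuration mode. Assumed names: zone "Servers", rules "users-to-servers*".
configure

# ethernet1/8 already has 10.10.10.9/24; add it to the same virtual router as ethernet1/1 and
# ethernet1/2 so the firewall routes between 10.0.0.0/24 and 10.10.10.0/24 as connected networks.
set network virtual-router Internet_Gateway interface ethernet1/8

# Give the server segment its own zone; do not add it to Users, or the Users-to-Internet rules
# cannot tell the two segments apart.
set zone Servers network layer3 ethernet1/8

# Least privilege: only the laptop, only the server, only the applications needed (extend the list as required).
set rulebase security rules users-to-servers from Users to Servers source 10.0.0.9 destination 10.10.10.2 application [ ms-rdp ping ] service application-default action allow log-end yes

# The server's gateway is the Cisco router (10.10.10.1), so its replies to 10.0.0.9 would bypass the firewall.
# Hide the laptop behind 10.10.10.9 so the server answers the firewall directly.
set rulebase nat rules users-to-servers-snat from Users to Servers source 10.0.0.9 destination 10.10.10.2 service any to-interface ethernet1/8 source-translation dynamic-ip-and-port interface-address interface ethernet1/8

commit
exit

# Checks (operational mode):
test routing fib-lookup virtual-router Internet_Gateway ip 10.10.10.2
test security-policy-match from Users to Servers source 10.0.0.9 destination 10.10.10.2 protocol 6 destination-port 3389
test nat-policy-match from Users to Servers source 10.0.0.9 destination 10.10.10.2 protocol 6 destination-port 3389
show session all filter source 10.0.0.9 destination 10.10.10.2
```

The existing outband-nat rule matches only destination zone Internet, so it leaves traffic to Servers untranslated, which is the zone-specific NAT the reply asked for. Likewise the two Users-to-Internet security rules never match a Servers destination, so without the explicit Users-to-Servers rule the interzone default deny drops the RDP connection silently.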