
Problems with routing two different LANs in the same interface


L1 Bithead

I have this scenario:

 

(attached diagram: Genesis Amazonas.png)

 

My PA-200 has 2 interfaces: one connected to the Internet zone, another to the LAN zone. The LAN interface has 192.168.1.1/24 as its IP address. I have another LAN connected through a router with IP address 192.168.1.254.

 

In the PA-200, in the default router, I added the route for 192.168.2.0/24 with gateway 192.168.1.254.

 

Ping works, traceroute too. But when I try remote desktop, HTTP, telnet (or any TCP) from 192.168.1.100 to 192.168.2.100 (or vice versa), I cannot connect and get a "time out" message.

 

Both 192.168.1.0/24 and 192.168.2.0/24 are in the same zone. What is the cause that I cannot make TCP connections between these 2 LANs?

 

I am using PAN-OS 7.0.3.

 

Best Regards to everyone. 

14 REPLIES 14

L5 Sessionator

Asymmetric routing. I think the SYN is going through the PA, the SYN-ACK is coming directly to the device, and then the ACK is going to the PA and the PA is dropping it.

 

As a workaround, do a source NAT of the traffic to 1.1 for traffic coming from 1.100 going to 2.100.

Thanks Pankaj...

 

Is it related? 

 

Best Regards!

Yes but instead of that you can try the workaround suggested by me.

Hi

 

please try configuring U-Turn NAT: How to Configure U-Turn NAT

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

L4 Transporter

Apart from NAT, if possible, you can have static persistent routes on the hosts in the 192.168.1.0/24 segment to route traffic for 192.168.2.0/24 via the router 192.168.1.254.

I am not sure of the purpose of the router, but can you also move the router and the 192.168.2.0/24 segment into a new zone on the PA-200?

Though technically possible, the firewall should not send traffic back out of the same interface it was received on.

Dear Reaper and Sly_Cooper,

I have a similar issue.  I have two LANs; LAN 1 is 10.0.0.0/24, which goes to the internet, and it is working fine to the internet.  The interfaces are eth1/1 as the WAN and eth1/2 as the LAN; the gateway is 10.0.0.1/24.  From my laptop with IP 10.0.0.69/24 the internet is working.  From my laptop I need to connect to the other LAN.  The other LAN is connected to eth1/8 with IP 10.10.10.9/24; this LAN's gateway is 10.10.10.1/24.  I am using two cables: one goes to 10.0.0.0 and the other cable goes to 10.10.10.0.  But I want to be able to connect to 10.10.10.0/24 without having to change the cable every time. How can I create a local vrouter to connect these two LANs together?

 

Thank you so much

Hi @rossghanim

 

How have you configured your firewall? If you added all interfaces to the same VR, this will work out of the box.

 

Make sure your NAT rules are set to specific zones (trust to untrust, ...) so you don't accidentally NAT inter-LAN connections, and make sure to set your security policies so the connections are allowed.

 

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Dear reaper,

Thank you so much for your prompt reply.  I wanted to give you all my configuration:

 

The management int IP is 10.0.0.2/24 and the default gateway is 10.0.0.1/24 working 

eth1/1 layer 3 IP 121.127.38.251/29 connect to ISP working

eth1/2 layer 3 IP 10.0.0.1/24 connect through Internet_Gateway

vRouter: Internet_Gateway interfaces eth1/1 and 1/2:

Dest: 0.0.0.0/0

Int eth1/1

next hop IP 121.127.38.249 static route working

Zones:

Internet: layer 3 eth1/1

Users: layer 3 eth1/2

Policies security:

bad-application-block: source zone users to dest zone internet

internet-access: source zone users to dest zone internet

NAT:

outband-nat source users dest internet dest interface eth1/1 any any 

source translation: dynamic-ip-and-port ethernet1/1 121.127.38.251/29 working

 

Now I have another LAN that only I need access to, no one else, which has our Windows server that I need to connect to for backup and other RDP / Active Directory work.  The IP address range is 10.10.10.0/24; I configured interface eth1/8 as layer 3 with IP 10.10.10.9/24.

By the way, this 10.10.10.0 network goes through a Cisco router to the internet, which I configured already and is working fine.

 

All I want is for my laptop 10.0.0.9/24 with gateway 10.0.0.1 to reach the server on 10.10.10.0; the server is 10.10.10.2.

 

I tried a few things but it is still not working. Kindly help me and send me documents so I can configure it myself.

 

By the way I already passed the PA ACE certificate.

 

Thank you so much


Dear Reaper,

When I click on the link for U-Turn NAT it is giving me an error that I do not have permission to open it.


@reaper wrote:

Hi

 

please try configuring U-Turn NAT: How to Configure U-Turn NAT


 

Hi Ross

 

ok I see, the server on 10.10.10.0/24 does _not_ have a route back to the firewall

In that case, you will need to treat your server network as if it is 'the internet' and perform source NAT

 

from 'users' to 'servers' sourcenat 10.10.10.9

this will allow your servers to reply to your connections without needing a static route in their own routing table (route add 10.0.0.0 mask 255.255.255.0 10.10.10.2 -p)

you'll need to add a security policy so only 10.0.0.9 is allowed to connect to 10.10.10.0/24 (or the individual IPs of the servers)

 

 

here's another link to that article: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEiCAK (your issue does not require U-turn)

 

 

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
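An added example, not code from the thread or from Palo Alto Networks: a small Python model of the two situations reaper describes, the hairpin path in the original question (SYN through the PA-200, SYN-ACK straight from the router to the client) and, with the same helpers, a server whose gateway has no route back to the firewall. It shows why a stateful firewall that sees only one direction of a TCP flow cannot keep the session, and why source NAT to the firewall's own interface address (192.168.1.1, or 10.10.10.9 in Ross's case) makes the return traffic symmetric. Node names and the router's inside address 192.168.2.254 are assumptions.

```python
import ipaddress

# Constructed from the original question: the PA-200 LAN interface (192.168.1.1) and the
# router to 192.168.2.0/24 (192.168.1.254) share one segment, so the router can reach
# 192.168.1.100 directly. The router's inside address 192.168.2.254 is an assumption.
LAB = {
    "host-1.100": {"addrs": ["192.168.1.100/24"], "routes": {"0.0.0.0/0": "192.168.1.1"}},
    "pa-200": {"addrs": ["192.168.1.1/24"], "routes": {"192.168.2.0/24": "192.168.1.254"}, "firewall": True},
    "router": {"addrs": ["192.168.1.254/24", "192.168.2.254/24"], "routes": {}},
    "host-2.100": {"addrs": ["192.168.2.100/24"], "routes": {"0.0.0.0/0": "192.168.2.254"}},
}

def owner(nodes, ip):
    """Name of the node that holds address ip, or None if nobody does."""
    ip = ipaddress.ip_address(ip)
    for name, node in nodes.items():
        if any(ipaddress.ip_interface(a).ip == ip for a in node["addrs"]):
            return name
    return None

def next_hop(nodes, node, dst):
    """Directly connected destinations win; otherwise longest-prefix match over static routes."""
    dst = ipaddress.ip_address(dst)
    if any(dst in ipaddress.ip_interface(a).network for a in nodes[node]["addrs"]):
        return str(dst)
    hits = [(ipaddress.ip_network(p), gw) for p, gw in nodes[node]["routes"].items()]
    hits = [(net, gw) for net, gw in hits if dst in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def path_of(nodes, src, dst):
    """Hop-by-hop list of node names from src to dst; ends in 'blackhole' if no route exists or the path loops."""
    node, path = owner(nodes, src), []
    while node is not None and node not in path:
        path.append(node)
        if node == owner(nodes, dst):
            return path
        hop = next_hop(nodes, node, dst)
        node = owner(nodes, hop) if hop else None
    return path + ["blackhole"]

def handshake(nodes, client, server, snat=None):
    """Return (forward_path, reverse_path, ok). ok is True only when the stateful firewall
    sees both directions of the flow (or neither): a SYN-ACK it never saw breaks the session."""
    fwd = path_of(nodes, client, server)
    rev = path_of(nodes, server, snat or client)       # with source NAT the server answers the firewall
    if snat and "blackhole" not in rev:
        rev += path_of(nodes, snat, client)[1:]         # firewall un-NATs and delivers to the real client
    through_fw = lambda p: any(nodes.get(n, {}).get("firewall") for n in p)
    return fwd, rev, "blackhole" not in rev and through_fw(fwd) == through_fw(rev)
```

Call `handshake(LAB, "192.168.1.100", "192.168.2.100")` to see the reverse path skip the PA-200, then pass `snat="192.168.1.1"` to see it return through the firewall.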

dear reaper,

Thank you so much for staying with me to help me with this.  The link to the article points me to "How to configure U-Turn NAT"; however, you also stated that I do not need U-Turn, so I just want to make sure this is the correct article.

hi @rossghanim

 

This article relates to the question asked by adiazm

 

Your issue is different and requires regular source NAT

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Thank you so much Reaper
