04-28-2016 07:19 AM
I have this scenario:
My PA-200 have 2 interfaces: one connected to the Internet Zone, another to the LAN Zone. The LAN interface has 192.168.1.1/24 as its IP address. I have another LAN connected through a router with 192.168.1.254 IP address.
In the PA-200, in the default-router I added the route for 192.168.2.0/24 with gateway 192.168.1.254.
Ping works, traceroute too. But when I try remote desktop, HTTP, telnet (or any TCP) from 192.168.1.100 to 192.168.2.100 (or vice versa), I cannot connect and get a "time out" message.
Both 192.168.1.0/24 and 192.168.2.0/24 are in the same zone. What is the cause that I cannot make TCP connections between these 2 LANs?
I am using PANOS 7.0.3
Best Regards to everyone.
04-28-2016 10:08 AM
Asymmetric routing. I think the traffic's SYN is going through the PA and the SYN-ACK is coming directly to the device, and then the ACK is going to the PA and the PA is dropping it.
As a workaround, do a source NAT of the traffic to 1.1 for traffic coming from 1.100 going to 2.100.
04-28-2016 10:17 AM
Thanks Pankaj...
Is it (https://live.paloaltonetworks.com/t5/Configuration-Articles/SYN-ACK-Issues-with-Asymmetric-Routing/t... related?
Best Regards!
04-28-2016 04:16 PM
Yes but instead of that you can try the workaround suggested by me.
04-29-2016 03:17 AM
Hi
please try configuring U-Turn NAT: How to Configure U-Turn NAT
04-29-2016 11:09 AM
Apart from NAT, if possible, you can have static persistent routes on the hosts in 192.168.1.0/24 segment to route traffic for 192.168.2.0/24 via the router 192.168.1.254.
I am not sure of the purpose of the router but can you also move the router and the segment 192.168.2.0/24 as a new zone on PA-200.
Though technically possible, the firewall should not send traffic back from the same interface where it is received from.
01-01-2019 10:17 PM
Dear Reaper and Sly_Cooper,
I have a similar issue. I have two LANs; LAN 1's IP is 10.0.0.0/24, which is going to the internet, and it is working fine to the internet. The interfaces are eth1/1 as the WAN and eth1/2 as the LAN; the gateway is 10.0.0.1/24. From my laptop with IP 10.0.0.69/24, internet is working. From my laptop I need to connect to the other LAN. The other LAN is connected to eth1/8 with IP 10.10.10.9/24; this LAN's gateway is 10.10.10.1/24. I am using two cables: one goes to 10.0.0.0 and the other cable goes to 10.10.10.0. But I want to be able to connect to 10.10.10.0/24 without having to change the cable every time. How can I create a local vrouter to connect these two LANs together?
Thank you so much
01-02-2019 03:03 AM - edited 01-02-2019 03:06 AM
Hi @rossghanim
How have you configured your firewall? If you added all interfaces to the same VR, this will work out-of-the-box.
Make sure your NAT rules are set to specific zones (trust to untrust, ...) so you don't accidentally NAT inter-LAN connections, and make sure to set your security policies so the connections are allowed.
01-02-2019 09:57 PM
Dear reaper,
Thank you so much for your prompt reply. I wanted to give you all my configuration:
The management int IP is 10.0.0.2/24 and the default gateway is 10.0.0.1/24 working
eth1/1 layer 3 IP 121.127.38.251/29 connect to ISP working
eth1/2 layer 3 IP 10.0.0.1/24 connect through Internet_Gateway
vRouter: Internet_Gateway interfaces eth1/1 and 1/2:
Dest: 0.0.0.0/0
Int eth1/1
next hop IP 121.127.38.249 static route working
Zones:
Internet: layer 3 eth1/1
Users: layer 3 eth1/2
Policies security:
bad-application-block: source zone users to dest zone internet
internet-access: source zone users to dest zone internet
NAT:
outband-nat source users dest internet dest interface eth1/1 any any
source translation: dynamic-ip-and-port ethernet1/1 121.127.38.251/29 working
Now I have another LAN that only I need access to, no one else, which has our Windows server that I need to connect to for backups, RDP and other Active Directory tasks. The IP address is 10.10.10.0/24. I configured interface eth1/8 as layer3 with IP: 10.10.10.9/24
By the way, this 10.10.10.0 network is going through a Cisco router to the internet, which I configured already and is working fine.
All I want is for my laptop 10.0.0.9/24 with gateway 10.0.0.1 to reach the server at 10.10.10.0; the server is 10.10.10.2
I tried a few things but it is still not working. Kindly help me and send me documents where I can configure it myself.
By the way I already passed the PA ACE certificate.
Thank you so much
01-02-2019 09:59 PM
Dear Reaper,
When I click on the link for U-Turn NAT it is giving me an error that I do not have permission to open it.
@reaper wrote: Hi, please try configuring U-Turn NAT: How to Configure U-Turn NAT
01-03-2019 01:21 AM
Hi Ross
ok I see, the server on 10.10.10.0/24 does _not_ have a route back to the firewall
In that case, you will need to treat your server network as if it is 'the internet' and perform source NAT
from 'users' to 'servers' sourcenat 10.10.10.9
this will allow your servers to reply to your connections without needing a static route in their own routing table (route add 10.0.0.0 mask 255.255.255.0 10.10.10.2 -p)
you'll need to add a security policy so only 10.0.0.9 is allowed to connect to 10.10.10.0/24 (or the individual IPs of the servers)
here's another link to that article: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEiCAK (your issue does not require U-turn)
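To illustrate why the TCP handshake fails in both scenarios in this thread (the SYN-ACK never traverses the firewall, so the client's ACK arrives for a session the firewall has not seen complete) and why source NAT to the firewall's own interface address fixes it, here is an added toy model of a stateful session table. It is example code written for this thread, not PAN-OS code or the poster's configuration; the addresses are the ones from the 2016 question (192.168.1.1, 192.168.1.100, 192.168.2.100) and the same logic applies to the 2019 case with 10.0.0.9, 10.10.10.9 and 10.10.10.2.

```python
# Toy model of a stateful firewall in front of an asymmetric path.
# Topology from the thread: client and firewall share 192.168.1.0/24, the
# router 192.168.1.254 fronts 192.168.2.0/24, and the router delivers replies
# for 192.168.1.0/24 directly to the host, bypassing the firewall.
FW_LAN_IP = "192.168.1.1"   # PA-200 LAN interface (from the thread)
CLIENT = "192.168.1.100"
SERVER = "192.168.2.100"


class StatefulFirewall:
    """A session opens on SYN, must see the SYN-ACK next, and any packet that
    does not fit the recorded state (e.g. an ACK for a half-open session)
    is dropped, as a stateful firewall does on an asymmetric path."""

    def __init__(self, snat_ip=None):
        self.snat_ip = snat_ip      # source NAT address for client->server, or None
        self.sessions = {}          # (client, server) -> handshake state
        self.dropped = []

    def forward(self, src, dst, flags):
        """Return the packet as sent onward (src, dst, flags), or None if dropped."""
        if flags == "SYN":
            self.sessions[(src, dst)] = "SYN_SENT"
            return (self.snat_ip or src, dst, flags)
        if flags == "SYN-ACK":
            # Reply direction: find the half-open session for this server and
            # translate the destination back to the real client.
            for (client, server), state in self.sessions.items():
                if server == src and state == "SYN_SENT":
                    self.sessions[(client, server)] = "SYN_RECEIVED"
                    return (src, client, flags)
        if flags == "ACK" and self.sessions.get((src, dst)) == "SYN_RECEIVED":
            self.sessions[(src, dst)] = "ESTABLISHED"
            return (self.snat_ip or src, dst, flags)
        self.dropped.append((src, dst, flags))
        return None


def run_handshake(fw):
    """Drive SYN, SYN-ACK and ACK through the topology and report the result."""
    syn = fw.forward(CLIENT, SERVER, "SYN")
    reply_dst = syn[0]              # the server answers whoever the SYN came from
    if reply_dst == FW_LAN_IP:
        fw.forward(SERVER, reply_dst, "SYN-ACK")   # only NATed replies hit the firewall
    # Otherwise the router hands the SYN-ACK straight to CLIENT; the firewall never sees it.
    ack = fw.forward(CLIENT, SERVER, "ACK")        # client's default gateway is the firewall
    return "ESTABLISHED" if ack else "ACK DROPPED (asymmetric path)"


if __name__ == "__main__":
    print("no NAT:     ", run_handshake(StatefulFirewall()))
    print("source NAT: ", run_handshake(StatefulFirewall(snat_ip=FW_LAN_IP)))
```

Ping survives in the real setup because ICMP echo has no handshake state to violate, which is why "ping works but TCP times out" is the classic symptom of this problem.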
01-03-2019 01:37 AM
dear reaper,
Thank you so much for staying with me to help me with this. The link to the article points me to "How to configure U-Turn NAT"; however, you also stated that I do not need U-Turn, so I just want to make sure this is the correct article.
01-03-2019 01:43 AM
hi @rossghanim
This article relates to the question asked by adiazm
Your issue is different and requires regular source NAT
01-04-2019 10:14 PM
Thank you so much Reaper