I put a squid proxy in the DMZ zone with address 192.168.1.2
it is connected to the PAN - 192.168.1.1
and I trust zone to the untrust lan and another to the internet
and I can not ping the proxy from the lan
interface pan to lan 10.155.10.10
my ip address 10.155.10.11
i dont know the route that i would make it
Please correct me if I am drawing the wrong topology
Proxy (220.127.116.11)------DMZ-----(192.168.1.1) PAN ( 10.155.10.10) -------LAN-------(10.155.10.11) Client
I am expecting there is no nat configured in between and the Client has a Gateway as 10.155.10.10 i.e. PAN's trust interface
You need to check the following:
1) There should be security policy allowing the connection to go through from LAN to DMZ
2) Check if you can ping the gateway (i.e. LAN interface) from the client
3) Check if you can ping the proxy server from the PAN, use the following command on CLI:
PAN> ping source 192.168.1.1 host 18.104.22.168
4) If you are note getting any response, you should check the gateway or route on the proxy server, you can also try to ping 192.168.1.1 from the proxy server
5) Check the arp entries on both the interface
PAN> show arp ethernet1/x
Let us know the results.
Some additional comments on previous points:
1) As a test (if possible) you could setup a security rule that acts just on src/dstzone such as:
and then (when you identified what was incorrect and fixed it) limit it down to correct appid/serviceport.
2) If the LAN interface is on the PAN you need to setup a management profile aswell that will allow the LAN interface to be pinged at.
3) I think the following will work better 😉
ping source 192.168.1.1 host 192.168.1.2
4) In my experience this is quite common (given the symptomes presented).
Verify that the client have the LAN-interface of the PAN as defgw (10.155.10.10) and also that the proxy have the DMZ-interface of the PAN as defgw (192.168.1.1). Also verify again that you have correct ip-addresses AND netmasks on both proxy and client (so it doesnt say 22.214.171.124 instead of 192.168.1.2 or such).
Easiest is to just run "netstat -rn" to see current routing table.
Since both proxy and client are "directly attached" you wont need additional routing rules in the PAN box. However if you have linknets then you would need to add additional routes in "virtual router" in the PAN.
5) Also check the arp entries on the proxy and client itself such as "arp -a" or "arp -an".
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!