Route to ISP connected to other VR


L1 Bithead

Hi all. I have this situation:

- router VR1 has LAN network 10.0.0.0/16 (zone LAN1) and ISP network X.X.X.128/27 (zone WAN)
- router VR2 has LAN network 10.0.0.0/8 (zone LAN2)
- Users in both LAN segments need to access the internet

I made a static route from VR2 to VR1 like this:

- name: default
- destination: 0.0.0.0/0
- next hop: type = next-vr, value = VR1

A NAT policy:

- Source Zone: LAN2
- Dest. zone: WAN
- Dest. interface: any
- Source Address: 10.0.0.0/8
- Dest. Address: any
- Translation type: Dynamic IP
- Translated Address: X.X.X.138/27

And a Security rule:

- Source Zone: LAN2
- Dest. zone: WAN
- Action: Allow

Both security and NAT rules have matches, but traffic to the internet from LAN2 does not pass.

DNS queries end with reason "aged-out" and no DNS resolving is done.

TCP connections end with reason "incomplete", so I suppose that return packets do not make it to VR2, but I cannot figure out how to accomplish that.

Any help would be appreciated.

Thank you.

 

Accepted Solution

I give up on this because I found that there is no way to achieve it with our model (PA820) without wasting two physical ports. The PA820 lacks multiple VSys and the "External" zone. In our case, using two physical ports connected with a cable makes it possible to route traffic from VR2 to VR1 and apply NAT on egress from VR2. That in turn allows sharing the internet connection of VR1 with VR2 users, even when there is overlapping user address space on both routers.

3 REPLIES

L3 Networker

Hello,

From router VR1 to VR2 a static route entry should be created as "10.0.0.0/8 next-hop next-vr VR2".

UP

Well, but if I make a static route for 10.0.0.0/8 to VR2, it will work only for IPs from 10.1.0.0 to 10.255.255.255, because the 10.0.0.0 - 10.0.255.255 range is directly connected to VR1. Your solution would work perfectly if there were no overlapping subnets. But overlapping is the main reason to add VR2 in the first place.
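The objection above can be checked with a small longest-prefix-match model of the two virtual routers. This is an added example, not code from the thread or from PAN-OS: it models only route lookup and next-vr hops (no NAT, no session table), and it substitutes the documentation range 203.0.113.128/27 for the ISP block written as X.X.X.128/27 in the post, with 203.0.113.129 assumed as the ISP gateway. It shows that after adding the suggested "10.0.0.0/8 next-vr VR2" route to VR1, a VR2 host in 10.0.0.0/16 still resolves to VR1's directly connected LAN1, while a host in 10.1.0.0/16 does hop into VR2.

```python
"""Longest-prefix-match model of the two-VR setup discussed in the thread.

Constructed example. 203.0.113.128/27 stands in for the post's X.X.X.128/27
and 203.0.113.129 is an assumed ISP gateway; neither comes from the thread.
"""
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# A VR is a list of (prefix, next_hop). next_hop is "connected:<zone>" for a
# directly connected network, "next-vr:<name>" for an inter-VR hop, or an
# IP address string for an ordinary next hop.
VR1 = [
    (ip_network("10.0.0.0/16"), "connected:LAN1"),
    (ip_network("203.0.113.128/27"), "connected:WAN"),
    (ip_network("0.0.0.0/0"), "203.0.113.129"),  # assumed ISP gateway
]
VR2 = [
    (ip_network("10.0.0.0/8"), "connected:LAN2"),
    (ip_network("0.0.0.0/0"), "next-vr:VR1"),    # the OP's default route
]
TABLES = {"VR1": VR1, "VR2": VR2}

# The reply's suggestion: a return route in VR1 pointing 10.0.0.0/8 at VR2.
RETURN_ROUTE = (ip_network("10.0.0.0/8"), "next-vr:VR2")
TABLES_WITH_RETURN = {"VR1": VR1 + [RETURN_ROUTE], "VR2": VR2}


def lookup(table, dst):
    """Return (prefix, next_hop) with the longest prefix containing dst, or None."""
    best = None
    for prefix, nh in table:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, nh)
    return best


def forward(tables, vr_name, dst, max_hops=4):
    """Follow next-vr hops until the packet leaves via a connected network or
    an IP next hop. Returns the list of (vr, prefix, next_hop) decisions."""
    dst = ip_address(dst)
    path = []
    for _ in range(max_hops):
        hit = lookup(tables[vr_name], dst)
        if hit is None:
            path.append((vr_name, None, "drop: no route"))
            return path
        prefix, nh = hit
        path.append((vr_name, str(prefix), nh))
        if not nh.startswith("next-vr:"):
            return path
        vr_name = nh.split(":", 1)[1]
    path.append((vr_name, None, "drop: hop limit"))
    return path


def shadowing_prefixes(table, route_prefix):
    """Prefixes in table that are more specific than route_prefix and lie
    inside it. Destinations in them never use route_prefix's next hop."""
    return [str(p) for p, _ in table if p != route_prefix and p.subnet_of(route_prefix)]


if __name__ == "__main__":
    print("LAN2 -> internet:", forward(TABLES, "VR2", "198.51.100.10"))
    print("VR1 -> 10.1.0.1 :", forward(TABLES_WITH_RETURN, "VR1", "10.1.0.1"))
    print("VR1 -> 10.0.5.1 :", forward(TABLES_WITH_RETURN, "VR1", "10.0.5.1"))
    print("shadowed by     :", shadowing_prefixes(TABLES_WITH_RETURN["VR1"], RETURN_ROUTE[0]))
```

Running it shows the outbound path VR2 -> VR1 -> ISP gateway working, while from VR1 only destinations outside 10.0.0.0/16 are handed to VR2; the connected /16 in VR1 shadows that slice of the /8 route, which is the overlap the post describes.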

