Route to ISP connected to other VR

Reply
Highlighted
L1 Bithead

Route to ISP connected to other VR

Hi all. I have the this situation:

- router VR1 has LAN network 10.0.0.0/16 (zone LAN1) and ISP network X.X.X.128/27 (Zone WAN)

- router VR2 has LAN network and 10.0.0.0/8 (zone LAN2)

- Users in both LAN segments need to access internet

 

I made a static route from VR2 to VR1 like this:

- name: default

- destination: 0.0.0.0/0

- next hop: type = next-vr, value = VR1

 

A NAT policy:

- Source Zone: LAN2

- Dest. zone: WAN

- Dest. interface: any

- Source Address: 10.0.0.0/8

- Dest. Address: any

- Translation type: Dynamic IP

- Translated Address: X.X.X.138/27

 

And a Security rule:

- Source Zone LAN2

- Dest. zone: WAN

- Action: Allow

 

Both security and NAT rules have matches, but traffic to internet from LAN2 does not pass.

DNS queries end with reason "aged-out" and no DNS resolving is made.

TCP connections end with reason "incompete", so I suppose that return packets does not make it to the VR2, but can not figure out how to accomplish that.

 

Any help would be appreciated.

Thank you.

 


Accepted Solutions
Highlighted
L1 Bithead

Re: Route to ISP connected to other VR

I give up on this because I found that there is no way to achieve it with our model (PA820) without wasting two physical ports. PA820 lacks multiple VSys and "External" zone. In our case, using two physical ports connected with a cable makes it possible to route traffic from VR2 to VR1 and apply NAT on egress from VR2. That in turn allows sharing internet connection of VR1 with VR2 users, even when there are overlapping user space on both routers.

View solution in original post


All Replies
Highlighted
L2 Linker

Re: Route to ISP connected to other VR

Hello,

 

 From router VR1 ro VR2 a static route entry should be created for as "10.0.0.0/8 next-hop next VR2"

UP
Highlighted
L1 Bithead

Re: Route to ISP connected to other VR

Well, but if i make static route for 10.0.0.0/8 to VR2, it will work only for IPs from 10.1.0.0 to 10.255.255.255 because the 10.0.0.0 - 10.0.255.255 range is directly connected to VR1. Your solution would work perfect if there where no overlapping subnets. But overlapping is the main reason to add VR2 in first place.

Highlighted
L1 Bithead

Re: Route to ISP connected to other VR

I give up on this because I found that there is no way to achieve it with our model (PA820) without wasting two physical ports. PA820 lacks multiple VSys and "External" zone. In our case, using two physical ports connected with a cable makes it possible to route traffic from VR2 to VR1 and apply NAT on egress from VR2. That in turn allows sharing internet connection of VR1 with VR2 users, even when there are overlapping user space on both routers.

View solution in original post

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!