03-10-2011 01:36 PM
I'm having issues with internet access on different subnets. I have attached a diagram of my network. The Server VLAN has Internet access but the rest somehow are not managing; I'm seeing the traffic in the logs but nothing seems to be working.
I have tried various settings but somehow I'm missing it. Does anyone have any thoughts?
03-11-2011 02:55 AM
Are you terminating each VLAN on the Palo Alto box (having the gateway address on the Palo), or do you have a link network between the Palo "internal" interface and the switch?
03-11-2011 03:03 AM
The Palo Alto is connected on port 36 of the Layer 3 switch; that port is on VLAN 100.
Basically all the users have their gateway on the Layer 3 switch. The Layer 3 switch then forwards all requests to 192.168.200.254, which is the interface of the Palo Alto.
Only users on VLAN 100 are managing to access the internet, which is on the same subnet as the PA.
I used to manage on my old firewall through some rules (these were done by some company).
Hope I made myself clear. Cheers
03-11-2011 04:03 AM
OK, great. So what do you see in the log files from the networks that don't work? Is it possible to post an output from the log?
I take it you have checked your routing and it's correct?
A Palo route example:
Route_internal 192.168.203.0/24 gateway 192.168.200.1 (.1 being the switch)
03-11-2011 09:44 AM
There could be a couple of reasons for this, depending on how your PAN is set up.
(these are not necessarily in any order)
1) Do you have the appropriate user subnets listed in the correct security zones?
2) Are the correct security zones applied to the correct interfaces?
3) Do you have multiple virtual routers or just one?
4) If only one virtual router, you should have the static routes defining each of the user VLANs AND have the gateway of those networks point to the L3 switch.
5) NAT rules?
The way I built our PAN config is similar to our Checkpoint configs. We start out with creating network objects of all the networks that we support. Then create logical groups with those networks. Then apply the groups to the right security zones. Use the logical groups for NAT rules as well.
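As an added example (not the poster's configuration and not a PAN-OS export), here is a small Python model of the topology in this thread that runs checks 4 and 5 above: whether the virtual router has a return route for each user VLAN pointing at the L3 switch, and whether a trust-to-untrust source NAT rule covers that VLAN. The interface names, zone names, public addresses and the three user VLANs are assumptions.

```python
from ipaddress import ip_address, ip_interface, ip_network
# Constructed model of the thread's topology (assumed names, not a PAN-OS export): PA
# inside interface 192.168.200.254 in zone "trust", L3 switch at 192.168.200.1 (as in
# the Route_internal example above), user VLANs behind the switch.
INSIDE_IF = {"name": "ethernet1/2", "ip": ip_interface("192.168.200.254/24"), "zone": "trust"}
OUTSIDE_IF = {"name": "ethernet1/1", "ip": ip_interface("203.0.113.2/30"), "zone": "untrust"}
IFACES = (INSIDE_IF, OUTSIDE_IF)
USER_VLANS = [ip_network(n) for n in ("192.168.201.0/24", "192.168.202.0/24", "192.168.203.0/24")]
# Virtual-router static routes as (destination, next hop). The broken set has a return
# route for only one VLAN and a NAT rule covering only the PA's own subnet.
ROUTES_BROKEN = [(ip_network("0.0.0.0/0"), ip_address("203.0.113.1")),
                 (ip_network("192.168.203.0/24"), ip_address("192.168.200.1"))]
NAT_BROKEN = [{"from": "trust", "to": "untrust", "src": ip_network("192.168.200.0/24")}]
# Corrected set: one route per user VLAN via the switch, NAT source widened to cover them.
ROUTES_FIXED = [ROUTES_BROKEN[0]] + [(v, ip_address("192.168.200.1")) for v in USER_VLANS]
NAT_FIXED = [{"from": "trust", "to": "untrust", "src": ip_network("192.168.200.0/22")}]

def egress(routes, dst, ifaces=IFACES):
    """Longest-prefix match over connected networks and static routes; a static route
    counts only if its next hop is on a connected network. Returns the egress
    interface dict, or None when dst is unreachable."""
    best, best_len = None, -1
    for iface in ifaces:
        net = iface["ip"].network
        if dst in net and net.prefixlen > best_len:
            best, best_len = iface, net.prefixlen
    for dest, nh in routes:
        if dst in dest and dest.prefixlen > best_len:
            for iface in ifaces:
                if nh in iface["ip"].network:
                    best, best_len = iface, dest.prefixlen
    return best

def audit(vlans, routes, nat_rules):
    """Run checks 4 and 5 from the post for each user VLAN: replies to its hosts must
    route back out the inside zone (via the switch), and a trust->untrust NAT rule
    must cover it. Returns a list of problem strings (empty when the config is clean)."""
    problems = []
    for vlan in vlans:
        back = egress(routes, vlan[10])  # any host address in the VLAN will do
        if back is None or back["zone"] != INSIDE_IF["zone"]:
            problems.append(f"{vlan}: no return route via {INSIDE_IF['zone']}; replies "
                            f"would go to {back['zone'] if back else 'nowhere'}")
        if not any(r["from"] == INSIDE_IF["zone"] and r["to"] == OUTSIDE_IF["zone"]
                   and vlan.subnet_of(r["src"]) for r in nat_rules):
            problems.append(f"{vlan}: not covered by any trust->untrust source NAT rule")
    return problems
if __name__ == "__main__":
    print("broken:", *audit(USER_VLANS, ROUTES_BROKEN, NAT_BROKEN), sep="\n  ")
    print("fixed:", audit(USER_VLANS, ROUTES_FIXED, NAT_FIXED))
```

With the broken set, replies to the two VLANs without a static route match only the default route and would leave through the untrust zone, which is the kind of failure that shows up in the traffic log without any traffic actually working.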