11-22-2017 11:47 PM
Hi, So im having difficult with a source nat to Internet.. My goal is to route traffic between two vlans in my cisco 2960x switch and let palo handle the rest.. The problem is that the source net arrives to the palo on the wrong interface (well its expected..)
i have zone already configuerd in the palo fw with zones, interface. Ive created a access rule from zone1, with source net 10.20.31.0 and i see in the log that the traffic allows from zone1 with source net 10.20.31.0.. But the NAT rule i cant get to work.. need help 🙂
palo
zone1: 10.20.30.0
zone2: 10.20.31.0
2960x
vlan1: 10.20.30.0
vlan2:10.20.31.0
vlan1-2 routes in cisco 2960x
default route to 10.20.30.2 (palo)
11-23-2017 04:43 AM
If you have no need to control traffic between the zone 1 and zone 2, I see no reason to create the two interfaces and zones on the PA.
From what you describe I assume that the single default route of your switch along with local routing is having all the traffic from both subnets arrrive on the PA via your "zone 1" interface.
You can simply treat both subnets as the same zone and have a route on the PA that pushes the second subnet out the existing "zone 1" interface and delete the zone 2 interface entirely.
Any special treatment of the two subnets could be handled by security policies based simply on the subnet in the same zone just as easily for the external internet access.
11-23-2017 01:23 AM
Can you provide some more details,. like for example what you mean with 'wrong interface' as this is not clear from your explanation
Did you create 2 subinterfaces, each with their own zone/vlan tag?
If you want to route between the 2 vlans adn perform NAT it's probably better to have the firewall perform routing while also taking care of NAT
11-23-2017 04:43 AM
If you have no need to control traffic between the zone 1 and zone 2, I see no reason to create the two interfaces and zones on the PA.
From what you describe I assume that the single default route of your switch along with local routing is having all the traffic from both subnets arrrive on the PA via your "zone 1" interface.
You can simply treat both subnets as the same zone and have a route on the PA that pushes the second subnet out the existing "zone 1" interface and delete the zone 2 interface entirely.
Any special treatment of the two subnets could be handled by security policies based simply on the subnet in the same zone just as easily for the external internet access.
11-23-2017 04:51 AM
palo config (updated)
zone1: 10.20.30.0 subinterface attached with own zone, vlan tag
zone2: 10.20.31.0 subinterface attached with own zone, vlan tag
what i mean with wrong interface is that 10.20.31.0 client traffic hits the "zone1" zone (zone1, source address 10.20.31.0) in the fw because the default route in the switch is 10.20.30.4.. i want the switch to handle routing to have high Throughput. So im struggeling with the NAT.
How should a nat be created for this?
Is it possible to do this, with diffrent zones ?
Or do i need to put both subnet in one zone? (this works, but then i need to change all access rules to check source network 10.20.31 or 10.20.30 to control the traffic.)
Is this good solution? 🙂
11-23-2017 05:04 AM
thanks for the input puklukas, i belive it is better to treat both subnets as the same zone after some testing today. if i trust the traffic in the switch i can trust it in PA and set security rules on the source address. I will test some more.. But for the NAT is it even possible for the PA to handle this? (If a seperate the two subnets to diffrent zones)
11-25-2017 08:12 AM
You pretty much have to have these two interfaces in the same zone. As you note, there is only one default route on the switch so all the traffic out will use that interface to the PA regardless of which subnet the computers are in.
You can then create two nat rules if you want the two subnets to nat to different addresses and that can easily be in the same zone.
I guess I am not understanding which configuration you are having problems making specific that cannot be done with the two subnets and interfaces in the same zone. Can you post an example?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
