Static Route to directly connected Subnet

Hi All, I am working on a project where the firewall (PA-3020) is connected to a DMZ via its sub-interface.

I have two physical copper interfaces in an aggregated group AE2 with LACP enabled, and then multiple sub-interfaces under that. The DMZ sub-interface (ae2.4010) has a subnet of 192.168.66.0/24; however, I am unable to reach the backend servers on the same subnet unless I add a null static route in the virtual router, i.e. 192.168.66.0/24 --> Interface: ae2.4010 --> Next Hop: None.

That's quite unusual, because all the other sub-interfaces have no issues, and I don't need to add any null routes to the VR. Does anybody have any clue what the problem might be in this instance?

Thank you

5 replies

Is there an IP address in that subnet configured on the sub-interface?

This should create a direct route automatically.

I am assuming the PA is layer 3 for this setup, is that right?

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Hi @pulukas, yes, the firewall sub-interface ae2.4010 has an IP address assigned. That was my expectation based on all the implementations I have done; I never had to add a static route to a subnet to which the firewall is directly connected. The firewall is in full Layer 3. All other sub-interfaces are working just fine and I did not have to add static routes for those.

This is not unusual; this sounds very strange...
Sorry for the question, but are you sure that there is no typo in the IP address of that sub-interface? And did you maybe enter the IP address without a subnet mask, or with the wrong one?
If you have checked these things, what PAN-OS version is installed, and could you maybe share a screenshot of the actual routing table, or at least check there how it looks with and without this stub route?

Hi @Remo,
I did a modification on my sub-interface just now, for testing purposes.
Instead of adding only the IP address object with no mask, I included the subnet mask /24. After that I was able to reach the servers on the same subnet.
It is a weird issue, because the IP address I had configured, although it did not have the mask specified, was part of the same range as all the other backend servers; hence, I assumed it should've worked.
I was running PAN-OS 7.1.7 before fixing the mask, and then upgraded to PAN-OS 7.1.10 because I thought it could be a bug, but I was wrong. Bottom line, it works, but you always have to specify the actual mask on the address object.

Thank you
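The mechanism behind the fix above can be modelled outside the firewall: an interface address entered without a prefix length is a host address (/32), so the only connected route it produces covers that one host and nothing else in the subnet. The following Python script is an added illustration, not code from the thread or from Palo Alto Networks; it derives the connected route an interface address implies, checks whether a destination falls inside it, and audits a small constructed interface table for addresses that carry no mask. The interface names other than ae2.4010 and all addresses are constructed sample values.

```python
import ipaddress
from typing import Dict, List

# Constructed sample config: interface name -> address as typed into the address object.
# ae2.4010 is the DMZ sub-interface from the thread, entered without a mask as the
# original poster did; ae2.4020 is a hypothetical sub-interface with a correct /24.
SAMPLE_INTERFACES: Dict[str, str] = {
    "ae2.4010": "192.168.66.1",      # no prefix length: behaves as a /32 host address
    "ae2.4020": "192.168.67.1/24",   # prefix length given: yields a /24 connected route
}


def connected_route(address: str) -> ipaddress.IPv4Network:
    """Return the connected (directly attached) route an interface address implies.

    ipaddress.ip_interface() treats a bare address as /32, which mirrors what the
    thread observed: the firewall then has no 192.168.66.0/24 connected route and
    cannot reach other hosts on the DMZ without a manually added static route.
    """
    return ipaddress.ip_interface(address).network


def is_directly_reachable(address: str, destination: str) -> bool:
    """True if `destination` lies inside the connected route derived from `address`."""
    return ipaddress.ip_address(destination) in connected_route(address)


def missing_mask(address: str) -> bool:
    """True when the address string carries no explicit prefix length."""
    return "/" not in address


def audit(interfaces: Dict[str, str]) -> List[str]:
    """Flag interface addresses that were entered without a prefix length.

    Each finding names the interface, the address as entered, and the host-only
    connected route it would produce, so an operator can see why peers on the
    intended subnet are unreachable.
    """
    findings: List[str] = []
    for name, addr in interfaces.items():
        if missing_mask(addr):
            findings.append(
                f"{name}: {addr} has no prefix length; "
                f"connected route would be {connected_route(addr)} (single host)"
            )
    return findings


if __name__ == "__main__":
    backend_server = "192.168.66.50"  # constructed sample DMZ host
    for name, addr in SAMPLE_INTERFACES.items():
        print(f"{name}: {addr} -> connected route {connected_route(addr)}")
    print("Before fix:", is_directly_reachable("192.168.66.1", backend_server))
    print("After fix: ", is_directly_reachable("192.168.66.1/24", backend_server))
    for line in audit(SAMPLE_INTERFACES):
        print("FINDING", line)
```

Running it shows that 192.168.66.1 alone yields a 192.168.66.1/32 route under which 192.168.66.50 is unreachable, while 192.168.66.1/24 yields 192.168.66.0/24 and the same host becomes directly reachable; the audit reports only ae2.4010. The same check is worth applying to any exported interface or address-object list, since a mask-less entry reproduces exactly the symptom in this thread.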

I'm surprised the PA does not automatically add the /32 mask to the interface if you plug in just an IP address. This would make the issue more obvious to observe.

Glad you have it figured out.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center