06-14-2010 02:25 PM
Hi Guys,
I have an issue.
I have a PAN-500, I am using 3 interfaces: et1/4 is L3-Untrust, et1/3 is L3-Trust and et1/2 is L3-Trust.
ET1/4 has the public IP.
ET1/3 = 192.168.0.254/22
ET1/2 has 8 subinterfaces; each subinterface has its own IP addressing and belongs to a different VLAN.
et1/2.1 192.168.9.0/26 TAG 30
et1/2.2 192.168.9.64/26 TAG 31
et1/2.3 192.168.4.0/28 TAG 40
et1/2.4 192.168.4.16/28 TAG 41
et1/2.5 192.168.5.0/27 TAG 50
et1/2.6 192.168.6.0/27 TAG 60
et1/2.7 192.168.7.0/26 TAG 70
et1/2.8 192.168.8.0/28 TAG 80
The Virtual Router is as follows:
The problem here is that users on VLANs are unable to communicate with the network 192.168.0.0/22.
What can I do in order to solve this issue?
Thanks in advance.
06-15-2010 03:51 PM
Hello,
Both interfaces, ethernet 2 and ethernet 3, are in the same zone and we do allow intra zone traffic. So the traffic should be allowed UNLESS you have a deny all rule in your policies. If you have the deny all rule then that includes intra zone traffic.
Try creating a Trust to Trust rule to allow the traffic and move it to the top of your rule set. If your traffic starts flowing then this was probably the issue.
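Added example, not part of the thread and not Palo Alto code: a simplified Python model of top-down, first-match policy evaluation, showing why a deny-all rule catches same-zone traffic and why the position of the Trust to Trust rule matters. The rule names and rulebases are constructed; the cross-zone default deny is an assumption of the model.

```python
# Simplified model of first-match security policy evaluation.
# Rule names and rulebases are constructed for illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str  # zone name, or "any"
    dst_zone: str  # zone name, or "any"
    action: str    # "allow" or "deny"

def evaluate(rules, src_zone, dst_zone):
    """Return (rule name, action) of the first matching rule, top-down.

    With no explicit match, fall back to the implicit behaviour: same-zone
    traffic is allowed (as the reply states); cross-zone traffic is denied
    (assumed default for this model).
    """
    for rule in rules:
        if rule.src_zone in ("any", src_zone) and rule.dst_zone in ("any", dst_zone):
            return rule.name, rule.action
    if src_zone == dst_zone:
        return "implicit-intrazone", "allow"
    return "implicit-interzone", "deny"

OUTBOUND = Rule("trust-to-untrust", "L3-Trust", "L3-Untrust", "allow")
DENY_ALL = Rule("deny-all", "any", "any", "deny")
TRUST_TO_TRUST = Rule("trust-to-trust", "L3-Trust", "L3-Trust", "allow")

RULEBASES = {
    "no deny-all": [OUTBOUND],
    "deny-all at bottom": [OUTBOUND, DENY_ALL],
    "trust-to-trust on top": [TRUST_TO_TRUST, OUTBOUND, DENY_ALL],
    "trust-to-trust below deny-all": [OUTBOUND, DENY_ALL, TRUST_TO_TRUST],
}

def intrazone_verdicts():
    """Verdict for traffic between two interfaces that share L3-Trust."""
    return {label: evaluate(rules, "L3-Trust", "L3-Trust")
            for label, rules in RULEBASES.items()}

if __name__ == "__main__":
    for label, (rule, action) in intrazone_verdicts().items():
        print(f"{label:32} -> {action:5} (matched {rule})")
```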
06-16-2010 12:31 PM
I have created a Trust to Trust rule, allowing all traffic. I have just moved it to the top, but I am unable to communicate from VLAN users to Network 192.168.0.0/22, and vice versa.
Is there anything else that I should do?
Thanks in advance.
06-16-2010 12:40 PM
Are you sure that the traffic is being routed to the Palo Alto device?
Are there sessions in the Palo Alto device when you try to communicate with users in the 192.168.0.0/22 subnet?
There are numerous issues that could cause this; at this point it will probably be easier to call into support to aid you in troubleshooting this.
Thank you,
Stephen
06-16-2010 01:45 PM
Hello Stephen,
The traffic is being routed to the PAN-500.
In fact, the PAN-500 is the default gateway for all the VLANs and the Network 192.168.0.0/22.
I am able to see the traffic from Trust to Untrust, and from Trust to Trust.
Users in VLANs can access Internet.
Thanks in advance.
JM Barrera
06-16-2010 01:53 PM
Do you have sessions where the destination address is within this subnet: 192.168.0.0/22?
If so, are the sessions allowed?
Is the device that you are trying to reach in the 192.168.0.0/22 network able to ping the interface on the Palo Alto device?
Can you call into support so that we can take a look?