1. I have 2 physical interfaces on which I have configured multiple sub-interfaces.
Say, for example, eth1/7 - eth1/7.1, eth1/7.2, eth1/7.3
eth1/8 - eth1/8.20, eth1/8.21, eth1/8.22.
Both my physical and sub-interfaces are in the same zone, say the trust zone.
Now I have an urgent requirement and I cannot add a new physical interface, so can I add a new sub-interface on either 1/7 or 1/8, e.g. eth1/7.5 or eth1/8.25, add it to a new zone, and create policies or inbound NAT policies on that interface?
A little confused whether that will work. I would appreciate it if someone can guide me on a few points on this.
I am creating an IPsec tunnel with an AWS CGW, so it asks to create 2 tunnels, and it says to create PBF, NAT (no-NAT) and tunnel monitor. I have created all that, but both phases are still down. Can someone share documents I can refer to for creating a tunnel with an AWS CGW?
Yes, you were right, the phase 1 config was incorrect. I also found something strange: the customer configured Phase 1 at the AWS end as group 5, SHA1 and AES-128-CBC, but the configuration file downloaded from the AWS end shows a different config, which is why we configured different parameters on the PA end.
Now both tunnels are up.
And for the 1st query, I have a question.
Let's say I have eth1/7 with multiple sub-interfaces:
1/7.1, 1/7.2, 1/7.3 - DMZ_1 zone
1/7.4 - DMZ_2 zone
For the DMZ_2 zone my actual traffic is coming from the tunnel - AWS - AWS zone.
Now I need to DNAT that traffic to private pool IPs.
How can I create a DNAT policy for this scenario?
Source Zone - AWS zone
Destination Zone - AWS zone
Source Address - peer subnets
Destination Address - my DMZ sub-interface IP - 10.240.x.x
Destination Interface - tunnel.9
Service - any
Translated IP - private IP - 10.34.x.x
Translated Port - any

Source Zone - AWS zone
Source Address - peer subnets
Destination Zone - DMZ zone
Destination Address - 10.34.x.x
Service - https, http
Action - allow
Will this be correct if my traffic is coming from the AWS tunnel?
Please guide me if I'm wrong in any part.
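As an added illustration (not from this thread or from any reply in it) of the lookup order a DNAT rule and its security rule depend on in PAN-OS: zones are derived from a route lookup on the destination address, the NAT rule matches pre-NAT zones, and the security rule matches the pre-NAT destination address but the post-NAT destination zone. The topology, zone names and all addresses below are constructed sample values, not the poster's real configuration.

```python
# Added example: minimal model of the PAN-OS NAT/security evaluation order so a
# DNAT rule and its security rule can be sanity-checked before a commit.
# Assumption: zones come from a route lookup of the destination IP; NAT rules
# match pre-NAT zones; security rules match pre-NAT addresses but post-NAT zones.
# Constructed topology: tunnel.9 faces AWS, ethernet1/7.4 is the DMZ_2 sub-interface.
from ipaddress import ip_address, ip_network

ROUTES = {
    ip_network("172.16.0.0/16"): ("tunnel.9", "AWS"),          # peer subnets (constructed)
    ip_network("10.240.0.0/24"): ("ethernet1/7.4", "DMZ_2"),   # DMZ_2 sub-interface (constructed)
    ip_network("10.34.0.0/24"): ("ethernet1/7.4", "DMZ_2"),    # private pool behind DMZ_2 (constructed)
}

def zone_for(ip):
    """Longest-prefix route lookup; returns the zone the IP is reached through."""
    addr = ip_address(ip)
    best = max((n for n in ROUTES if addr in n), key=lambda n: n.prefixlen, default=None)
    return ROUTES[best][1] if best else None

# NAT rule: "to" is the PRE-NAT zone, i.e. where 10.240.0.0/24 routes (DMZ_2).
NAT_RULE = {"from": "AWS", "to": "DMZ_2", "dst": ip_network("10.240.0.0/24"),
            "translate_to": "10.34.0.10"}
# Security rule: "to" is the POST-NAT zone, "dst" is the PRE-NAT address.
SEC_RULE = {"from": "AWS", "to": "DMZ_2", "dst": ip_network("10.240.0.0/24"),
            "service": {"http", "https"}}

def evaluate(src_ip, dst_ip, service):
    """Walk one packet through NAT, then security policy; returns (dnat_ip, allowed)."""
    src_zone = zone_for(src_ip)
    pre_nat_zone = zone_for(dst_ip)
    dnat_ip = None
    if (src_zone == NAT_RULE["from"] and pre_nat_zone == NAT_RULE["to"]
            and ip_address(dst_ip) in NAT_RULE["dst"]):
        dnat_ip = NAT_RULE["translate_to"]
    post_nat_zone = zone_for(dnat_ip or dst_ip)
    # Security policy sees the ORIGINAL destination IP but the post-NAT zone.
    allowed = (src_zone == SEC_RULE["from"] and post_nat_zone == SEC_RULE["to"]
               and ip_address(dst_ip) in SEC_RULE["dst"]
               and service in SEC_RULE["service"])
    return dnat_ip, allowed

if __name__ == "__main__":
    print(evaluate("172.16.1.5", "10.240.0.10", "https"))  # ('10.34.0.10', True)
```

Swapping the security rule's destination to the translated address, or the NAT rule's destination zone to the tunnel's zone, makes `evaluate` return `False`, which is the kind of mismatch worth checking in a test before pushing the rules.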