NAT traffic from DMZ to another zone


Hello everyone,

I am using a PA-220.

Let's call the Palo Alto firewall "X",

the office firewall "Y",

and the other firewall "Z".

Firewall X has 8 Interfaces.

Interface 1/1: has the IP address 192.168.5.254. We assigned this interface to a zone called "DMZ". When this firewall and this interface want to communicate with our office network, it sends the traffic to firewall Y with the IP 192.168.5.1. "Works fine as intended."

Interface 1/2: this interface is physically connected to another firewall Z and has the IP 192.168.9.127; this interface is also assigned to a zone named "InterConnectedNetwork". The IP of firewall Z is 192.168.9.1.

Firewall Z has three VLANs: 192.168.11/13/15. All participants of these VLANs can talk to each other through firewall Z without any problem. Internal routing is configured as follows: any traffic that comes to firewall Z but is intended to be forwarded to one of its VLAN participants, firewall Z forwards to the right machine.

Now let's say a machine with IP 10.50.5.20 is trying to talk to one of the VLANs of firewall Z through firewall Y (which has a static route to firewall X; it works fine) and the DMZ of firewall X. Since I do not want to expose the IPs from the VLANs in firewall Z, I created a S-NAT in the Palo Alto. It works fine. The traffic in this case looks like the following: (VLAN participant: 192.168.13.19) sends a packet to its gateway 192.168.13.1 --> from this point firewall Z forwards this packet through the Palo Alto interface 1/5 192.168.9.127 --> then the DMZ of firewall X sends the packet to firewall Y 192.168.5.1 --> firewall Y sends the packet to 10.50.5.20.

Again the packet flow: 192.168.13.19 -> 192.168.13.1 -> 192.168.9.127 -> 192.168.5.1 -> 10.50.5.20, so outbound NAT works perfectly.

What is not working is inbound. I have tried everything that I could, but it is not working. For inbound, the traffic reaches the DMZ of the Palo Alto but it is not forwarded further. The traffic stops at the following point: 10.50.5.20 -> 192.168.5.1 -> 192.168.5.254

What I already tried:

  1. Static routing table
  2. D-NAT (along with a security policy)
  3. U-NAT (along with a security policy)
  4. Policy Based Forwarding.

Of course there is always the possibility that I implemented all this in a wrong way.

Can anyone help? Any kind of suggestion regarding this problem would be nice!

Best regards,

Rahaman
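Added example, not part of the original post or any reply to it: what the inbound path described above (10.50.5.20 -> 192.168.5.254 on the DMZ interface of X -> 192.168.13.19 behind Z) looks like as a PAN-OS destination-NAT rule plus its matching security policy and static route, written in configure-mode `set` syntax. The two details that most often make an inbound D-NAT "stop at the DMZ interface" are encoded in the comments: the NAT rule's "to" zone is derived from where the pre-NAT destination address routes (192.168.5.254 is the firewall's own DMZ interface, so that zone is DMZ), while the security rule must use the post-NAT destination zone together with the pre-NAT destination address. Everything not stated in the post is an assumption: ethernet1/1 as the DMZ interface, ethernet1/2 as the InterConnectedNetwork interface, a virtual router named `default`, the rule and address-object names, and TCP/443 as the exposed service.

```text
# Added example (assumed interface names, object names, vrouter "default", service HTTPS).
# Inbound: 10.50.5.20 -> 192.168.5.254 (X, zone DMZ) -> 192.168.13.19 (VLAN host behind Z).

# 1. Route to the VLAN behind firewall Z via Z's interconnect address.
set network virtual-router default routing-table ip static-route to-VLAN13 destination 192.168.13.0/24 nexthop ip-address 192.168.9.1 interface ethernet1/2

# 2. Address objects (constructed from the addresses in the post).
set address Office-Host ip-netmask 10.50.5.20/32
set address DMZ-Self ip-netmask 192.168.5.254/32
set address VLAN13-Host ip-netmask 192.168.13.19/32

# 3. Destination NAT. The NAT "to" zone is where the PRE-NAT destination
#    routes: 192.168.5.254 is X's own DMZ interface, so from DMZ to DMZ,
#    not to InterConnectedNetwork.
set rulebase nat rules Inbound-to-VLAN13 from DMZ to DMZ source Office-Host destination DMZ-Self service service-https to-interface ethernet1/1
set rulebase nat rules Inbound-to-VLAN13 destination-translation translated-address VLAN13-Host
# Source translation to the interconnect interface address, so Z answers to
# 192.168.9.127 and needs no route for 10.50.5.0/24 (assumed to be acceptable).
set rulebase nat rules Inbound-to-VLAN13 source-translation dynamic-ip-and-port interface-address interface ethernet1/2

# 4. Security policy. Evaluated with the POST-NAT destination zone
#    (InterConnectedNetwork) but the PRE-NAT destination address (192.168.5.254).
set rulebase security rules Allow-Inbound-to-VLAN13 from DMZ to InterConnectedNetwork source Office-Host destination DMZ-Self application any service service-https action allow

commit
```

After the commit, the two policy lookups can be checked from operational mode with `test nat-policy-match from DMZ to DMZ source 10.50.5.20 destination 192.168.5.254 protocol 6 destination-port 443` and `test security-policy-match from DMZ to InterConnectedNetwork source 10.50.5.20 destination 192.168.5.254 protocol 6 destination-port 443`; if a session is created but no reply comes back, `show session all filter destination 192.168.13.19` will show it stuck in the opening state, which points at the return route on firewall Z rather than at X. One caveat of the source translation in step 3: firewall Z then sees every office host as 192.168.9.127, so its own logs lose the real client address; drop that line and add a route for 10.50.5.0/24 via 192.168.9.127 on Z if that visibility matters.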
