About cmateam

At my place of employment we've implemented a couple PAN-2020s in HA and have defined about 6 to 8 networks 1 attached to 1 physical port in a L3 configuration. We have cables running to a switch that each are untagged with different vLAN ID's (LAN = Default_VLAN, DMZ = DMZ_VLAN, etc). The vLAN'ing is done on the switch (HP ProCurve 2810-48G) and other ports are tagged and represented to VMware hosts. PAN --> HP 2810-48G ==< VMware HOSTs I have a few open ports, but am needing to create about 3 more networks to use and have quickly run out of physical ports. For those of you who have done this, or any PAN techs helping out here, what is the best practice for implementing vLANS in this type of environment.  I've seen some example of L2 configurations as well as L3 and I am a bit confused on what is best. What is the best way to make a handful of physical ports aggregate  on the firewall to present those vLANs to the switches, and then to the VMware hosts without doing that over just one cable? Do I need to configure the vLANs on the switch as well and tag those ports? I realize these are a lot of questions - unfortunately the project was escalated a few months ago and I did not get sufficient time to design this out, so it's made it hard to design well, and I have some opportunity to implement changes before this environment goes 100% into production. So I don't have quite the liberty to test this out. Am I on the right track with this document? Thanks for all your help! ... View more

Hi, Has anyone setup two PAN FW point to point that connect with the same subnets on each side.  The reason for the same subnets is that we have our production network behind FW-A and a co-location network that mirrors our production network behind FW-B.  This is for disaster recovery and quick turn on of machines in the event of a disaster, etc. I have the tunnel setup between two FWs, but I am having difficulty in getting NAT & Routing working appropriately to communicate with each other.  Unfortunately I am not at work to post screen shots of my setup at the moment, but wanted to see if someone could give some insight as to how to set this up.  I have followed the document here: - but have not had any success.  I am trying to NAT a pool of addresses to another pool on the other side. For example: Our Trust network is a 192.168.0.0/16 - I want to NAT these addresses through 10.168.0.0/16 to the other side of the tunnel and reverse the NAT to be directed to the same 192.168.0.0/16 address. I've tried assigning IP address ranges to each tunnel, and using the NAT rule to NAT the 192.168.0.0/16 destined for 10.168.0.0/16 to a 10.250.0.0/16 translated at the source.  I think this all works, but my routes don't seem to work, and don't know what the route would be.  I tried both the 10.168.0.0/16 and the 10.250.0.0/16 destination to the tunnel interface.  Neither seem to get it working. I tried same tunnel designators (tunnel.10) for example on the same side as well as the 10.250.0.0/16 and a 10.251.0.0/15 on both local tunnel address (FW-A), as well as on the far end tunnel (FW-B) I can post more tomorrow, but NATing this way isn't really explained in the above document, and there really is no explanation for the 10.2.1.0/24 network in the same document, so I am unsure how that all fits into this. Also I don't understand the ike-to-gw route rule either.  I tried adding this with no luck. Can anyone help?  I'm somewhat in need of getting this project setup and am completely confused.  I wish there was a clearer, more up to date document regarding this. Surely others are doing this as well? Thanks in advance. ... View more