Hi,

I have a problem with using groups (from Windows Active Directory) in security rules.

On our Windows Active Directory I have created a new group fw_finance. We use the PAN User-ID agent to get the mapping from IP to user. I mapped this group on our PA-500 (User Identification - Group Mapping Settings). Then I created a new security rule, so that all users in this group can use port 3048 outgoing. So far so good.

But if the users in this group try to connect to port 3048 outside, they are dropped. On the CLI I see the following:

    tettrich@fw003> show user ip-user-mapping ip 10.50.2.97

    IP address: 10.50.2.97
    User: assona\cheXXX
    Ident. By: AD
    Idle Timeout: 2417s
    Max. TTL: 2417s
    Groups that the user belongs to (used in policy)

No group is shown!

    tettrich@fw003> show user group name assona.local\fw_finance

    group short name: assona.local\fw_finance
    [1 ] assona.local\cheiXXX
    [2 ] assona.local\XXXXX
    [3 ] assona.local\XXXXXXX
    [4 ] assona.local\XXXXXX
    [5 ] assona.local\XXXXXXX

All users of this group are shown correctly! And with show user user-IDs I also get the right information, that user cheiXXX is in the group fw_finance.

PA-500 with software version 4.1.6
User-ID Agent Version 4.1.4-3

Can anyone help me?

Thanks,
Tom