Palo Alto Networks Knowledgebase: Unable to reach server's public IP address

Created On 02/07/19 23:39 PM - Last Updated 02/07/19 23:39 PM

Issue

  • Unable to reach the server's public IP address.

Details

  • A second public range is configured on interface e1/2, while the physical host is located on e1/3.
  • NAT rules are configured from untrust to untrust.

Cause

  • The server's public IP address is in the same address space as the IP address of another interface on the Palo Alto Networks firewall.
    Example:
    e1/1, zone untrust, public IP 1.1.1.1/24
    e1/2, zone DMZ-Public, IP 2.2.2.2/24
    e1/3, zone DMZ-Private, IP 192.168.1.1/24 (server is connected to e1/3, public IP 2.2.2.66/24, private IP 192.168.1.2/24)
    NAT policy set for "untrust zone to untrust zone".
  • The firewall sees the ingress traffic's destination IP address (2.2.2.66) as destined for the "DMZ-Public" zone.
  • This is because a route lookup returns DMZ-Public as the destination zone for 2.2.2.0/24.

However, the NAT policy is written for "untrust to untrust". Its destination zone (untrust) does not match the zone the route lookup returned for 2.2.2.66 (DMZ-Public), so no NAT rule matches and the traffic is dropped.

Resolution

  • Edit the NAT policy.
  • Change the destination zone to "DMZ-Public".
    Changing the destination zone from "untrust" to "DMZ-Public" lets the ingress traffic match the NAT rule on both source and destination zone, since PAN-OS derives the destination zone from a route lookup on the original (pre-NAT) destination address.
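The zone-matching behaviour behind both the cause and the resolution, as an added, constructed model that is not part of this article or of PAN-OS: a longest-prefix route lookup on the pre-NAT destination address picks the destination zone, and the NAT rule only matches when its configured zones agree with that result. The route table, zone names and rule fields below are assumptions built from the interfaces listed in the Cause section; the two rules are the misconfigured "untrust to untrust" rule beside the corrected "untrust to DMZ-Public" rule.

```python
from ipaddress import ip_address, ip_network

# Constructed route table modelling the article's interfaces: each connected
# subnet maps to the zone of the interface it sits on, plus a default route
# out of the untrust interface (assumed; the article does not list one).
ROUTES = [
    ("1.1.1.0/24", "untrust"),         # e1/1, public range
    ("2.2.2.0/24", "DMZ-Public"),      # e1/2, second public range
    ("192.168.1.0/24", "DMZ-Private"), # e1/3, server's physical link
    ("0.0.0.0/0", "untrust"),          # default route (assumed)
]


def zone_for(ip):
    """Longest-prefix-match route lookup returning the egress zone for ip."""
    addr = ip_address(ip)
    best_net, best_zone = None, None
    for prefix, zone in ROUTES:
        net = ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_zone = net, zone
    return best_zone


def nat_rule_matches(rule, ingress_zone, dst_ip):
    """NAT rule evaluation: the destination zone is taken from a route lookup
    on the ORIGINAL (pre-NAT) destination address, not from what the rule says."""
    return rule["from"] == ingress_zone and rule["to"] == zone_for(dst_ip)


def evaluate(rule, ingress_zone, dst_ip):
    """Return what happens to a packet under one NAT rule: the zone the route
    lookup produced, whether the rule matched, and the post-NAT destination."""
    matched = nat_rule_matches(rule, ingress_zone, dst_ip)
    return {
        "dst_zone": zone_for(dst_ip),
        "matched": matched,
        # Without a matching rule the destination is never translated.
        "translated_dst": rule["translated"] if matched else None,
    }


# Constructed rules: the rule described in the article's Cause section and
# the same rule after the Resolution step (destination zone changed).
BROKEN_RULE = {"from": "untrust", "to": "untrust",
               "dst": "2.2.2.66", "translated": "192.168.1.2"}
FIXED_RULE = {"from": "untrust", "to": "DMZ-Public",
              "dst": "2.2.2.66", "translated": "192.168.1.2"}

if __name__ == "__main__":
    for label, rule in (("untrust->untrust", BROKEN_RULE),
                        ("untrust->DMZ-Public", FIXED_RULE)):
        print(label, evaluate(rule, "untrust", "2.2.2.66"))
```

Running the block shows the route lookup placing 2.2.2.66 in DMZ-Public for both rules; only the corrected rule matches and yields the translated address 192.168.1.2, which is why the original configuration dropped the traffic even though the server's public address was routable.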

 

owner: jdavis



    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm1YCAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail