no incoming traffic
-
The point of doing BINAT is that my client doesn't allow me to arrive with my LAN /24 and asks me to translate the address to a /29. So, as my LAN is /24, I only take one IP from the /29 network and translate it to his destination network.
-
@moisesdasilvadeoliveira
Ok. But this allows either bidirectional communication to a /29 part of your network, or unidirectional communication from your whole network using a single BINAT address. -
My LAN: 172.31.10.0/24
Network my client wants me to arrive from: 10.188.176.248/29
Destination network: 10.216.0.0/27
As my LAN is /24,
I take one IP from his /29 (10.188.176.248/29), so I use 10.188.176.249, but I could use 10.188.176.250 or the next one. -
@moisesdasilvadeoliveira
Select "network" for BINAT and enter the network address, which is 10.188.176.248, with /29 as the mask. -
The scenario is as follows.
I have a LAN that is 172.31.10.0/24 with several servers on it. My client will not have access to it, only a zabbix-proxy within that LAN.
I need to connect to several servers of my client; we have several tunnels, some for a /27 network, others for a specific host /32.
Because of that he asks me to arrive with the /29 subnet. I also have a second /24 subnet, this one from my OpenVPN, that is, I have a site-to-site VPN that all my employees will access to support the customer, and for that they used OpenVPN.
-
@viragomann said in no incoming traffic:
Select "network" at BINAT and enter the network address which is 10.188.176.248 and /29 for the mask.
I can't do this because my LAN is /24 and my SNAT (BINAT) is /29.
-
I have this same scenario with other clients, working in the same way, but not with a Palo Alto; I have Cisco ASA and EdgeRouter, all of them working with the same scenario.
Using my LAN /24,
they ask me to arrive with SNAT (BINAT) /29,
arriving on any network within my client.
Everything works.
But on the Palo Alto this is not happening. -
@moisesdasilvadeoliveira said in no incoming traffic:
I have a lan that is 172.31.10.0/24, I have several servers on this lan. My client will not have access to it, only a zabbix-proxy within that lan.
I need to connect to several servers of my client, we have several tunnels, some for a /27 network, others for a specific host /32
Maybe you can realize this with 2 phase 2 tunnels. One for the connection to the Zabbix with its single address as "local network" and a single address out of the /29 you got.
And a second P2 with your LAN as local network and another single BINAT address out of the /29.
However, I'm afraid the Palo Alto doesn't accept this setup. Some firewalls do.
@moisesdasilvadeoliveira said in no incoming traffic:
I can't do this because my lan is /24 and my snat(binat) /29
I mentioned your options in former posts already.
@moisesdasilvadeoliveira said in no incoming traffic:
I have this same scenario with other clients, working in the same way,
A BINAT with some to many? So again the question: how would the remote site be able to access a certain IP on your site?
-
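To make the two points in the exchange above concrete (a /24 cannot be BINAT'd 1:1 onto a /29, and hiding the whole LAN behind a single translated address leaves the remote side with no way to reach a particular host), here is a small model of IPsec phase 2 selection and BINAT translation. It is an added illustration for this thread, not pfSense or Palo Alto code; the addresses are the ones quoted in the posts, and the zabbix-proxy host 172.31.10.50 is an assumption, since the thread never names it.

```python
"""
Model of how an IPsec phase 2 with BINAT translates addresses, to show why a
/24 LAN cannot be BINAT'd to a /29 and what the two-phase-2 alternative gives
up. Added illustration for this thread, not pfSense or Palo Alto code.
Addresses are the ones quoted in the thread; the zabbix-proxy host
172.31.10.50 is an assumption (the thread never names it).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Phase2:
    name: str
    local: ipaddress.IPv4Network     # real local network/host behind the tunnel
    remote: ipaddress.IPv4Network    # remote network the peer expects
    binat: ipaddress.IPv4Network     # address(es) the peer sees as our source


def p2(name, local, remote, binat):
    return Phase2(name, ipaddress.ip_network(local), ipaddress.ip_network(remote),
                  ipaddress.ip_network(binat))


# The setup viragomann suggested: a /32 for the zabbix-proxy with its own
# translated address, then the whole LAN hidden behind a second single address.
# Order matters: the more specific /32 entry must be matched first.
POLICIES = [
    p2("zabbix", "172.31.10.50/32", "10.216.0.0/27", "10.188.176.249/32"),  # .50 assumed
    p2("lan",    "172.31.10.0/24",  "10.216.0.0/27", "10.188.176.250/32"),
]

# The setup the original poster tried: the whole /24 translated to the /29.
MISMATCHED = p2("lan-to-29", "172.31.10.0/24", "10.216.0.0/27", "10.188.176.248/29")


def select_p2(policies, src, dst):
    """First phase 2 whose local and remote selectors match the packet."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return next((p for p in policies if src in p.local and dst in p.remote), None)


def translate_outbound(policies, src, dst):
    """Source address the peer sees for a packet we send into the tunnel."""
    p = select_p2(policies, src, dst)
    if p is None:
        raise LookupError(f"no phase 2 matches {src} -> {dst}")
    src = ipaddress.ip_address(src)
    if p.binat.prefixlen == p.local.prefixlen:
        # 1:1 BINAT: swap the network part, keep the host part
        offset = int(src) - int(p.local.network_address)
        return str(ipaddress.ip_address(int(p.binat.network_address) + offset))
    if p.binat.prefixlen == 32:
        # many-to-one: every local host leaves as the same address
        return str(p.binat.network_address)
    raise ValueError(f"{p.name}: BINAT {p.binat} cannot map {p.local} 1:1 "
                     "(prefix lengths differ)")


def translate_inbound(policies, remote_src, translated_dst):
    """Real local destination for a connection the peer initiates to a translated
    address. Only 1:1 mappings can be reversed; a single address in front of
    many hosts cannot, which is the reachability problem viragomann raised."""
    rs, dst = ipaddress.ip_address(remote_src), ipaddress.ip_address(translated_dst)
    for p in policies:
        if rs in p.remote and dst in p.binat:
            if p.binat.prefixlen != p.local.prefixlen:
                raise LookupError(f"{dst} fronts {p.local.num_addresses} hosts of "
                                  f"{p.local} ({p.name}); peer cannot pick one")
            offset = int(dst) - int(p.binat.network_address)
            return str(ipaddress.ip_address(int(p.local.network_address) + offset))
    raise LookupError(f"no phase 2 maps {remote_src} -> {translated_dst}")


def demo():
    """Collect the outcomes so they can be inspected or asserted on."""
    out = {
        "zabbix_out": translate_outbound(POLICIES, "172.31.10.50", "10.216.0.5"),
        "lan_out": translate_outbound(POLICIES, "172.31.10.77", "10.216.0.5"),
        "zabbix_in": translate_inbound(POLICIES, "10.216.0.5", "10.188.176.249"),
    }
    try:
        out["lan_in"] = translate_inbound(POLICIES, "10.216.0.5", "10.188.176.250")
    except LookupError as e:
        out["lan_in"] = f"unreachable: {e}"
    try:
        out["mismatch"] = translate_outbound([MISMATCHED], "172.31.10.1", "10.216.0.1")
    except ValueError as e:
        out["mismatch"] = f"rejected: {e}"
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:12} {value}")
```

Running it shows the zabbix-proxy leaving as 10.188.176.249 and being reachable from the client side at that address, the rest of the LAN leaving as 10.188.176.250 but not reachable inbound (there is no way to pick one of the 256 hosts from a single address), and the /24-to-/29 policy rejected outright because the prefix lengths differ.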
Hello @viragomann
Thanks for the responses and attempts to help. We found the problem. On the client side he needed to enable NAT-T. After the adjustment, communication worked normally. Thank you very much.