no incoming traffic
-
Dear,
I have a closed VPN tunnel with my client; I only see outgoing traffic, incoming traffic is not seen.
My client uses Palo Alto. Is there any incompatibility between the firewalls? -
@moisesdasilvadeoliveira
There is no incoming traffic possible if you set a single BINAT address. This is by design. What's the sense of the BINAT?
Does the remote site only accept access from this address? -
@viragomann Thanks for your response,
The sense is unidirectional: my client gives me a /29, and as my home network is a /24, I need to get an IP from his /29.
I can put any IP of the /29 that he gives me. -
@viragomann
How could I make a bidirectional BINAT within IPsec?
Or DNAT? -
@moisesdasilvadeoliveira
BINAT is network address translation. The question was, what is the sense of doing BINAT at all?
This has nothing to do with network size. BINAT is used to masquerade your network with another address.
Anyway, when using it, the BINAT network has to have the same size as your local network to enable access to your site.
If this is not the case, which address should be used on the remote site to access a device in your LAN? So if you have only a tunnel for a /29 subnet, only a /29 part of your LAN can be reached from the remote site.
So you can state a /29 BINAT network and a /29 LAN, which is part of your /24 subnet.
E.g. with
BINAT network: 10.188.176.248/29
Local network: 10.216.0.16/29
you can access 10.216.0.16 - 10.216.0.23 at best. -
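The size rule from the post above (and the single-address case mentioned later in the thread) can be checked with a small script. This is an added example, not code from the thread or from pfSense/Palo Alto: it models a BINAT as a fixed host-offset mapping and shows why a /29 paired with a /29 is reachable in both directions, while a whole /24 behind one address of the /29 only works outbound. The addresses are the ones posted in the thread; the /29 slice 172.31.10.16/29 of the poster's LAN is an assumption chosen for illustration.

```python
import ipaddress
from typing import List, Optional, Tuple

# Added example, not from the forum thread. It models the BINAT rule
# viragomann describes: a 1:1 (bidirectional) BINAT needs a translated
# network of the same size as the local network; a single BINAT address is
# many-to-one and only works for outbound connections.
# Assumption: 172.31.10.16/29 is an arbitrary /29 slice of the poster's
# 172.31.10.0/24 LAN, chosen here for illustration.


def binat_mode(local_net: str, binat_net: str) -> str:
    """Classify a BINAT pairing as 'bidirectional' or 'outbound-only'.

    Raises ValueError for sizes that cannot be mapped at all.
    """
    local = ipaddress.ip_network(local_net, strict=True)
    binat = ipaddress.ip_network(binat_net, strict=True)
    if local.version != binat.version:
        raise ValueError("local and BINAT networks must be the same IP version")
    if local.num_addresses == binat.num_addresses:
        return "bidirectional"  # 1:1, every host has a fixed translated address
    if binat.num_addresses == 1:
        return "outbound-only"  # many:1, the remote side cannot pick a host
    raise ValueError(
        f"BINAT {binat} must be the same size as local {local} or a single address"
    )


def translate_outbound(local_addr: str, local_net: str, binat_net: str) -> str:
    """Address the remote site sees for a packet sent from local_addr."""
    addr = ipaddress.ip_address(local_addr)
    local = ipaddress.ip_network(local_net, strict=True)
    binat = ipaddress.ip_network(binat_net, strict=True)
    if addr not in local:
        raise ValueError(f"{addr} is not in local network {local}")
    if binat_mode(local_net, binat_net) == "outbound-only":
        return str(binat.network_address)  # every host collapses to one address
    offset = int(addr) - int(local.network_address)  # host part is preserved
    return str(binat.network_address + offset)


def translate_inbound(binat_addr: str, local_net: str, binat_net: str) -> Optional[str]:
    """Local host that a packet addressed to binat_addr is delivered to.

    Returns None when the mapping is many-to-one, because no single host can
    be identified from the translated address alone.
    """
    addr = ipaddress.ip_address(binat_addr)
    local = ipaddress.ip_network(local_net, strict=True)
    binat = ipaddress.ip_network(binat_net, strict=True)
    if addr not in binat:
        raise ValueError(f"{addr} is not in BINAT network {binat}")
    if binat_mode(local_net, binat_net) == "outbound-only":
        return None
    offset = int(addr) - int(binat.network_address)
    return str(local.network_address + offset)


def binat_table(local_net: str, binat_net: str) -> List[Tuple[str, str]]:
    """Full (local, translated) address pairs for a 1:1 BINAT."""
    if binat_mode(local_net, binat_net) != "bidirectional":
        raise ValueError("a mapping table only exists for a 1:1 BINAT")
    local = ipaddress.ip_network(local_net, strict=True)
    binat = ipaddress.ip_network(binat_net, strict=True)
    return [(str(loc), str(tr)) for loc, tr in zip(local, binat)]


if __name__ == "__main__":
    # Case 1: the poster's actual setup, the whole /24 behind one address of the /29.
    print(binat_mode("172.31.10.0/24", "10.188.176.249/32"))
    print(translate_outbound("172.31.10.77", "172.31.10.0/24", "10.188.176.249/32"))
    print(translate_inbound("10.188.176.249", "172.31.10.0/24", "10.188.176.249/32"))
    # Case 2: a /29 slice of the LAN paired with the /29 the client assigned.
    for pair in binat_table("172.31.10.16/29", "10.188.176.248/29"):
        print(*pair)
    # Case 3: mismatched sizes, which is what the thread is about.
    try:
        binat_mode("172.31.10.0/24", "10.188.176.248/29")
    except ValueError as err:
        print("rejected:", err)
```

Running it prints the 8 address pairs of the /29 mapping, shows the /24 collapsing onto 10.188.176.249 for outbound traffic with no reverse mapping, and rejects the /24-to-/29 pairing outright.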
The sense of doing BINAT is because my client doesn't allow me to arrive with my LAN /24 and asks me to translate the address to a /29. So, as my LAN is /24, I only get an IP from the /29 network and translate it to his destination network.
-
@moisesdasilvadeoliveira
Ok. But this allows either bidirectional communication to a /29 part of your network or unidirectional communication from your whole network using a single BINAT address. -
My LAN: 172.31.10.0/24
Network that my client wants me to get there with: 10.188.176.248/29
Destination network: 10.216.0.0/27
As my LAN is /24,
I get an IP from his /29 (10.188.176.248/29), so I use 10.188.176.249, but I can use 10.188.176.250 or the next. -
@moisesdasilvadeoliveira
Select "network" at BINAT and enter the network address which is 10.188.176.248 and /29 for the mask. -
The scenario is as follows.
I have a LAN that is 172.31.10.0/24, and I have several servers on this LAN. My client will not have access to it, only a Zabbix proxy within that LAN.
I need to connect to several servers of my client; we have several tunnels, some for a /27 network, others for a specific host /32.
With that, he asks me to arrive with the /29 subnet. I still have a second /24 subnet; this one comes from my OpenVPN, that is, I have an S2S VPN which all my employees will access to support the customer, and for that they used OpenVPN.
-
@viragomann said in no incoming traffic:
Select "network" at BINAT and enter the network address which is 10.188.176.248 and /29 for the mask.
I can't do this because my LAN is /24 and my SNAT (BINAT) /29
-
I have this same scenario with other clients, working in the same way, but it is not a Palo Alto; I have Cisco ASA, EdgeRouter, all of them working with the same scenario.
Using my LAN /24,
they are asking me to arrive with SNAT (BINAT) /29,
arriving on any network within my client.
Everything is functional.
But in Palo Alto this is not happening. -
@moisesdasilvadeoliveira said in no incoming traffic:
I have a LAN that is 172.31.10.0/24, I have several servers on this LAN. My client will not have access to it, only a Zabbix proxy within that LAN.
I need to connect to several servers of my client, we have several tunnels, some for a /27 network, others for a specific host /32
Maybe you can realize this with 2 phase two tunnels. One for the connection to the Zabbix with its single address as "local network" and a single address out of the /29 you got.
And a second P2 with your LAN as local network and another single BINAT address of the /29.
However, I'm afraid that the Palo Alto doesn't accept this setup. Some firewalls do.
I can't do this because my LAN is /24 and my SNAT (BINAT) /29
I mentioned your options in former posts already.
I have this same scenario with other clients, working in the same way,
A BINAT with some to many? So again the question: how would the remote site be able to access a certain IP on your site? -
-
Hello @viragomann
Thanks for the responses and attempts to help. We found the problem. On the client side he needed to enable NAT-T. After the adjustment, communication worked normally. Thank you very much.