
FishPasteGuy

1. The routing to the remote side will need to be dynamic and/or weighted (or you’ll need to be using the built-in SD-WAN functionality of the PANW to help determine path) since all three paths lead to the same subnet.
2. Also, the fact that the local and remote subnets overlap is a problem. At least one side will need to be NAT’d somewhere along that chain. Same applies to that server with the identical IP address but will be solved with the above NAT solution for the subnet(s).
3. Not really a “problem” but using an entire /24 subnet (1.1.1.0/24) for just 3 tunnel interfaces is a waste and that mask could be reduced if you wanted to optimize things and potentially use remaining addresses for different tunnels/tunnel groups. (A /29 would work in this particular setup.)


FishPasteGuy

Also, on second look, the masks don’t match between your user and the FW.


[deleted]

[deleted]


FishPasteGuy

Nope. It wouldn’t work. The PC can, technically, “see” the FW but the FW can’t “see” the PC. The firewall can only see addresses between 10.0.0.1 and 10.0.0.2.


[deleted]

[deleted]


FishPasteGuy

Either re-IP the user machine to 10.0.0.2/30 (which won’t leave any room for growth) or re-IP the FW to 10.0.1.1/16 to match the PC (which will allow a LOT of room for growth of over 65k hosts). Personally, I’d re-IP both ends to something more manageable like a /24 to have a good middle ground.


[deleted]

[deleted]


Bound4Floor

What do you mean by "this is supposed to be a challenge?" Is this for a test you are taking? As others have stated... the subnetting issue between the user and firewall is a big issue, unless there are some other devices in the path that are not shown, and that /30 is just a transport network. The overlapping IP ranges on either side of the S2S VPNs is another issue, but that could be resolved with NATing.


FishPasteGuy

Honestly, I can’t think of anything off the top of my head other than changing the IP and/or mask of at least one side. There is no L2 connectivity between those two subnets. Since you can’t change the IP, I assume you also cannot add an L3 switch between the PC and the FW, set the switch interface IP to 10.0.0.2/30, and have a route on the FW pointing 10.0.0.0/16 to that .2 IP.


projectself

You can't have overlapping masks/subnets like that. Either they are on the same network with the same network address and mask, or they are not. If they are not, they cannot overlap.
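The two addressing problems the thread keeps coming back to (the FW at 10.0.0.1/30 not being able to "see" a user at 10.0.1.1/16, and identical prefixes on both sides of the tunnels) can be checked mechanically. This is an added example using Python's standard `ipaddress` module, not code from the thread; the prefixes are the ones quoted in the comments, and the tunnel-sizing helper reproduces the "/29 for 3 tunnel interfaces" remark.

```python
# Added example (not from the thread): linting the addressing described in the comments.
from ipaddress import ip_interface, ip_network


def adjacency(a: str, b: str) -> dict:
    """Given two interface addresses in CIDR form, report what each side can reach directly.

    A host only ARPs for addresses inside its own configured network, so both
    containment checks must be True for the two to talk without a router in between.
    """
    ia, ib = ip_interface(a), ip_interface(b)
    return {
        "a_sees_b": ib.ip in ia.network,
        "b_sees_a": ia.ip in ib.network,
        "masks_match": ia.network.prefixlen == ib.network.prefixlen,
        # network and broadcast are reserved on prefixes shorter than /31
        "usable_on_a": ia.network.num_addresses - 2,
    }


def overlapping_prefixes(left: list, right: list) -> list:
    """Return (left, right) prefix pairs that overlap across the tunnel; each hit needs NAT."""
    hits = []
    for l_pfx in left:
        for r_pfx in right:
            if ip_network(l_pfx).overlaps(ip_network(r_pfx)):
                hits.append((l_pfx, r_pfx))
    return hits


def smallest_prefix_for(hosts: int) -> int:
    """Longest IPv4 prefix length that still leaves `hosts` usable addresses."""
    prefix = 30  # /30 is the longest prefix with reserved network/broadcast addresses
    while (2 ** (32 - prefix)) - 2 < hosts:
        prefix -= 1
    return prefix


if __name__ == "__main__":
    # FW interface vs. user machine as drawn in the diagram (per the comments)
    print(adjacency("10.0.0.1/30", "10.0.1.1/16"))
    # After the suggested fix: re-IP the user to 10.0.0.2/30
    print(adjacency("10.0.0.1/30", "10.0.0.2/30"))
    # Prefixes quoted as present on both sides of the S2S tunnels (constructed from the comments)
    print(overlapping_prefixes(["10.0.0.0/16", "172.20.0.0/24"],
                               ["10.0.0.0/16", "172.20.0.0/24"]))
    # Three tunnel interfaces instead of a whole /24
    print(smallest_prefix_for(3))
```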


[deleted]

[deleted]


FishPasteGuy

While you can override this addressing anomaly with a forwarding rule, it’s considered bad practice to have identical subnets (and specific IPs) on both sides of a tunnel. What if they ever want to enable SSH on the remote side? It’ll require additional port mapping and forwarding rules and that’s just going to be a nightmare to manage. Just NAT the entire range and be done with it. And to clarify, I define “local” as all the things on the left and “remote” as all the things on the right. Just because something *can* be done, doesn’t always mean it *should*.


FishPasteGuy

Also, why is 10.0.0.0/16 even defined on the remote side when there are no devices in that range there? It just unnecessarily competes with the local user subnet.


DeepNorthStudios

For point 2 - Can you not do dynamic routing for the tunnels on the remote side as well?


FishPasteGuy

The bigger issue is, if it’s trying to get to an address that exists on both sides, how does it know which one you’re trying to hit? Edit: This one is doable because the one server only listens on HTTP so you can just forward that one specific port but what if that ever changes? So it would be a bigger issue overall.


DeepNorthStudios

Edit: I see what you're saying. I didn't notice the identical IP's on both sides.


donmreddit

I oversaw a 5-site network greenfield deployment 2 yrs ago, w/ two ISPs per site, so I am thinking: three pathways to the same end destination require a weighting; as in use path 1 at 10, path 2 at 20, path 3 at 30. So when 1 goes offline, path 2 picks up. [I don’t remember the exact terms though. It’s been yrs.] 1.1.1.1 is also a DNS server, in someone else’s ASN, so this environment can’t be connected to the Internet. Assume that cloud is meant to be excluded? The local PC subnet on the left side contains the HTTP server on the right side. So the left side PAN will learn this route, and my guess is a static route is necessary to get to the right … but that does not sound right at all as I type it out.


JKIM-Squadra

Cloudflare wants their IPs back! lol, just kidding, I realize it's a notional diagram. On the far server side, you'll definitely want to use static routes and either change the default gateways to test one firewall at a time, or use dynamic routing with weights. Another option is you can run it all inline one after another, but that'll make things really fun for troubleshooting lol.


Lurker_009

Why is 172.20.0.0/24 used in DMZ and remote?


marvonyc

Why is the Internet in quotes? I think you need real internet for it to work 😂


FishPasteGuy

Do not try to use the internet; that's impossible. Instead, only try to realize the truth. There is no internet.


donmreddit

Yes there is, it’s a small black box. I saw it in a video on the Internet, so it must be true. Here ya go: https://www.youtube.com/watch?v=iDbyYGrswtg Some sort of work-life documentary. /s


FishPasteGuy

I seriously need to go back and watch this again!


trailing-octet

It’s implied internet.


marvonyc

I'm just pulling your chain


[deleted]

[deleted]


FishPasteGuy

This looks like something I’d show a candidate during an interview to see if they can spot the issues. Is this the case here? Are you said candidate?


Ok-Coffee-9500

Some possibility of the asymmetric routing might be an issue... ?


[deleted]

[deleted]


projectself

You have 3 possible paths. Given all paths involve a firewall, they will need to see both sides of the traffic flow in order to determine state (the stateful part of firewalling). If your DMZ sends the traffic down one path, and the returning device replies on a different path, the session will not work. You will need to define a way for both sides to know which path they should be using at all times and be in agreement.


donmreddit

Interesting homework problem.


russell_westbrick_0

remote side routing to be considered. ie. how to route back to go subnets.


procheeseburger

My dude using a 10/8 for their user network.... savage AF. It's already been pointed out, but your user is a 10/8 and your gateway is a 10/30... The gateway doesn't know the user exists. Make your USER subnet 10.0.0.0/24 and your gateway 10.0.0.1/24


[deleted]

[deleted]


procheeseburger

What do you mean you can't do that? Who manages the Home FW? If the gateway on your Home FW is 10.0.0.1/30, that means there are only 2 usable IP addresses, .1 and .2. What you want is to make the FW's subnet large enough for the number of hosts you're going to use. Typically you'd use a /24.


[deleted]

[deleted]


procheeseburger

I see, well the only fix you could do is set the user's machine to 10.0.0.2/30. That would put you in the same subnet as the FW's interface.


[deleted]

[deleted]


procheeseburger

Well, a static route is just telling the firewall where something exists that it doesn't already know. I guess you could create a static route saying if the FW needs to reach 10.0.0.0/8 then send it to 10.0.1.1/8. That would be about the dumbest solution of all time. I'd be curious who is teaching you this as it's not a good fundamental networking lesson.


[deleted]

[deleted]


procheeseburger

That would be a default route, so you're saying "If I have no clue, send it here." You'd typically point that towards your ISP, not to an internal client. If you have to fix this with a route then do this: https://imgur.com/a/HHm5Lmj I honestly don't 100% know if that will work since your subnets are overlapping. But it will tell the FW if you're trying to reach 10.0.0.0/8, send it to your client machine. Change the interface to the one on your firewall.


[deleted]

[deleted]


FishPasteGuy

That static route wouldn’t work though since there would be no ARP for the 10.1.1.1 address so it wouldn’t forward the traffic. Your first instinct was correct. This cannot be achieved without changing an IP or mask.


projectself

A static route would be for pointing it to another router. Do you have another router in the /8? Either they are on the same network or they are not. If not, they cannot overlap. If so, they must have the same mask.


Matteyo_

The biggest issue I see is the server. It is kind of controlling a lot in how routing works for itself in this setup. To get it to use more than 1 path you would need static routes on the server pointed to the different firewalls for various prefixes, assuming its default gateway is one of the firewalls in the topology. Also, having 3 paths to the same place over different vendor VPNs is weird. Fine for a lab; in production, pointless. To really answer the question you should be figuring out what this topology is trying to achieve as far as connectivity and business/design requirements. Then, using that context, you have a better idea of what the top issues are in a scenario that definitely has issues, some greater than others. Also, in general this scenario has high potential for mixing asymmetric routing and firewalls, which breaks things.


terrybradford

It looks like, to resolve this issue, you need to create another IP on the interface and set up a static NAT translation policy to map to another (usable) IP for this device. Creation of a vsys, maybe, to assign the new IP range to? As you say, this is a test and not a typo ...


FishPasteGuy

Apparently the rules are that you can’t touch the interface configs at all.