Client VM --> ASA --> PANOS --> Internet
For outbound general Internet access.
I tried to pass a packet through two NVAs: first, an ASA, then a PANOS. This doesn't seem supported in Azure and I think it's because they are doing uRPF, though I can't find any documentation on this theory.
If I NAT the client IP on the ASA, it works just fine.
Routing is good. I double double triple checked. Even connected the client directly to the PANOS to be sure and it works.
I tried having dedicated subnets for the interconnect (ic1 and ic2), and tried just a single interconnect subnet. Same result.
Even if the UDRs are set up right, and the routing tables on the appliances, I think uRPF is the issue since the client IP is routed through a different interface on the vnet gateway (under the Azure hood). I can see the packet arrive at the ASA, and get routed out the ASA, but the PANOS never even sees the packet. I turn on PAT on the ASA and boom, all works like magic.
Anyone else come across this scenario?
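Before blaming the fabric, a chained-NVA setup is worth checking hop by hop from Azure's own view: the effective route each NIC actually uses, and whether the NVA NICs are allowed to pass traffic that is not addressed to or from their own IP. The script below is an added example, not part of the original post or either vendor's tooling; it validates the client -> ASA -> PANOS -> Internet chain from constructed JSON shaped like `az network nic show-effective-route-table` and `az network nic show` output, with assumed addresses (ASA inside 10.0.10.4, PANOS inside 10.0.20.4).

```python
import json

# Constructed samples shaped like the output of
#   az network nic show-effective-route-table -g <rg> -n <nic> -o json
# for the client NIC and for the ASA's interconnect-facing NIC. The IPs
# (ASA inside 10.0.10.4, PANOS inside 10.0.20.4) are assumptions.
CLIENT_NIC_ROUTES = json.loads("""{"value": [
 {"addressPrefix": ["10.0.0.0/16"], "nextHopType": "VnetLocal",
  "nextHopIpAddress": [], "source": "Default", "state": "Active"},
 {"addressPrefix": ["0.0.0.0/0"], "nextHopType": "Internet",
  "nextHopIpAddress": [], "source": "Default", "state": "Invalid"},
 {"addressPrefix": ["0.0.0.0/0"], "nextHopType": "VirtualAppliance",
  "nextHopIpAddress": ["10.0.10.4"], "source": "User", "state": "Active"}]}""")
# No UDR on this NIC: traffic leaving the ASA is routed by Azure straight
# to the Internet instead of to the PANOS.
ASA_OUT_NIC_ROUTES = json.loads("""{"value": [
 {"addressPrefix": ["10.0.0.0/16"], "nextHopType": "VnetLocal",
  "nextHopIpAddress": [], "source": "Default", "state": "Active"},
 {"addressPrefix": ["0.0.0.0/0"], "nextHopType": "Internet",
  "nextHopIpAddress": [], "source": "Default", "state": "Active"}]}""")
# Constructed fragment of `az network nic show` output for the same NIC.
ASA_OUT_NIC = {"name": "asa-ic1-nic", "enableIpForwarding": False}


def default_next_hop(routes):
    """Return (nextHopType, nextHopIp) of the active 0.0.0.0/0 route.
    Azure marks a system route overridden by a UDR as state 'Invalid',
    so filtering on 'Active' yields the route the fabric actually uses."""
    for r in routes["value"]:
        if "0.0.0.0/0" in r["addressPrefix"] and r["state"] == "Active":
            ip = r["nextHopIpAddress"][0] if r["nextHopIpAddress"] else None
            return r["nextHopType"], ip
    return "None", None


def verify_chain(hops):
    """hops: [(label, effective_routes, expected_nva_ip_or_None)].
    None means the hop should exit straight to the Internet.
    Returns a list of findings; an empty list means the chain is intact."""
    findings = []
    for label, routes, expected in hops:
        hop_type, ip = default_next_hop(routes)
        if expected is None and hop_type != "Internet":
            findings.append(f"{label}: default route -> {hop_type} {ip}, expected Internet")
        elif expected is not None and (hop_type, ip) != ("VirtualAppliance", expected):
            findings.append(f"{label}: default route -> {hop_type} {ip}, expected NVA {expected}")
    return findings


def forwards_foreign_ips(nic):
    """Azure only delivers/accepts packets whose IPs are not the NIC's own
    when IP forwarding is enabled; every NVA NIC in the chain needs True."""
    return bool(nic.get("enableIpForwarding", False))
```

Run `verify_chain` over the real effective-route output of each NIC in the path, and `forwards_foreign_ips` over each NVA NIC; a finding on the ASA's outbound NIC or a False forwarding flag explains a packet that leaves the ASA but never reaches the PANOS.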