topic Re: Trouble routing from Guest zone to Internal Server in General Topics

Trouble routing from Guest zone to Internal Server

cnorwich — Tue, 06 Feb 2024 20:33:53 GMT

I'm not sure where to turn from here but my organization is trying to do a configuration we haven't set up before related to our student self-service system.

To try and summarize the issue, we have a guest-wireless zone that we need to allow anybody access to another server that is internal on our production network. Our system architect registered a public IP address to our ISP with a URL so what we're trying to do is allow guest-wifi to this public URL and then let it hit the internal server.

This is working externally from the organization. There is a NAT setup to allow external traffic to reach the service via the public IP/URL, but trying to go from the Guest Zone to the server is giving problem. I have had Palo support troubleshooting with me and they were not able to come up with a solution during our call, so I'm turning here.

What some other Palo documentation and videos had us do was the following NAT and Security Policy:

NAT

Source Zone: inside

Dest. Zone: Outside

Source Addr: Server Private IP

Src. Translation: Server Public IP

This worked for anything external but trying to recreate one for Guest doesn't seem to do anything

Security Policy

Source Zone: Guest

Source Addr: Any

Dest. Zone: inside

Dest. Addr: server Public IP

Ports: 80/443

Traffic Monitor for the above security policy shows allowed traffic with a result of Application: Incomplete.

I am completely stumped and feel like we're making it a lot harder than it really is, so any guidance would be immensely helpful.

Re: Trouble routing from Guest zone to Internal Server

Claw4609 — Tue, 06 Feb 2024 21:01:26 GMT

Is the guest zone hitting the public IP? Presumably your NAT rule is bi-directional then? Or do you have a separate NAT policy for inbound connections?

If you look in the details of the session you see allowed, in both the source and destination boxs does the "NAT IP" part appear correct?

Re: Trouble routing from Guest zone to Internal Server

OtakarKlier — Tue, 06 Feb 2024 21:45:49 GMT

Hello,

Sounds like you need a U-Turn NAT. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cln3CAC

Also make sure you have security policies allowing the traffic.

Regards,

Re: Trouble routing from Guest zone to Internal Server

cnorwich — Wed, 07 Feb 2024 14:04:22 GMT

There is a separate destination NAT for external users. My source IP is from our 10.193.0.0 subnet (Guest) and guest interface ethernet 1/5.93. The destination is listed as the public IP with a NAT IP displayed as the server's private IP. So to me, it does appear correct. We have other configurations for the Guest wifi to reach internal services, but those are handled by the load balancer in the DMZ, so we're not sure where the disconnect is occurring.

Re: Trouble routing from Guest zone to Internal Server

cnorwich — Wed, 07 Feb 2024 14:06:33 GMT

I did come across something regarding U-Turn NAT and I did try and use the above link for reference, as well as another online video of someone explaining it and it makes sense to me, but when trying to implement I'm still not able to reach that service. ☹️

Re: Trouble routing from Guest zone to Internal Server

cnorwich — Wed, 07 Feb 2024 14:28:39 GMT

After a little more looking into the NAT policy, I recognized the error I had. U-Turn was the correct solution but it was the particular interface I was using on the source translation. Correcting that on my end immediately got the service working. Much thanks to all.