topic Re: No DNS, cannot ping anything above gateway in General Topics

No DNS, cannot ping anything above gateway

Altais — Wed, 07 Feb 2024 21:42:09 GMT

I'm trying to set up a PA-820 from scratch, but would like to update and set up rules before placing it on top of our network. Currently it is set up as a DHCP client, parallel to our office router, connected upstream to a Charter AP and modem (for some reason, this is the only way they'll give us a static IP and a high speed connection to the internet). The AP is the gateway with an IP of 192.168.1.1, which I can ping from the DHCP assigned IP of 192.168.1.53 from the management interface, which I changed to 192.168.0.2. However, I can't ping anything else above that. Attached are the interfaces and security rules. Can anyone take a look at this and help?

show interface all

total configured hardware interfaces: 5

name                    id    speed/duplex/state            mac address
--------------------------------------------------------------------------------
ethernet1/1             16    1000/full/up                  60:15:2b:67:14:10
ethernet1/2             17    ukn/ukn/down(autoneg)         60:15:2b:67:14:11
ethernet1/3             18    ukn/ukn/down(autoneg)         60:15:2b:67:14:12
dedicated-ha1           5     ukn/ukn/ukn(autoneg)          60:15:2b:67:14:05
dedicated-ha2           6     ukn/ukn/down(autoneg)         60:15:2b:67:14:06

aggregation groups: 0

total configured logical interfaces: 5

name                id    vsys zone             forwarding               tag                  address
------------------- ----- ---- ---------------- ------------------------ ------               ------------------
ethernet1/1         16    1    Untrusted        vr:default               0                    192.168.1.53/24
ethernet1/2         17    1    Trusted-Office   vr:default               0                    10.0.0.1/24
ethernet1/3         18    1    Guest Network to vr:default               0                    10.0.2.1/24
dedicated-ha1       5     1                     ha                       0                    N/A
dedicated-ha2       6     1                     ha                       0                    N/A

admin@OfficeFW> show rulebase security rules

Invalid syntax.
admin@OfficeFW> configure
Entering configuration mode
[edit]
admin@OfficeFW# show rulebase security rules
rules {
"Allow out" {
    profile-setting {
      group default;
    }
    to Untrusted;
    from Trusted-Office;
    source any;
    destination any;
    source-user any;
    category any;
    application any;
    service any;
    source-hip any;
    destination-hip any;
    action allow;
    log-setting default;
    rule-type interzone;
}
}
[edit]
admin@OfficeFW# show routing route

Invalid syntax.
[edit]
admin@OfficeFW# exit
Exiting configuration mode
admin@OfficeFW> show routing route

flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp,
Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2, E:ecmp, M:multicast

VIRTUAL ROUTER: default (id 1)
==========
destination                                 nexthop                                 metric flags      age   interface          next-AS
0.0.0.0/0                                   0.0.0.0                                 10     A S              ethernet1/1
192.168.1.0/24                              192.168.1.53                            0      A C              ethernet1/1
192.168.1.53/32                             0.0.0.0                                 0      A H
total routes shown: 3

admin@OfficeFW> admin@OfficeFW> show interface all
Unknown command: admin@OfficeFW>
------------------------------------------------
ethernet1/1             16    1000/full/uadmin@OfficeFW> p                  60:15:2b:67:14:10
ethernet1/2             17    ukn/ukn/down(autoneg)         60:15:2b:67:14:11
ethernet1/3             18    ukn/ukn/down(autoneg)
   5     ukn/ukn/ukn(autoneg)          60:15:2b:67:14:05
dedicated-ha2           6     ukadmin@OfficeFW> n/ukn/down(autoneg)         60:15:2b:67:14:06

aggregation groups: 0

total configured logical interfaces: 5

admin@OfficeFW> total configured hardware interfaces: 5
Unknown command: total
           192.168.1.53/24
ethernet1/2         17    1    Trusted-Office   vr:default               0 admin@OfficeFW>                   10.0.0.1/24
ethernet1/3         18    1    Guest Network to vr:default               0                    10.0.2.1/24
dedicated-ha1       5     1
             ha                       0                    N/A
dedicated-ha2       6     1                    admin@OfficeFW> ha                       0                    N/A

Re: No DNS, cannot ping anything above gateway

SutareMayur — Thu, 08 Feb 2024 07:40:59 GMT

Hello @Altais

Please share connectivity diagram if possible. This will give more clarity.

Also, one query - why did you changed IP to 192.168.0.x ? Because, I understand that you have AP modem network as 192.168.1.x.

Re: No DNS, cannot ping anything above gateway

Altais — Thu, 08 Feb 2024 13:12:44 GMT

Pretty simple network, see the attached drawing.

Re: No DNS, cannot ping anything above gateway

JBowerman_SS — Thu, 08 Feb 2024 20:25:37 GMT

You'll probably need to NAT to your internal IP space to the external IP assigned by the the wifi modem using an interface NAT. The cable modem most likely does not know how to return/route the 10.x.x.x or 192.168.0.0/24 network traffic back to the firewall.

If you can get into the cable modem, you can add static routes on the modem to your subnets behind the firewall directly to avoid the NAT.

Re: No DNS, cannot ping anything above gateway

OtakarKlier — Thu, 08 Feb 2024 20:56:11 GMT

Hello,

Are you sourcing your ping from the management interface? What does the logs show? Most likely causes:

1. Security policy incorrect

2. Nat policy incorrect

3. Missing routes in virtual router.

Setting all policies to log at session end should allow you to see all the traffic the data plane sees, allowed and denied.

Regards,

Re: No DNS, cannot ping anything above gateway

BPry — Thu, 08 Feb 2024 21:17:03 GMT

@Altais,

Just going to back things off a bit and ask a rather simple question that I'm not seeing, but how are you expecting your MGMT connection to be able to access anything but your laptop when it's directly plugged in? There's nothing in your diagram showing where your MGMT connection is actually plugged into anything, outside of the fact that I'm assuming you have it plugged into your laptop.

Your cable modem isn't going to know how to route traffic to a random 192.168.0.1 client if it doesn't have a route to it, but you're also kind of overcomplicating things with this setup. I personally wouldn't recommend giving your MGMT connection a 182.168.1.0/24 address if you're treating this as your untrust zone. You could pop it into your trust zone and just have it restricted via permitted-ip if you want, or you could just put it in it's own dedicated MGMT zone if you wanted to go that route as well. Nothing that you've included in your post (unless I glanced over it) shows that your cable modem or your PA-820 would have any idea how to route that 192.168.0.1 address however.
What's likely happening because of this is that your PA-850 is following your default route to the cable modem, and your cable modem not having a route sends that out it's default gateway off to Charter. Therefore nothing you're doing from a policy standpoint really matters here, your PA-850 isn't routing the traffic properly.

Re: No DNS, cannot ping anything above gateway

Altais — Fri, 09 Feb 2024 20:51:28 GMT

Thanks guys! I think BPry is probably the closest one to the solution, since I can see packets coming in and packets going out, but they're all aging out. What I'm still unclear on, is if software/definition updates can only come in through the management interface, or any interface linked to an appropriate management profile?

Re: No DNS, cannot ping anything above gateway

BPry — Fri, 09 Feb 2024 20:56:30 GMT

@Altais,

Take a look at service routes HERE if you want to utilize a dataplane interface instead of the management interface. You don't need to utilize the management interface if you don't want to. You can utilize interface management profiles and service routes if you just want to disconnect your MGMT port completely.
Just keep in mind that if you're going to utilize an interface-management-profile and enable management from a dataplane interface, you want to ensure it's properly secured either by security policy or better through permitted-ip assigned to the profile.