topic Re: reconfigure DNS and PAN3020 firewall in General Topics

reconfigure DNS and PAN3020 firewall

EDSAadmin — Tue, 30 Sep 2014 21:33:47 GMT

Currently i two AD dns zones in on my DNS server (windows):

mycompanydom.com - internal domain

mycompanyplan.com - external domain where all our internet webservers and web applications live.

my A records in mycompanyplan.com point to internal non routable IPaddress for each internal server so the traffic does not go out the firewall and back in. We also have 3 IPSEC VPN tunnels where the dns zone information is replicated to. My problem that i run into is if a tunnel goes down then my users in those sites cannot get to the services they need because their dns query is resolving to a non routable internal IP and trying to go down the tunnel vs resolving to the external IP.

I would like to remove that zone completely from my DNS infrastructure and that way all dns queries to mycompanyplan.com resolve to the external IP's instead. My 3 satellite offices would route out their firewall to the external IP vs currently routing down the vpn tunnels. Is there a way to configure the PAN3020's in my HQ where all of my inbound web services reside to see the traffic and have it loop back without having to go out the external interfaces only to come back in? Not sure if i am making sense while writing this, so if you need clarification please let me know.

Maybe a another way to say this is, if a company has inbound web servers how is everyone setting up DNS and routing traffic when those web servers are in the same office but have need to be accessible externally? Is there a way to prevent that traffic from leaving the firewall only to come back in?

Re: reconfigure DNS and PAN3020 firewall

jperry1 — Tue, 30 Sep 2014 21:36:31 GMT

EDSAadmin

Sounds like you need to configure a U-Turn NAT Policy. You can access internal resources via a public IP address or public pointing A record. By using this link you will access the same A record that you would from the external and you will have access to the services. Use this link below and I have attached screenshots as well.

How to Configure U-Turn NAT

U-TURN NAT POLICY

SECURITY POLICY:

your security policy will vary based on your needs

Re: reconfigure DNS and PAN3020 firewall

hshah — Tue, 30 Sep 2014 22:30:14 GMT

Hello EDS admin,

Based on description U-Turn NAT will help in this scenario. But still few information is unclear.

How to Configure U-Turn NAT

Following Two Sentences are contradictory: Please clarify.

mycompanyplan.com - external domain where all our internet webservers and web applications live.

my A records in mycompanyplan.com point to internal non routable IPaddress for each internal server so the traffic does not go out the firewall and back in

Regards,

Hardik Shah

Re: reconfigure DNS and PAN3020 firewall

hshah — Tue, 30 Sep 2014 22:33:17 GMT

Hi EDSAdmin,

You can use public IP address across the tunnel. If traffic flows through Tunnel than NAT it to Private IP address.

If tunnel is down and its going through regular internet link than also server will be accessible through public IP.

Regards,

Hardik Shah

Re: reconfigure DNS and PAN3020 firewall

mmmccorkle — Tue, 30 Sep 2014 22:37:39 GMT

Indeed, we will need a U-Turn NAT configuration here.

In addition to the NAT documents provided above, here is a good illustration of how the Palo Alto appliance handles NAT and why the U-Turn NAT rules will have to be configured in a specific way that may not make sense at first.

Re: reconfigure DNS and PAN3020 firewall

mmmccorkle — Tue, 30 Sep 2014 22:40:50 GMT

In addition to my above NAT examples, here is our example of how to configure the U-Turn NAT.

Please let us know if you have any questions.

Re: reconfigure DNS and PAN3020 firewall

Retired Member — Wed, 01 Oct 2014 06:13:34 GMT

https://live.paloaltonetworks.com/servlet/JiveServlet/downloadBody/1517-102-7-11647/Understanding_NAT-4.1-RevC.pdf

Will help you

Re: reconfigure DNS and PAN3020 firewall

EDSAadmin — Thu, 02 Oct 2014 03:40:44 GMT

in the two sentences that you mentioned to clarify.

the a records i am referring to that point to non routable IP addresses, what i meant was the A records in my windows DNS server. i have zone there that is called mycompanyplan.com. in that zone all of my webservers A records have internal non routable ips for each webserver so they do not go out the firewall. what i want to do is delete that zone and only have my A records that are configured on network solutions and then as you guys have pointed out setup a u-turn rules.

Will i need a NAT and security rule for each web server, or can i do like jperry posted which from the way i am reading it allows one run to cover all my servers.

Re: reconfigure DNS and PAN3020 firewall

EDSAadmin — Thu, 02 Oct 2014 03:43:31 GMT

hshah wrote:

Hi EDSAdmin,

You can use public IP address across the tunnel. If traffic flows through Tunnel than NAT it to Private IP address.

If tunnel is down and its going through regular internet link than also server will be accessible through public IP.

Regards,
Hardik Shah

how would i set this up? would this be instead of the u-turn or in addition to adding the u-turn? what is the best practice/preferred method?

Re: reconfigure DNS and PAN3020 firewall

jperry1 — Thu, 02 Oct 2014 05:45:38 GMT

EDSAadmin

Yes you will need a Uturn NAT and security rule for each server to allow this to one. Because with out the U-Turn NAT rule you will not be able to route to the A record on the Public IP address and without the Security Policy you will not be able to allow traffic to your server. If you already have a security policy for your server then you don't need an additional security policy. Let me know if you have further questions

Also are you using Exchange Outlook anywhere? Is your internal domain name the same as you external domain name? If so that could be interesting and U-turn NAT may be the best solution but let me know the details. If you are using Exchange 2010 I have deployed that in multiple scenarios as well is 2007 and below. Let me know when you can.

Re: reconfigure DNS and PAN3020 firewall

hshah — Thu, 02 Oct 2014 13:59:04 GMT

Hello EDS Admin,

Following is easiest implementation for IPsec hosts. BELIEVE ME. THINK OVER THIS.

Hi EDSAdmin,

You can use public IP address across the tunnel. If traffic flows through Tunnel than NAT it to Private IP address.

If tunnel is down and its going through regular internet link than also server will be accessible through public IP.

Regards,

Hardik Shah