topic Re: Issue with my Palo Alto Lab in General Topics

Issue with my Palo Alto Lab

akhalighi — Fri, 26 Feb 2016 05:36:40 GMT

Hello folks

I have a strange issue in my lab , here is the scenario :

VM-100 on ESXi
PAN OS 7.0.5
Inside interface connected to internal zone (10.0.1.0/24 network)
outside interface connected to my home firewall ( 192.168.1.0/24 network)

Interfaces have IPs on the same range as their zones : 10.0.1.10 inside interface , 192.168.1.10 outside.
Modem IP is 192.168.1.1

- Lab workstations can ping inside interface successfully
- Firewall DNS is working , able to download URL filtering database , able to resolve DNS via outside interface
- Created a universal policy to allow any->any for now .
- both interfaces are using the same virtual router that has a static route to 0.0.0.0/0 for next hop 192.168.1.1(modem)
- Firewall is fully licensed .

Issue : Inside workstations unable to browse internet .

- Tried connecting both interfaces to default router - same

- Traffic log shows that DNS request is coming from internal host and it is allowed but it ends with "aged out" error . seems like there is no response . capture shows that request hits the inside interface but not going further .

- these are directly connected to interface so routing doesn't seem tobe the issue here .

any help would be appreciated.

Thanks

Re: Issue with my Palo Alto Lab

bmorris1 — Fri, 26 Feb 2016 09:15:38 GMT

Hi,

Do you have a DNS proxy configured?

If you do then check this article, it shows that if the firewall recieves a suspicious query then the DNS session from the the firewall to the DNS server will be set into a discard state.

https://live.paloaltonetworks.com/t5/Management-Articles/Blocking-Suspicious-DNS-Queries-with-DNS-Proxy-Enabled/ta-p/66037

hope this helps,

Ben

Re: Issue with my Palo Alto Lab

pulukas — Fri, 26 Feb 2016 11:34:04 GMT

Do you have a NAT rule from the inside zone to NAT on the outside interface?

Without one you 10 address would probably not get NAT for the trip tothe DNS server on the internet. Or internet access for the sites that resolve.

Re: Issue with my Palo Alto Lab

OtakarKlier — Fri, 26 Feb 2016 14:41:08 GMT

Hello,

Also check your routing from the 'outside' of the PAN to the modem and internet and vice versa.

Regards,

Re: Issue with my Palo Alto Lab

Lucky — Fri, 26 Feb 2016 17:33:25 GMT

Hi,

as pulukas pointed out - sounds like NAT issue in the virtual firewall, if allow-all is only policy you have. Simple -if you can reach public internet from firewall (download URL updateS) but can't reach anything from behind firewall, and only security policy is allow-all - than it's NAT.

On a further note - I have a fairly complex setup of ESXi with plenty of vlans and stuff running through my PA-200 at home; I am not sure I understood your layout completely - can you elaborate a bit? I am lost at what firewall connects to:

VM guests (10.0.1.x/24) -----> trust of VM_FW(10.0.1.10) -- Untrust of VM_FW(192.168.1.10) -------> Modem or firewall at 192.168.1.0?

Do you have trunk on ESXi or you are assigning interfaces to firewall, are your hosts behind firewall virtual machines (vm guests) or they are real devices in your home network? In any case, you are doing nat twice for those hosts behind VM_FW - do you have physical firewall box as well, or you have some of those modems with integrated security? I passed public IP onto my PA-200 and trunked ESXi server onto one port of FW, and am working with sub-interfaces for VMs inside of ESXi... prolly not helping you at all but anyways...

Best regards,

Luciano

Re: Issue with my Palo Alto Lab

akhalighi — Fri, 26 Feb 2016 21:10:12 GMT

Do I need a NAT really ? like from 10.0.1.0/24 network to 192.168.1.0/24 network ? I tried to create a NAT but I got rejected . it was saying there is an overlap of addresses . I did a source NAT .

Re: Issue with my Palo Alto Lab

akhalighi — Fri, 26 Feb 2016 21:11:05 GMT

no there is no DNS proxy . but DNS is on external network .

Re: Issue with my Palo Alto Lab

akhalighi — Fri, 26 Feb 2016 21:11:55 GMT

external interfface has Internet access , I confimred it by pinging outside machines and resovle public DNSs.

Re: Issue with my Palo Alto Lab

Lucky — Fri, 26 Feb 2016 22:27:32 GMT

Hi,

In order for hosts from 10.0.1.0/24 to access internet through their gateway 10.0.1.10 (trust zone IP) and further through 192.168.1.10 (untrust zone IP) you need to create NAT rule that will have tabs:

general: whatever the name of your nAT rule is 🙂

original packet: translate from TRUST zone, destination zone UNTRUST, interface any, service any, source address - your scope (10.0.1.0/24), destination address any;

translated packet: translation type: dynamic IP and port, address type: interface address, interface (ethernet - whatever is 192.168.1.10), ip address 192.168.1.10 (select from dropdown), leave "destination address translation" unchecked.

Voila, hosts from 10.0.1.0/24 should be able to access internet through TRUST and exit on UNTRUST, reverse translation for sessions is implied.

Try it and let us know if it helps.

Best regards,

Luciano

Re: Issue with my Palo Alto Lab

akhalighi — Sat, 27 Feb 2016 19:18:27 GMT

It's working ! I had a NAT in-place but it was wrong . I fixed it and it worked.