topic Re: Getting to internal servers in General Topics

Getting to internal servers

SNikolaidis — Thu, 29 Jun 2017 19:07:46 GMT

Hello all,

I have a Guest/BYOD Wireless Zone that can get out to the internet just fine. The internet & internal network can get to my webservers just fine. The problem im having is that my Wireless zone can not get an internallyu hosted website from the public IP of my webserver. I do not want any kind of connection or link of the wireless and internal zones (ie be on guest wireless and be able to access anything on the internal network). Any help would be appreciated!

Re: Getting to internal servers

BPry — Thu, 29 Jun 2017 19:14:42 GMT

@SNikolaidis,

IS the public IP of your webserver the same public IP that is getting NATd for to your Guest/BYOD wireless zone users?

Re: Getting to internal servers

acc6d0b3610eec313831f7900fdbd235 — Thu, 29 Jun 2017 19:20:56 GMT

Hi @SNikolaidis

If my understanding is correct, you have the users in the Wireless network, that need to go out to the Internet to hit your Webserver public IP address and come back in to access the actual DMZ server.

If this is the case, we are talking about a uTurn-NAT situation, and it needs to be explicitly configured in the NAT and security policies.

Take a look at this article and let me know if this is your exact scenario.

https://live.paloaltonetworks.com/t5/Learning-Articles/DotW-U-Turn-NAT-Issue/ta-p/53115

Re: Getting to internal servers

SNikolaidis — Thu, 29 Jun 2017 19:21:44 GMT

@BPry

The outward internet interface is x.x.x.70 the public ip of the server is x.x.x.10 all on the same class c if that's what you are asking

Re: Getting to internal servers

acc6d0b3610eec313831f7900fdbd235 — Thu, 29 Jun 2017 19:36:15 GMT

I think this link video will help you.

https://youtu.be/Bdbn1pbe74o

If I try to explain here it will not be very interactive 🙂

Re: Getting to internal servers

BPry — Thu, 29 Jun 2017 19:58:23 GMT

@SNikolaidis,

I actually thought that you were trying to access the public IP of your web server while the NAT policy had all traffic from this zone sharing that same IP.

I suspect that @acc6d0b3610eec313831f7900fdbd235 is correct and you simply need to configure the U-turn correctly to get this to function.

Re: Getting to internal servers

SNikolaidis — Thu, 29 Jun 2017 20:23:43 GMT

Thank you I will try it as soon as I get home, Does it make a differance if the server is not in a DMZ?

Re: Getting to internal servers

BPry — Thu, 29 Jun 2017 21:03:33 GMT

That would depend on knowing a little bit more about your routing statements, but in the vast majority of circumstances you would still need a U-Turn.

Re: Getting to internal servers

SNikolaidis — Thu, 29 Jun 2017 22:03:09 GMT

@BPry @acc6d0b3610eec313831f7900fdbd235

The U-Turn works for my internal network, the problem with the wireless network is it is independant, it only shares the internet interface Eth1/1 and the virtual router with the rest of the network, NAT & Policy & DHCP & DNS Proxy take it straight out to the internet and has filtering and security applied to the Security Policy. It seems to me I need a way to differentiate destination of internet traffic and send the desination 10.66.6.1/16 to that Eth1/8 interface were the 10.66.6.1/16 network resides

Re: Getting to internal servers

BPry — Thu, 29 Jun 2017 22:33:27 GMT

@SNikolaidis,

You could utilize PBF for that pretty easily but you shouldn't really have to. I feel like if you shared a network diagram along with your NAT policies and routing table we could likely get this straightened out without resorting to PBF.

Re: Getting to internal servers

SNikolaidis — Thu, 29 Jun 2017 23:24:51 GMT

@BPry

Re: Getting to internal servers

SNikolaidis — Thu, 29 Jun 2017 23:35:01 GMT

@BPry

But on the firewall is where DHCP, DNS Proxy (8.8.8.8) exist for the gateway 10.66.6.1 . The vlan 666 is completely cut off from anything other than the internet that which 10.66.6.1 gets through Security & NAT Policy to the ETH1/1 x.x.x.70/24 .

We want to keep this wireless network completely isolated from everything other than the internet. That being said, type our domain name into chrome and it just times out. Internally and Publicly everything loads just fine.

Re: Getting to internal servers

BPry — Fri, 30 Jun 2017 13:37:09 GMT

@SNikolaidis,

With how you describe it I would expect to actually see the traffic hitting the firewall as it comes back from your cable modem or at least see it trying to hit the untrust zone on your firewall. Have you enabled logging on the default interzone rule and checked the logs to see if you aren't simply blocking the traffic from reaching the server? If you can hit it with intrazone perfectly in your testig I would expect that you simply need to create a security policy to allow the zone tied to vlan 666 to access that web server.

Re: Getting to internal servers

SNikolaidis — Mon, 03 Jul 2017 14:52:31 GMT

@BPry

Have it working, had to set up another interface to an outside address on eth1/7 and set up a new virtual router that has my wireless network eth1/8 and 1/7 in it with a static route to the internet. May not be the best solution or best practice, but it works.

Re: Getting to internal servers

BPry — Mon, 03 Jul 2017 14:54:34 GMT

@SNikolaidis,

Actually that may be the best solution for actually making sure that it won't have any chance to get into your production network.