https://live.paloaltonetworks.com/t5/general-topics/dns-rewrite-matching-wrong-nat-rule/m-p/292765#M77442 <P>Think this needs a case.&nbsp; Open to any suggested workarounds.</P><P>&nbsp;</P><P>Connecting two overlapping networks with NAT.&nbsp; (why? we have to)</P><P>192.168.1.0&nbsp; (zone1) --&nbsp; PA --&nbsp; (zone2)&nbsp; 192.168.1.0</P><P>policy routing in place, come in zone1 interface go out zone2 and vice versa</P><P>Doing network nats at a /24 in this example</P><P>&nbsp;</P><P>If I do two rules, natting the overlapping network to the same - ie symmetrical nat -&nbsp; DNS rewrite works:&nbsp;</P><P>src: 192.168.1.0/24 to 10.1.1.0 (zone2) - dest: 10.1.1.0/24 to 192.168.1.0/24 DNS rewrite - reverse</P><P>src: 192.168.1.0/24 to 10.1.1.0 (zone1) - dest: 10.1.1.0/24 to 192.168.1.0/24 DNS rewrite - reverse</P><P>both networks will 10.1.1.0 towards the firewall - firewall has policy routes.</P><P>All is good, dns requests get fixed up in either direction correctly.</P><P>traffic passes correctly</P><P>&nbsp;</P><P>If I nat to a different network in each direction, then only the first hit matches, its as if the DNS rewrite is matching on first ip address match only and ignoring the zone.&nbsp; &nbsp;This fails to match on direction, and returns the wrong DNS rewrite entry for the second rule</P><P>src: 192.168.1.0/24 to 10.1.1.0 (zone2) - dest: 10.1.2.0/24 to 192.168.1.0/24 DNS rewrite - reverse</P><P>src: 192.168.1.0/24 to 10.1.2.0 (zone1) - dest: 10.1.1.0/24 to 192.168.1.0/24 DNS rewrite - reverse</P><P>zone1 network has a 10.1.1.0/24 route towards firewall</P><P>zone2 network has a 10.1.2.0/24 route towards the firewall</P><P>firewall runs policy routing</P><P>&nbsp;</P><P>in this example, a server in Zone1 does a DNS request to a NS in Zone2, the response is correctly rewritten to 10.1.1.x</P><P>But in the other direction, the DNS answer should be 10.1.2.x but its getting matched on the NAT rule in the wrong direction</P><P>&nbsp;</P><P>If I flip the order of the rules, the problem is that only the first destination nat is matching dns rewrite even though direction is wrong</P><P>&nbsp;</P><P>Anyone else have this issue or know of a workaround - or why dns rewrite is not matching with zone context?</P> Mon, 14 Oct 2019 02:09:22 GMT william.dolbow 2019-10-14T02:09:22Z https://live.paloaltonetworks.com/t5/general-topics/dns-rewrite-matching-wrong-nat-rule/m-p/292765#M77442 <P>Think this needs a case.&nbsp; Open to any suggested workarounds.</P><P>&nbsp;</P><P>Connecting two overlapping networks with NAT.&nbsp; (why? we have to)</P><P>192.168.1.0&nbsp; (zone1) --&nbsp; PA --&nbsp; (zone2)&nbsp; 192.168.1.0</P><P>policy routing in place, come in zone1 interface go out zone2 and vice versa</P><P>Doing network nats at a /24 in this example</P><P>&nbsp;</P><P>If I do two rules, natting the overlapping network to the same - ie symmetrical nat -&nbsp; DNS rewrite works:&nbsp;</P><P>src: 192.168.1.0/24 to 10.1.1.0 (zone2) - dest: 10.1.1.0/24 to 192.168.1.0/24 DNS rewrite - reverse</P><P>src: 192.168.1.0/24 to 10.1.1.0 (zone1) - dest: 10.1.1.0/24 to 192.168.1.0/24 DNS rewrite - reverse</P><P>both networks will 10.1.1.0 towards the firewall - firewall has policy routes.</P><P>All is good, dns requests get fixed up in either direction correctly.</P><P>traffic passes correctly</P><P>&nbsp;</P><P>If I nat to a different network in each direction, then only the first hit matches, its as if the DNS rewrite is matching on first ip address match only and ignoring the zone.&nbsp; &nbsp;This fails to match on direction, and returns the wrong DNS rewrite entry for the second rule</P><P>src: 192.168.1.0/24 to 10.1.1.0 (zone2) - dest: 10.1.2.0/24 to 192.168.1.0/24 DNS rewrite - reverse</P><P>src: 192.168.1.0/24 to 10.1.2.0 (zone1) - dest: 10.1.1.0/24 to 192.168.1.0/24 DNS rewrite - reverse</P><P>zone1 network has a 10.1.1.0/24 route towards firewall</P><P>zone2 network has a 10.1.2.0/24 route towards the firewall</P><P>firewall runs policy routing</P><P>&nbsp;</P><P>in this example, a server in Zone1 does a DNS request to a NS in Zone2, the response is correctly rewritten to 10.1.1.x</P><P>But in the other direction, the DNS answer should be 10.1.2.x but its getting matched on the NAT rule in the wrong direction</P><P>&nbsp;</P><P>If I flip the order of the rules, the problem is that only the first destination nat is matching dns rewrite even though direction is wrong</P><P>&nbsp;</P><P>Anyone else have this issue or know of a workaround - or why dns rewrite is not matching with zone context?</P> Mon, 14 Oct 2019 02:09:22 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-rewrite-matching-wrong-nat-rule/m-p/292765#M77442 william.dolbow 2019-10-14T02:09:22Z https://live.paloaltonetworks.com/t5/general-topics/dns-rewrite-matching-wrong-nat-rule/m-p/292772#M77443 <P>We are running 9.0.4</P><P>And</P><P>In the second scenario where the DNS rewrite does not work, the traffic passes fine.&nbsp; It just that the NAT rules are smart enough to have zone context and it appears the DNS rewrite does not.</P><P>&nbsp;</P> Mon, 14 Oct 2019 02:30:47 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-rewrite-matching-wrong-nat-rule/m-p/292772#M77443 william.dolbow 2019-10-14T02:30:47Z