<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Need some guidance on the VM series implementation in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/need-some-guidance-on-the-vm-series-implementation/m-p/345683#M86372</link>
    <description>&lt;P&gt;Hi there,&lt;/P&gt;&lt;P&gt;I have inherited the current network and need some help in replacing the firewall like for like. We have an MPLS network connecting all our offices and an external firewall managed by the ISP. Traffic from all sites goes out via the external firewall. I am replacing an old ASA with the PA-VM Series firewall as an internal firewall in one of our offices and experiencing issues with return traffic. Our core switch does routing for some of the VLANs (subinterfaces on the core switch) and the ASA does routing for some of the VLANs (subinterfaces for the DMZ, guest and contractors VLANs).&lt;/P&gt;&lt;P&gt;We have multiple ESX hosts and I am installing 2 PA instances on 2 different hosts in an Active/Passive setup. I have set up the PAs and added port groups on the ESX hosts and subinterfaces in the PA as explained in the diagram. I have a default route on the core switch to send all traffic to subinterface Eth1/2.11, as I want all traffic to go out via the PA. On the PA, I have a default route to Eth1/3 and also a static route to the internal VLANs (to make the PA aware of the rest of the VLANs). This is still in testing mode and I would eventually enable RIP on the PA as the core switch runs RIP.&lt;/P&gt;&lt;P&gt;I also have a NO NAT policy because it's an internal firewall and a security policy to allow outbound traffic.&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Issue&lt;/STRONG&gt;: I can see traffic going out the untrust interface but the firewall is dropping the return traffic. Packet capture shows that the return traffic ends up on the trust interface Eth1/2.11 and hence the packets are being dropped.&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Network.png" style="width: 999px;"&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/27520i57F20C27005FB33B/image-size/large/is-moderation-mode/true?v=v2&amp;amp;px=999" role="button" title="Network.png" alt="Network.png" /&gt;&lt;/span&gt;&lt;/P&gt;</description>
    <pubDate>Thu, 27 Aug 2020 07:35:18 GMT</pubDate>
    <dc:creator>nitz-sw</dc:creator>
    <dc:date>2020-08-27T07:35:18Z</dc:date>
    <item>
      <title>Need some guidance on the VM series implementation</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/need-some-guidance-on-the-vm-series-implementation/m-p/345683#M86372</link>
      <description>&lt;P&gt;Hi there,&lt;/P&gt;&lt;P&gt;I have inherited the current network and need some help in replacing the firewall like for like. We have an MPLS network connecting all our offices and an external firewall managed by the ISP. Traffic from all sites goes out via the external firewall. I am replacing an old ASA with the PA-VM Series firewall as an internal firewall in one of our offices and experiencing issues with return traffic. Our core switch does routing for some of the VLANs (subinterfaces on the core switch) and the ASA does routing for some of the VLANs (subinterfaces for the DMZ, guest and contractors VLANs).&lt;/P&gt;&lt;P&gt;We have multiple ESX hosts and I am installing 2 PA instances on 2 different hosts in an Active/Passive setup. I have set up the PAs and added port groups on the ESX hosts and subinterfaces in the PA as explained in the diagram. I have a default route on the core switch to send all traffic to subinterface Eth1/2.11, as I want all traffic to go out via the PA. On the PA, I have a default route to Eth1/3 and also a static route to the internal VLANs (to make the PA aware of the rest of the VLANs). This is still in testing mode and I would eventually enable RIP on the PA as the core switch runs RIP.&lt;/P&gt;&lt;P&gt;I also have a NO NAT policy because it's an internal firewall and a security policy to allow outbound traffic.&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Issue&lt;/STRONG&gt;: I can see traffic going out the untrust interface but the firewall is dropping the return traffic. Packet capture shows that the return traffic ends up on the trust interface Eth1/2.11 and hence the packets are being dropped.&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Network.png" style="width: 999px;"&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/27520i57F20C27005FB33B/image-size/large/is-moderation-mode/true?v=v2&amp;amp;px=999" role="button" title="Network.png" alt="Network.png" /&gt;&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 27 Aug 2020 07:35:18 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/need-some-guidance-on-the-vm-series-implementation/m-p/345683#M86372</guid>
      <dc:creator>nitz-sw</dc:creator>
      <dc:date>2020-08-27T07:35:18Z</dc:date>
    </item>
    <item>
      <title>Re: Need some guidance on the VM series implementation</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/need-some-guidance-on-the-vm-series-implementation/m-p/345741#M86380</link>
      <description>&lt;P&gt;Does your core switch have layer 3 interfaces for VLAN3 and VLAN11? And were the packet captures for source or destination in VLAN11?&lt;/P&gt;</description>
      <pubDate>Thu, 27 Aug 2020 17:27:16 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/need-some-guidance-on-the-vm-series-implementation/m-p/345741#M86380</guid>
      <dc:creator>DelvinC</dc:creator>
      <dc:date>2020-08-27T17:27:16Z</dc:date>
    </item>
    <item>
      <title>Re: Need some guidance on the VM series implementation</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/need-some-guidance-on-the-vm-series-implementation/m-p/345761#M86384</link>
      <description>&lt;P&gt;Yes, the core switch has layer 3 interfaces for VLAN3 and VLAN 11 as shown in the diagram. The packet captures were done with the source IP of 192.168.20.10 from a VM on VLAN 20, which has its gateway on another subinterface (192.168.20.1) on the firewall. Diagram updated. (VLAN 20 does not have a layer 3 interface on the core.)&lt;/P&gt;&lt;P&gt;The capture shows packet flow from the VM to its gateway 192.168.20.1 (Trust), out to Untrust and the gateway (192.168.3.1).&lt;/P&gt;&lt;P&gt;Return traffic from 192.168.3.1 hits the core switch and goes back via the trusted interface 192.168.11.1 (VLAN 11) following the default route, and is being dropped by the firewall.&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Network updated.png" style="width: 999px;"&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/27528i8EC690D75507A814/image-size/large/is-moderation-mode/true?v=v2&amp;amp;px=999" role="button" title="Network updated.png" alt="Network updated.png" /&gt;&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 27 Aug 2020 21:24:13 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/need-some-guidance-on-the-vm-series-implementation/m-p/345761#M86384</guid>
      <dc:creator>nitz-sw</dc:creator>
      <dc:date>2020-08-27T21:24:13Z</dc:date>
    </item>
    <item>
      <title>Re: Need some guidance on the VM series implementation</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/need-some-guidance-on-the-vm-series-implementation/m-p/345908#M86417</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;
&lt;P&gt;Check the traffic logs, as you may have missed a policy.&lt;/P&gt;
&lt;P&gt;Regards,&lt;/P&gt;</description>
      <pubDate>Fri, 28 Aug 2020 21:08:16 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/need-some-guidance-on-the-vm-series-implementation/m-p/345908#M86417</guid>
      <dc:creator>OtakarKlier</dc:creator>
      <dc:date>2020-08-28T21:08:16Z</dc:date>
    </item>
    <item>
      <title>Re: Need some guidance on the VM series implementation</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/need-some-guidance-on-the-vm-series-implementation/m-p/345913#M86420</link>
      <description>&lt;P&gt;Sounds like there is some asymmetric routing in the environment.&lt;/P&gt;&lt;P&gt;Are there any routes (static or dynamic) on the core switch to 192.168.20.0/24, or perhaps a summary route?&lt;/P&gt;&lt;P&gt;A traceroute from 192.168.20.10 and another traceroute from the destination should help identify any asymmetric routing paths in the environment.&lt;/P&gt;</description>
      <pubDate>Fri, 28 Aug 2020 21:20:25 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/need-some-guidance-on-the-vm-series-implementation/m-p/345913#M86420</guid>
      <dc:creator>DelvinC</dc:creator>
      <dc:date>2020-08-28T21:20:25Z</dc:date>
    </item>
  </channel>
</rss>