Interzone Static Routing

Reply
L1 Bithead

Interzone Static Routing

Hi all, I'll preface this as I'm the sole networking guy at my job and I'm still green. Apologies for any dumb questions, I've tried to read the manual for relevant info and used my google-fu to no avail.

 

I'm using a PA-3020 on firmware 8.0.6.

 

I've been asked to integrate a new Cisco ASA for a financial system that allows a tunnel between my site, and their servers to load the webpage client for the software.

 

I've setup a DMZ for the ASA, and confirmed with the other party that their tunnel is up and able to communicate. So no issues on the DMZ side.

 

I was told to institute static routes to allow hosts to traverse via the ASA over the tunnel. The ASA has two interfaces configured, one for WAN, which is in our DMZ on the IP 10.10.254.1.

 

The other ASA interface is meant for our internal LAN, and the interface is configured for 10.10.3.253.

 

I'm not 100% sure but I have a feeling my static route is not functioning as intended. Setting a route via windows to the ASA's internal interface (10.10.3.253) will allow me to traverse the tunnel to the needed webpage. Similarly, using another L3 device (velocloud) with static routes set to the ASA's internal IP (10.10.3.253) also allows me traverse the tunnel to the web page.

 

Looking at the CLI, I confirmed the routing table and tested the route and it seems to forward it to ASA's LAN interface at 10.10.3.253. I've checked my firewall security policies, and explicitly allowed traffic on my 10.10.3.0/24 segment to and from the ASA's interface at 10.10.3.253. Is there anything I've missed, or misconfigured?

 

A tracert via windows reveals the following: 

 

C:\Users\sferguson>tracert -d 208.64.237.43                                                                                                                                                                                                     Tracing route to 208.64.237.43 over a maximum of 30 hops                                                                                                                                                                                          1    <1 ms    <1 ms    <1 ms  10.10.3.111                                                                               2    22 ms    22 ms    23 ms  208.*.237.43

 

Which is indicitivate to me for traversal over a tunnel

My tests:

 

 

*@PA-3020> show routing fib

--------------------------------------------------------------------------------
virtual-router name: Primary VR
interfaces:
   ethernet1/3 ethernet1/4 ethernet1/5 ethernet1/12
   tunnel tunnel.99 tunnel.100 tunnel.101


route table:
flags: u - up, h - host, g - gateway, e - ecmp, * - preferred path


id      destination           nexthop            flags  interface          mtu
--------------------------------------------------------------------------------
91      0.0.0.0/0             72.*.182.1         ug     ethernet1/3        1500
7       10.10.1.0/24          0.0.0.0            u      tunnel.99          1500
71      10.10.2.0/24          0.0.0.0            u      tunnel.101         1500
30      10.10.3.0/24          0.0.0.0            u      ethernet1/4        1500
29      10.10.3.111/32        0.0.0.0            uh     ethernet1/4        1500
135     10.10.254.0/24        0.0.0.0            u      ethernet1/5        1500
134     10.10.254.254/32      0.0.0.0            uh     ethernet1/5        1500
12      10.99.99.0/24         10.99.99.0         ug     tunnel             1500
76      40.*.92.104/29        0.0.0.0            u      ethernet1/12       1500
75      40.*.92.106/32        0.0.0.0            uh     ethernet1/12       1500
88      72.*.182.0/29         0.0.0.0            u      ethernet1/3        1500
87      72.*.182.2/32         0.0.0.0            uh     ethernet1/3        1500
147     207.*.128.0/21        10.10.3.253        ug     ethernet1/4        1500
148     207.*.139.0/25        10.10.3.253        ug     ethernet1/4        1500
149     208.*.237.43/32       10.10.3.253        ug     ethernet1/4        1500
150     208.*.237.44/32       10.10.3.253        ug     ethernet1/4        1500
--------------------------------------------------------------------------------


*@PA-3020> show routing route

flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp,
       Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2, E:ecmp, M:multicast


VIRTUAL ROUTER: Primary VR (id 1)
  ==========
destination                                 nexthop                                 metric flags      age   interface          next-AS
0.0.0.0/0                                   40.*.92.105                             200      S              ethernet1/12
0.0.0.0/0                                   72.*.182.1                              10     A S              ethernet1/3
10.10.1.0/24                                0.0.0.0                                 10     A S              tunnel.99
10.10.2.0/24                                0.0.0.0                                 10     A S              tunnel.101
10.10.3.0/24                                10.10.3.111                             0      A C              ethernet1/4
10.10.3.111/32                              0.0.0.0                                 0      A H
10.10.254.0/24                              10.10.254.254                           0      A C              ethernet1/5
10.10.254.254/32                            0.0.0.0                                 0      A H
10.99.99.0/24                               10.99.99.0                              10     A S              tunnel
40.*.92.104/29                              40.*.92.106                             0      A C              ethernet1/12
40.*.92.106/32                              0.0.0.0                                 0      A H
72.*.182.0/29                               72.*.182.2                              0      A C              ethernet1/3
72.*.182.2/32                               0.0.0.0                                 0      A H
207.2*.128.0/21                             10.10.3.253                             1      A S              ethernet1/4
207.2*.139.0/25                             10.10.3.253                             1      A S              ethernet1/4
208.*.237.43/32                             10.10.3.253                             1      A S              ethernet1/4
208.*.237.44/32                             10.10.3.253                             1      A S              ethernet1/4
total routes shown: 17

*@PA-3020> test routing fib-lookup virtual-router "Primary VR" ip 208.*.237.44

--------------------------------------------------------------------------------
runtime route lookup
--------------------------------------------------------------------------------
virtual-router:   Primary VR
destination:      208.*.237.44
result:
  via 10.10.3.253 interface ethernet1/4, source 10.10.3.111, metric 1
--------------------------------------------------------------------------------

*@PA-3020> test security-policy-match from "LAN Zone" to "LAN Zone" source 10.10.3.24 destination 10.10.3.253 destination-port 443 application web-browsing protocol 6

"*-1; index: 14" {
        from "LAN Zone";
        source any;
        source-region none;
        to "LAN Zone";
        destination 10.10.3.253;
        destination-region none;
        user any;
        category any;
        application/service  any/any/any/any;
        action allow;
        icmp-unreachable: no
        terminal yes;
}

 

 

Diagram for reference: https://imgur.com/a/dsXoBKJ


Accepted Solutions
L7 Applicator

There will likely be a conflict on the internal network as to where packets need to be routed. Hosts may receive packets from the asa, but will use their default gateway to reply, causing a loop which the firewall won't like

This could be solved by having the ASA source NAT all outgoing packets behind it's internal IP

 

 

Some more details might help as it's not entirely clear what the intention of this setup is, with the ASA having one leg on the internal network

 

I think, if I understand your setup correctly,  your design may fare better if you add the asa external interface on the outside ISP link, and connect the internal interface to the dmz interface on the Palo

 

Tom Piens - PANgurus.com
Like my answer? check out my book! amazon.com/dp/1789956374

View solution in original post


All Replies
Cyber Elite

Good Day

 

I am re-reading your message about 5x now and it is not really clear what the issue is.

Perhaps you could explain.

 

I understand you did a tracert from a Windows machine:

 

C:\Users\sferguson>tracert -d 208.64.237.43                                                                                                                                                                                                     Tracing route to 208.64.237.43 over a maximum of 30 hops                                                                                                                                                                                          1    <1 ms    <1 ms    <1 ms  10.10.3.111                                                                               2    22 ms    22 ms    23 ms  208.64.237.43

 

So what was the default gateway on this windows machine... 10.10.3.111 or 10.10.10.253?

What was the IP of the Windows computer?

Did you do your test from the LAN zone?

 

After this, I am just looking at what appears to be OK routing table entries.

 

Can you describe how the traffic is supposed to flow, stating what the Src IP is supposed to be, and how the traffic is supposed to route, hitting interface, using what IP, etc.

 

I think your issue is simple to resolve, but right now, I cannot understand what is broken.

 

 

Help the community: Like helpful comments and mark solutions
L7 Applicator

There will likely be a conflict on the internal network as to where packets need to be routed. Hosts may receive packets from the asa, but will use their default gateway to reply, causing a loop which the firewall won't like

This could be solved by having the ASA source NAT all outgoing packets behind it's internal IP

 

 

Some more details might help as it's not entirely clear what the intention of this setup is, with the ASA having one leg on the internal network

 

I think, if I understand your setup correctly,  your design may fare better if you add the asa external interface on the outside ISP link, and connect the internal interface to the dmz interface on the Palo

 

Tom Piens - PANgurus.com
Like my answer? check out my book! amazon.com/dp/1789956374

View solution in original post

L1 Bithead

I believe you're correct on the loop with the ASA, and it makes sense when you explain it like that.

To make thing as simple as possible, I've set the ASA up on it's own subnet, and the Palo will simply handle all routing between the subnet.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!