Issue passing traffic thru PA 500


Hello, I'm not very proficient in configuring PA and have been trying for 3 weeks to do it. So now I figure I'll ask for help and learn something in the process. My network layout: I have a Cisco ASA that is pointed towards the internet and is doing NAT/PAT on the outside interface. The inside interface of the firewall is 10.1.1.1, which goes to my ASR1000 whose interface is 10.1.1.3. The inside interface of the ASR is 192.168.1.1, which connects to a stacked 3750G switch whose address is 192.168.1.221, which then has a 3548 PoE switch connected to the stack with Aruba APs hanging off that, and an Aruba Controller hanging off the 3750 stack.

In my attempt to add in the PA500, it is connected to the ASR off an interface whose address is 10.10.20.1/30 and connects to the PA500 with an IP of 10.10.20.2/30. On the Palo Alto I have created an aggregation group with two ports with LACP enabled, connected to the 3750G stack with a port channel. The AG is a layer 3 interface. The PA 500's management address is 192.168.1.224.

So what I'm looking to do is asymmetric, and to not change a lot. I wanted to leave the network's default route for PCs going to the 192.168.1.1 interface and have the router send the traffic out the ASA to the internet. What I want to do is send the return traffic from the internet to the PA500, then I'd like to send that over the AG link to the 3750G stack switch whose address is 192.168.1.221.

I know what changes I need to make on the ASR to send the traffic to the PA500; I listed them below. The changes take the traffic destined for the Aruba Controller and 3750 switch and send it to the PA500 at 10.10.20.2.

no ip route 192.168.1.0 255.255.255.0 192.168.1.221
ip route 192.168.1.0 255.255.255.0 10.10.20.2
no ip route 192.168.90.0 255.255.255.0 192.168.1.202
ip route 192.168.90.0 255.255.255.0 10.10.20.2
no ip route 192.168.91.0 255.255.255.0 192.168.1.202
ip route 192.168.91.0 255.255.255.0 10.10.20.2


My issue, I think, is with configuring the PA500 virtual router and the policies. I also think maybe I should use a layer 2 AG with just VLANs. So what I am going to do is put a copy of the PA500 config below and hopefully the good knowledgeable people here can help me resolve what I'm missing :-)

On the PA 500, I defined 3 VLANs (90, 91, 1). I created static routes in the virtual router to send traffic for the 3 subnets of the VLANs (which is to the AG1). I then created a policy so that traffic coming in from 10.10.20.2 (untrusted) is sent to the trusted layer 3 subinterfaces on the AG link.

config {
mgt-config {
users {
admin {
phash $1$aetgwbot$e79D5CCh8NJy0HOVGCFrP0;
permissions {
role-based {
superuser yes;
}
}
}
vgriffin {
permissions {
role-based {
superuser yes;
}
}
phash $1$acbaigvx$.ZGUIe2Ws8H/G1xpXJ5.V.;
}
PAN-test-user {
permissions {
role-based {
deviceadmin;
}
}
phash $1$ptxquhwr$prENdQI7VP1R5xG9/Qd9.1;
}
}
}
shared {
application;
application-group;
service;
service-group;
botnet {
configuration {
http {
dynamic-dns {
enabled yes;
threshold 5;
}
malware-sites {
enabled yes;
threshold 5;
}
recent-domains {
enabled yes;
threshold 5;
}
ip-domains {
enabled yes;
threshold 10;
}
executables-from-unknown-sites {
enabled yes;
threshold 5;
}
}
other-applications {
irc yes;
}
unknown-applications {
unknown-tcp {
sessions-per-hour 10;
destinations-per-hour 10;
session-length {
minimum-bytes 50;
maximum-bytes 100;
}
}
unknown-udp {
sessions-per-hour 10;
destinations-per-hour 10;
session-length {
minimum-bytes 50;
maximum-bytes 100;
}
}
}
}
report {
topn 100;
scheduled yes;
}
}
}
devices {
localhost.localdomain {
network {
interface {
ethernet {
ethernet1/1 {
virtual-wire {
lldp {
enable no;
}
}
}
ethernet1/2 {
link-speed auto;
link-duplex auto;
layer3 {
ipv6 {
neighbor-discovery {
router-advertisement {
enable no;
}
}
}
ndp-proxy {
enabled no;
}
lldp {
enable no;
}
ip {
INside;
}
}
}
ethernet1/7 {
aggregate-group ae1;
link-speed auto;
}
ethernet1/8 {
aggregate-group ae1;
link-speed auto;
link-duplex auto;
}
}
loopback {
units;
}
vlan {
units {
vlan.1 {
ipv6 {
neighbor-discovery {
router-advertisement {
enable no;
}
}
}
ndp-proxy {
enabled no;
}
adjust-tcp-mss {
enable no;
}
}
vlan.91 {
ipv6 {
neighbor-discovery {
router-advertisement {
enable no;
}
}
}
ndp-proxy {
enabled no;
}
adjust-tcp-mss {
enable no;
}
}
vlan.90 {
ipv6 {
neighbor-discovery {
router-advertisement {
enable no;
}
}
}
ndp-proxy {
enabled no;
}
adjust-tcp-mss {
enable no;
}
}
}
ipv6 {
neighbor-discovery {
router-advertisement {
enable no;
}
}
}
ndp-proxy {
enabled no;
}
adjust-tcp-mss {
enable no;
}
}
tunnel {
units;
}
aggregate-ethernet {
ae1 {
layer3 {
lacp {
high-availability {
use-same-system-mac {
enable no;
}
}
mode active;
transmission-rate slow;
enable yes;
}
ipv6 {
neighbor-discovery {
router-advertisement {
enable no;
}
}
}
ndp-proxy {
enabled no;
}
lldp {
enable no;
}
units {
ae1.1 {
ipv6 {
neighbor-discovery {
router-advertisement {
enable no;
}
}
}
ndp-proxy {
enabled no;
}
adjust-tcp-mss {
enable no;
}
ip {
"Wired network";
}
tag 1;
interface-management-profile Ping;
}
ae1.90 {
ipv6 {
neighbor-discovery {
router-advertisement {
enable no;
}
}
}
ndp-proxy {
enabled no;
}
adjust-tcp-mss {
enable no;
}
ip {
"Wireless network";
}
tag 90;
interface-management-profile Ping;
}
ae1.91 {
ipv6 {
neighbor-discovery {
router-advertisement {
enable no;
}
}
}
ndp-proxy {
enabled no;
}
adjust-tcp-mss {
enable no;
}
ip {
"Guest network";
}
tag 91;
interface-management-profile Ping;
}
}
}
}
}
}
vlan {
"Vlan Object" {
virtual-interface {
interface vlan;
}
}
}
virtual-wire;
profiles {
monitor-profile {
default {
interval 3;
threshold 5;
action wait-recover;
}
}
zone-protection-profile {
"Protecting network" {
flood {
tcp-syn {
red {
alarm-rate 10000;
activate-rate 10000;
maximal-rate 40000;
}
enable yes;
}
icmp {
red {
alarm-rate 10000;
activate-rate 10000;
maximal-rate 40000;
}
enable yes;
}
icmpv6 {
red {
alarm-rate 10000;
activate-rate 10000;
maximal-rate 40000;
}
enable no;
}
other-ip {
red {
alarm-rate 10000;
activate-rate 10000;
maximal-rate 40000;
}
enable yes;
}
udp {
red {
alarm-rate 10000;
activate-rate 10000;
maximal-rate 40000;
}
enable yes;
}
}
scan {
8001 {
action {
alert;
}
interval 2;
threshold 100;
}
8002 {
action {
alert;
}
interval 10;
threshold 100;
}
8003 {
action {
alert;
}
interval 2;
threshold 100;
}
}
discard-tcp-split-handshake yes;
discard-overlapping-tcp-segment-mismatch yes;
discard-icmp-large-packet yes;
}
}
interface-management-profile {
Ping {
https yes;
ping yes;
}
}
}
ike {
crypto-profiles {
ike-crypto-profiles {
default {
encryption [ aes-128-cbc 3des];
hash sha1;
dh-group group2;
lifetime {
hours 8;
}
}
Suite-B-GCM-128 {
encryption aes-128-cbc;
hash sha256;
dh-group group19;
lifetime {
hours 8;
}
}
Suite-B-GCM-256 {
encryption aes-256-cbc;
hash sha384;
dh-group group20;
lifetime {
hours 8;
}
}
}
ipsec-crypto-profiles {
default {
esp {
encryption [ aes-128-cbc 3des];
authentication sha1;
}
dh-group group2;
lifetime {
hours 1;
}
}
Suite-B-GCM-128 {
esp {
encryption aes-128-gcm;
authentication none;
}
dh-group group19;
lifetime {
hours 1;
}
}
Suite-B-GCM-256 {
esp {
encryption aes-256-gcm;
authentication none;
}
dh-group group20;
lifetime {
hours 1;
}
}
}
global-protect-app-crypto-profiles {
default {
encryption aes-128-cbc;
authentication sha1;
}
}
}
}
qos {
profile {
default {
class {
class1 {
priority real-time;
}
class2 {
priority high;
}
class3 {
priority high;
}
class4 {
priority medium;
}
class5 {
priority medium;
}
class6 {
priority low;
}
class7 {
priority low;
}
class8 {
priority low;
}
}
}
}
}
virtual-router {
Vlans {
protocol {
bgp {
enable no;
dampening-profile {
default {
cutoff 1.25;
reuse 0.5;
max-hold-time 900;
decay-half-life-reachable 300;
decay-half-life-unreachable 900;
enable yes;
}
}
routing-options {
graceful-restart {
enable yes;
}
}
}
ospf {
enable no;
reject-default-route no;
}
}
interface [ ae1 ae1.1 ae1.90 ae1.91 ethernet1/2 vlan vlan.1 vlan.90 vlan.91];
ecmp {
algorithm {
ip-modulo;
}
}
routing-table {
ip {
static-route {
"default route" {
nexthop {
ip-address 192.168.1.221;
}
interface ae1.1;
metric 10;
destination 0.0.0.0/0;
}
Wireless {
nexthop {
ip-address 192.168.1.202;
}
interface ae1.90;
metric 10;
destination 192.168.90.0/24;
}
"Guest Network" {
nexthop {
ip-address 192.168.1.202;
}
interface ae1.91;
metric 10;
destination 192.168.91.0/24;
}
Wired {
nexthop {
ip-address 192.168.1.221;
}
interface ae1.1;
metric 10;
destination 192.168.1.0/24;
}
controller {
nexthop {
ip-address 192.168.90.230;
}
interface ae1.90;
metric 10;
destination 192.168.1.202/32;
}
switch {
nexthop {
ip-address 192.168.1.230;
}
interface ae1.1;
metric 10;
destination 192.168.1.221/32;
}
}
}
}
}
}
}
deviceconfig {
system {
ip-address 192.168.1.224;
netmask 255.255.255.0;
update-server updates.paloaltonetworks.com;
update-schedule {
threats {
recurring {
weekly {
day-of-week wednesday;
at 01:02;
action download-only;
}
}
}
}
timezone US/Pacific;
service {
disable-telnet yes;
disable-http yes;
}
hostname PA-500;
default-gateway 192.168.1.1;
dns-setting {
servers {
primary 208.67.222.222;
secondary 208.67.220.220;
}
}
}
setting {
config {
rematch yes;
}
management {
hostname-type-in-syslog FQDN;
}
}
}
vsys {
vsys1 {
application;
application-group;
zone {
trust {
network {
virtual-wire;
}
}
untrust {
network {
virtual-wire;
}
}
Internet {
network {
layer3;
zone-protection-profile "Protecting network";
}
enable-user-identification yes;
}
LAN {
network {
layer2;
zone-protection-profile "Protecting network";
}
enable-user-identification yes;
}
Vlans {
network {
layer3 [ vlan.90 vlan.91 vlan.1];
zone-protection-profile "Protecting network";
}
enable-user-identification yes;
}
Untrusted-L3 {
network {
layer3 [ ethernet1/2 vlan];
}
}
Trust-L3 {
network {
layer3 [ ae1 ae1.1 ae1.90 ae1.91];
}
}
Trust-L2 {
network {
layer2;
}
}
}
service;
service-group;
schedule;
rulebase {
security {
rules {
"coming from internet" {
to Trust-L3;
from Untrusted-L3;
source any;
destination [ "Guest network" "Wired network" "Wireless network"];
source-user any;
category any;
application any;
service application-default;
hip-profiles any;
action allow;
profile-setting {
profiles {
virus default;
spyware default;
vulnerability default;
}
}
}
rule1 {
from trust;
to untrust;
source any;
destination any;
service any;
application any;
action allow;
log-end yes;
source-user any;
category any;
hip-profiles any;
disabled yes;
}
}
}
nat {
rules;
}
}
profiles {
hip-objects {
IPhone {
host-info {
criteria {
client-version {
is IPhone;
}
}
}
}
PS3 {
host-info {
criteria {
host-name {
is PS3;
}
}
}
}
}
}
import {
network {
interface [ ethernet1/1 ethernet1/2 vlan.1 vlan.91 ae1 vlan.90 ae1.1 ae1.90 ae1.91 vlan];
}
}
address {
INside {
ip-netmask 10.10.20.2/30;
}
"Wired network" {
ip-netmask 192.168.1.230/24;
tag 1;
}
"Wireless network" {
ip-netmask 192.168.90.230/24;
tag 90;
}
"Guest network" {
ip-netmask 192.168.91.230/24;
tag 91;
}
}
tag {
90;
1;
91;
}
profile-group {
Internet {
virus default;
spyware strict;
vulnerability strict;
url-filtering default;
wildfire-analysis default;
}
}
}
}
}
}
}
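The static routes in the posted virtual router "Vlans" can be checked mechanically against the interface addresses in the posted address objects. The script below is an added example, not part of the original post and not Palo Alto Networks code: it transcribes the interface addresses and static routes from the config above into Python tables and applies the two checks any router performs (is the next hop in the egress interface's subnet, and is it the interface's own address), plus a longest-prefix lookup to see which interface a given destination would actually leave on. It assumes standard router behaviour (a directly connected subnet wins a tie against a static route of the same length) and takes 192.168.1.1 as the hosts' default gateway, as the post states. The last function makes the asymmetric-routing point explicit: because the hosts' replies go to 192.168.1.1 rather than to any PA-500 address, a stateful firewall in this position sees only the inbound half of each TCP connection and never the SYN that would let it build a session.

```python
"""Sanity-check the PA-500 static routes posted above against its interface
addresses.  Added example; tables are transcribed from the posted config."""
from ipaddress import ip_address, ip_interface, ip_network

# Layer 3 interfaces and their addresses, from the posted address objects
# (INside, "Wired network", "Wireless network", "Guest network").
INTERFACES = {
    "ethernet1/2": ip_interface("10.10.20.2/30"),
    "ae1.1":       ip_interface("192.168.1.230/24"),
    "ae1.90":      ip_interface("192.168.90.230/24"),
    "ae1.91":      ip_interface("192.168.91.230/24"),
}

# Static routes of virtual router "Vlans": (name, destination, next hop, interface).
STATIC_ROUTES = [
    ("default route", "0.0.0.0/0",        "192.168.1.221",  "ae1.1"),
    ("Wireless",      "192.168.90.0/24",  "192.168.1.202",  "ae1.90"),
    ("Guest Network", "192.168.91.0/24",  "192.168.1.202",  "ae1.91"),
    ("Wired",         "192.168.1.0/24",   "192.168.1.221",  "ae1.1"),
    ("controller",    "192.168.1.202/32", "192.168.90.230", "ae1.90"),
    ("switch",        "192.168.1.221/32", "192.168.1.230",  "ae1.1"),
]

# Default gateway of the hosts behind the 3750G stack, as stated in the post.
HOST_DEFAULT_GATEWAY = "192.168.1.1"


def check_route(name, destination, nexthop, iface, interfaces=INTERFACES):
    """Return the problems with one static route (an empty list means it is consistent)."""
    problems = []
    local = interfaces.get(iface)
    if local is None:
        return [f"{name}: egress interface {iface} has no IP address"]
    nh = ip_address(nexthop)
    if nh == local.ip:
        problems.append(f"{name}: next hop {nexthop} is {iface}'s own address")
    elif nh not in local.network:
        problems.append(
            f"{name}: next hop {nexthop} is not in {iface}'s subnet {local.network}")
    # A destination that is directly connected on some other interface will
    # never be reached through the interface this route names.
    dest = ip_network(destination)
    for other, addr in interfaces.items():
        if other != iface and dest.subnet_of(addr.network):
            problems.append(
                f"{name}: destination {destination} is directly connected on {other}, "
                f"not {iface}")
    return problems


def audit(routes=STATIC_ROUTES):
    """Map route name -> problems, for routes that have any."""
    result = {}
    for route in routes:
        problems = check_route(*route)
        if problems:
            result[route[0]] = problems
    return result


def lookup(dst, interfaces=INTERFACES, routes=STATIC_ROUTES):
    """Longest-prefix match; a connected subnet beats a static route of equal length.
    Returns (egress interface, next hop or None for directly connected)."""
    addr = ip_address(dst)
    best = None  # (prefix length, connected flag, interface, next hop)
    for iface, local in interfaces.items():
        if addr in local.network:
            cand = (local.network.prefixlen, 1, iface, None)
            if best is None or cand[:2] > best[:2]:
                best = cand
    for _name, destination, nexthop, iface in routes:
        net = ip_network(destination)
        if addr in net:
            cand = (net.prefixlen, 0, iface, nexthop)
            if best is None or cand[:2] > best[:2]:
                best = cand
    return None if best is None else (best[2], best[3])


def trace_flow(dst, host_gateway=HOST_DEFAULT_GATEWAY, interfaces=INTERFACES):
    """Where inbound traffic to dst leaves the PA-500, and whether the host's
    reply (sent to its default gateway) passes back through the firewall."""
    reply_seen = any(ip_address(host_gateway) == i.ip for i in interfaces.values())
    return {"egress": lookup(dst), "reply_traverses_firewall": reply_seen}


if __name__ == "__main__":
    for name, problems in audit().items():
        for p in problems:
            print("PROBLEM", p)
    for dst in ("8.8.8.8", "192.168.1.50", "192.168.1.202", "192.168.90.5"):
        print(dst, trace_flow(dst))
```

Run as-is it reports the routes whose next hop lies outside the egress interface's subnet or is the firewall's own address, and shows that for every destination the reply path bypasses the firewall, which is the first thing to resolve before tuning zones or policy.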
