Issue with my Palo Alto Lab

Reply
Highlighted
L2 Linker

Issue with my Palo Alto Lab

Hello folks

I have a strange issue in my lab , here is the scenario :

VM-100 on ESXi
PAN OS 7.0.5
Inside interface connected to internal zone (10.0.1.0/24 network)
outside interface connected to my home firewall ( 192.168.1.0/24 network)

Interfaces have IPs on the same range as their zones : 10.0.1.10 inside interface , 192.168.1.10 outside.
Modem IP is 192.168.1.1

- Lab workstations can ping inside interface successfully
- Firewall DNS is working , able to download URL filtering database , able to resolve DNS via outside interface
- Created a universal policy to allow any->any for now .
- both interfaces are using the same virtual router that has a static route to 0.0.0.0/0 for next hop 192.168.1.1(modem)
- Firewall is fully licensed .

Issue : Inside workstations unable to browse internet .

- Tried connecting both interfaces to default router - same

- Traffic log shows that DNS request is coming from internal host and it is allowed but it ends with "aged out" error . seems like there is no response . capture shows that request hits the inside interface but not going further .

- these are directly connected to interface so routing doesn't seem tobe the issue here .

any help would be appreciated.

Thanks

 

 

 

 

 

 

 


Accepted Solutions
Highlighted
L7 Applicator

Do you have a NAT rule from the inside zone to NAT on the outside interface?  

 

Without one you 10 address would probably not get NAT for the trip tothe DNS server on the internet.  Or internet access for the sites that resolve.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

View solution in original post

Highlighted
L5 Sessionator

Hi,

 

In order for hosts from 10.0.1.0/24 to access internet through their gateway 10.0.1.10 (trust zone IP) and further through 192.168.1.10 (untrust zone IP) you need to create NAT rule that will have tabs:

general: whatever the name of your nAT rule is :)

original packet: translate from TRUST zone, destination zone UNTRUST, interface any, service any, source address - your scope (10.0.1.0/24), destination address any;

translated packet: translation type: dynamic IP and port, address type: interface address, interface (ethernet - whatever is 192.168.1.10), ip address 192.168.1.10 (select from dropdown), leave "destination address translation" unchecked.

 

Voila, hosts from 10.0.1.0/24 should be able to access internet through TRUST and exit on UNTRUST, reverse translation for sessions is implied.

 

Try it and let us know if it helps.


Best regards,

 

Luciano

View solution in original post


All Replies
Highlighted
L4 Transporter

Hi,

 

Do you have a DNS proxy configured?

 

If you do then check this article, it shows that if the firewall recieves a suspicious query then the DNS session from the the firewall to the DNS server will be set into a discard state.

 

https://live.paloaltonetworks.com/t5/Management-Articles/Blocking-Suspicious-DNS-Queries-with-DNS-Pr...

 

hope this helps,

Ben

Highlighted
L7 Applicator

Do you have a NAT rule from the inside zone to NAT on the outside interface?  

 

Without one you 10 address would probably not get NAT for the trip tothe DNS server on the internet.  Or internet access for the sites that resolve.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

View solution in original post

Highlighted
Cyber Elite

Hello,

Also check your routing from the 'outside' of the PAN to the modem and internet and vice versa.

 

Regards,

Highlighted
L5 Sessionator

Hi,

 

as pulukas pointed out - sounds like NAT issue in the virtual firewall, if allow-all is only policy you have. Simple -if you can reach public internet from firewall (download URL updateS) but can't reach anything from behind firewall, and only security policy is allow-all - than it's NAT.

 

On a further note - I have a fairly complex setup of ESXi with plenty of vlans and stuff running through my PA-200 at home; I am not sure I understood your layout completely - can you elaborate a bit? I am lost at what firewall connects to:

VM guests (10.0.1.x/24) -----> trust of VM_FW(10.0.1.10) -- Untrust of VM_FW(192.168.1.10) -------> Modem or firewall at 192.168.1.0?

 

Do you have trunk on ESXi or you are assigning interfaces to firewall, are your hosts behind firewall virtual machines (vm guests) or they are real devices in your home network? In any case, you are doing nat twice for those hosts behind VM_FW - do you have physical firewall box as well, or you have some of those modems with integrated security? I passed public IP onto my PA-200 and trunked ESXi server onto one port of FW, and am working with sub-interfaces for VMs inside of ESXi... prolly not helping you at all but anyways...

 

Best regards,

 

Luciano

Highlighted
L2 Linker

Do I need a NAT really ? like from 10.0.1.0/24 network to 192.168.1.0/24 network ? I tried to create a NAT but I got rejected . it was saying there is an overlap of addresses . I did a source NAT .

Highlighted
L2 Linker

no there is no DNS proxy . but DNS is on external network .

Highlighted
L2 Linker

external interfface has Internet access , I confimred it by pinging outside machines and resovle public DNSs.

Highlighted
L5 Sessionator

Hi,

 

In order for hosts from 10.0.1.0/24 to access internet through their gateway 10.0.1.10 (trust zone IP) and further through 192.168.1.10 (untrust zone IP) you need to create NAT rule that will have tabs:

general: whatever the name of your nAT rule is :)

original packet: translate from TRUST zone, destination zone UNTRUST, interface any, service any, source address - your scope (10.0.1.0/24), destination address any;

translated packet: translation type: dynamic IP and port, address type: interface address, interface (ethernet - whatever is 192.168.1.10), ip address 192.168.1.10 (select from dropdown), leave "destination address translation" unchecked.

 

Voila, hosts from 10.0.1.0/24 should be able to access internet through TRUST and exit on UNTRUST, reverse translation for sessions is implied.

 

Try it and let us know if it helps.


Best regards,

 

Luciano

View solution in original post

Highlighted
L2 Linker

It's working ! I had a NAT in-place but it was wrong . I fixed it and it worked. 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!