Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
02-25-2016 09:36 PM
Hello folks
I have a strange issue in my lab , here is the scenario :
VM-100 on ESXi
PAN OS 7.0.5
Inside interface connected to internal zone (10.0.1.0/24 network)
outside interface connected to my home firewall ( 192.168.1.0/24 network)
Interfaces have IPs on the same range as their zones : 10.0.1.10 inside interface , 192.168.1.10 outside.
Modem IP is 192.168.1.1
- Lab workstations can ping inside interface successfully
- Firewall DNS is working , able to download URL filtering database , able to resolve DNS via outside interface
- Created a universal policy to allow any->any for now .
- both interfaces are using the same virtual router that has a static route to 0.0.0.0/0 for next hop 192.168.1.1(modem)
- Firewall is fully licensed .
Issue : Inside workstations unable to browse internet .
- Tried connecting both interfaces to default router - same
- Traffic log shows that DNS request is coming from internal host and it is allowed but it ends with "aged out" error . seems like there is no response . capture shows that request hits the inside interface but not going further .
- these are directly connected to interface so routing doesn't seem tobe the issue here .
any help would be appreciated.
Thanks
02-26-2016 03:34 AM
Do you have a NAT rule from the inside zone to NAT on the outside interface?
Without one you 10 address would probably not get NAT for the trip tothe DNS server on the internet. Or internet access for the sites that resolve.
02-26-2016 02:26 PM - edited 02-26-2016 02:27 PM
Hi,
In order for hosts from 10.0.1.0/24 to access internet through their gateway 10.0.1.10 (trust zone IP) and further through 192.168.1.10 (untrust zone IP) you need to create NAT rule that will have tabs:
general: whatever the name of your nAT rule is 🙂
original packet: translate from TRUST zone, destination zone UNTRUST, interface any, service any, source address - your scope (10.0.1.0/24), destination address any;
translated packet: translation type: dynamic IP and port, address type: interface address, interface (ethernet - whatever is 192.168.1.10), ip address 192.168.1.10 (select from dropdown), leave "destination address translation" unchecked.
Voila, hosts from 10.0.1.0/24 should be able to access internet through TRUST and exit on UNTRUST, reverse translation for sessions is implied.
Try it and let us know if it helps.
Best regards,
Luciano
02-26-2016 01:15 AM
Hi,
Do you have a DNS proxy configured?
If you do then check this article, it shows that if the firewall recieves a suspicious query then the DNS session from the the firewall to the DNS server will be set into a discard state.
hope this helps,
Ben
02-26-2016 03:34 AM
Do you have a NAT rule from the inside zone to NAT on the outside interface?
Without one you 10 address would probably not get NAT for the trip tothe DNS server on the internet. Or internet access for the sites that resolve.
02-26-2016 06:41 AM
Hello,
Also check your routing from the 'outside' of the PAN to the modem and internet and vice versa.
Regards,
02-26-2016 09:32 AM - edited 02-26-2016 09:33 AM
Hi,
as pulukas pointed out - sounds like NAT issue in the virtual firewall, if allow-all is only policy you have. Simple -if you can reach public internet from firewall (download URL updateS) but can't reach anything from behind firewall, and only security policy is allow-all - than it's NAT.
On a further note - I have a fairly complex setup of ESXi with plenty of vlans and stuff running through my PA-200 at home; I am not sure I understood your layout completely - can you elaborate a bit? I am lost at what firewall connects to:
VM guests (10.0.1.x/24) -----> trust of VM_FW(10.0.1.10) -- Untrust of VM_FW(192.168.1.10) -------> Modem or firewall at 192.168.1.0?
Do you have trunk on ESXi or you are assigning interfaces to firewall, are your hosts behind firewall virtual machines (vm guests) or they are real devices in your home network? In any case, you are doing nat twice for those hosts behind VM_FW - do you have physical firewall box as well, or you have some of those modems with integrated security? I passed public IP onto my PA-200 and trunked ESXi server onto one port of FW, and am working with sub-interfaces for VMs inside of ESXi... prolly not helping you at all but anyways...
Best regards,
Luciano
02-26-2016 01:10 PM
Do I need a NAT really ? like from 10.0.1.0/24 network to 192.168.1.0/24 network ? I tried to create a NAT but I got rejected . it was saying there is an overlap of addresses . I did a source NAT .
02-26-2016 01:11 PM
no there is no DNS proxy . but DNS is on external network .
02-26-2016 01:11 PM
external interfface has Internet access , I confimred it by pinging outside machines and resovle public DNSs.
02-26-2016 02:26 PM - edited 02-26-2016 02:27 PM
Hi,
In order for hosts from 10.0.1.0/24 to access internet through their gateway 10.0.1.10 (trust zone IP) and further through 192.168.1.10 (untrust zone IP) you need to create NAT rule that will have tabs:
general: whatever the name of your nAT rule is 🙂
original packet: translate from TRUST zone, destination zone UNTRUST, interface any, service any, source address - your scope (10.0.1.0/24), destination address any;
translated packet: translation type: dynamic IP and port, address type: interface address, interface (ethernet - whatever is 192.168.1.10), ip address 192.168.1.10 (select from dropdown), leave "destination address translation" unchecked.
Voila, hosts from 10.0.1.0/24 should be able to access internet through TRUST and exit on UNTRUST, reverse translation for sessions is implied.
Try it and let us know if it helps.
Best regards,
Luciano
02-27-2016 11:18 AM
It's working ! I had a NAT in-place but it was wrong . I fixed it and it worked.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
