NAT Help - Reaching DMZ Server via NAT


Not applicable

Hi,

I'm having an issue setting up my DMZ test environment. My setup is basic and is as follows (IP information is an example) --

  • e1/1 - Internet (1.1.1.160/28 - ISP assigned)
  • e1/2 - Internal (10.10.10.0/24)
  • e1/3 - DMZ (10.10.100.0/24)
  • DMZ Web Server (Internal IP 10.10.100.10/24 with NAT rule for external IP mapping of 1.1.1.171)

I've set up a NAT policy as seen below --

[Image attachment: PA_NAT_Policy.PNG.png]

I've set up the security policies as seen below --

[Image attachment: PA_Security_Policy.PNG.png]

Internally, I can ping 1.1.1.171 and access my web server via that IP; however, when I try to access the IP from the internet (https), I'm unable to hit the server and I do not see traffic hitting the firewall. I've attempted to create a loopback to give the IP an endpoint, as seen in a tutorial on this site, but that did not work either.

Does it appear that I am missing something, or is my configuration incorrect? I'm sure I'm a step or two away from getting this to work; however, I have been trying almost everything I can think of, to little or no avail. I would greatly appreciate any advice or help anyone can provide.

Thanks,

John

5 REPLIES

L5 Sessionator

Hello John,

In your D-NAT rule:

Source Zone: TW Internet

Destination Zone should also be: TW Internet

Destination Address: 1.1.1.71

Destination Translation should be: 10.10.100.10

Your security rule:

Source Zone: TW Internet

Destination Zone: DMZ zone where the server actually lies

Destination IP: 1.1.1.171

Let us know if it worked for you.

Regards,

Kunal Adak

L5 Sessionator

You can also refer to page 16 of the following document. It explains, with an example, how DMZ servers are accessed from the outside.

https://live.paloaltonetworks.com/docs/DOC-1517

Regards,

Kunal Adak

Not applicable

Kunal,


Thanks for the prompt reply. In the midst of providing examples of my configuration I left out the 10.10.100.10 for the destination translation, but in the actual policy it is there. With regard to the security policy, I tried adding the destination IP, although keeping the tab at "any" should have worked as well. Neither option worked. I appreciate the document you provided; I've referenced this particular document a few times when trying to troubleshoot this issue.

To add to my configuration information above, I have a route for 10.10.100.0/24 with the interface set to e1/3 and next hop value 10.10.100.5 (gateway on the PA). I do not have a route for the public IP subnet, however. Is this needed? Again, I'm not seeing any internet traffic hit the firewall for destination address 1.1.1.171.

Thanks,
John

Hello John:

The only route you require is on upstream router. The upstream router should know that if a packet comes in destined for 1.1.1.171, it should forward it to PAN's 1/1, since 1.1.1.171 comes under 1.1.1.160/28's umbrella.


I would look for any sessions/traffic logs on the PAN sourcing from that outside client hitting 1.1.1.171.


For example:

Server (10.10.100.10)  ---- PAN ---- ISP-----  PC (1.1.1.1)


> show session all filter source 1.1.1.1 

If you don't see any sessions from 1.1.1.1, it's very likely that there are some routing issues on the ISP/upstream side.

Also, you can verify through your traffic logs. You can use the following filter: ( addr.src in 1.1.1.1 )


One thing I noticed now in your first comment is that you said "Internally, I can ping 1.1.1.171"... Does that mean even the local LAN subnets are accessing that web server using the public IP address? If that is the case, we are dealing with a U-Turn NAT situation here!



Regards,

Kunal Adak

L6 Presenter

Are you trying to reach your webserver from inside?

Try to use U-turn NAT then.

https://live.paloaltonetworks.com/docs/DOC-1678
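To make the zone logic in the replies above concrete, here is an added example (written for this page, not taken from the thread or from Palo Alto Networks) that models how a PAN-OS firewall evaluates a packet against NAT and security policy: the NAT rule is matched on the pre-NAT zones and addresses (so the destination zone of the inbound DNAT rule is the Internet zone, where the route lookup on 1.1.1.171 lands), while the security rule is matched on the post-NAT destination zone (DMZ) but still on the pre-NAT destination address (1.1.1.171). It also covers the U-turn case raised in the last two replies, where an internal client reaches the server by its public IP. The topology follows the original post; the rule names, the 1.1.1.1 client, the 10.10.10.50 internal client and the use of the firewall's 10.10.100.5 DMZ address as the U-turn source NAT address are assumptions. The model starts from a packet that has already reached the firewall; the upstream routing problem the thread is actually chasing is outside it.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed topology following the thread; every address here is illustrative.
ZONES = {
    "TW Internet": ip_network("1.1.1.160/28"),    # e1/1, ISP-assigned block
    "Internal":    ip_network("10.10.10.0/24"),   # e1/2
    "DMZ":         ip_network("10.10.100.0/24"),  # e1/3
}
INTERNET_ZONE = "TW Internet"
FW_DMZ_IP = "10.10.100.5"   # assumed: firewall's e1/3 address, reused as U-turn source NAT address
WEB_PUBLIC, WEB_PRIVATE = "1.1.1.171", "10.10.100.10"


def zone_for(ip: str) -> str:
    """Stand-in for the route lookup: the zone whose subnet holds ip, else the default route's zone."""
    addr = ip_address(ip)
    for zone, net in ZONES.items():
        if addr in net:
            return zone
    return INTERNET_ZONE


@dataclass
class NatRule:
    name: str
    src_zone: str
    dst_zone: str                    # zone of the PRE-NAT destination (route lookup on the public IP)
    dst_addr: str                    # pre-NAT destination address
    dst_xlate: str                   # translated destination
    src_xlate: Optional[str] = None  # translated source, only needed for U-turn NAT


@dataclass
class SecRule:
    name: str
    src_zone: str
    dst_zone: str   # POST-NAT destination zone (where the server actually lives)
    dst_addr: str   # "any" or the PRE-NAT destination address
    action: str


@dataclass
class Verdict:
    nat_rule: Optional[str]
    post_src: str
    post_dst: str
    sec_rule: Optional[str]
    action: str


def evaluate(src: str, dst: str, nat_rules: List[NatRule], sec_rules: List[SecRule]) -> Verdict:
    """Evaluate one packet that has already reached the firewall, first NAT policy, then security policy."""
    src_zone = zone_for(src)       # ingress zone
    pre_dst_zone = zone_for(dst)   # NAT policy is matched on pre-NAT zones and addresses
    post_src, post_dst, nat_name = src, dst, None
    for r in nat_rules:
        if r.src_zone == src_zone and r.dst_zone == pre_dst_zone and r.dst_addr == dst:
            nat_name, post_dst = r.name, r.dst_xlate
            if r.src_xlate:
                post_src = r.src_xlate
            break
    post_dst_zone = zone_for(post_dst)   # security policy uses the post-NAT destination zone ...
    for s in sec_rules:
        if (s.src_zone in ("any", src_zone)
                and s.dst_zone in ("any", post_dst_zone)
                and s.dst_addr in ("any", dst)):   # ... but the pre-NAT destination address
            return Verdict(nat_name, post_src, post_dst, s.name, s.action)
    return Verdict(nat_name, post_src, post_dst, None, "deny")   # implicit interzone deny


# Rules as the reply describes them, plus an assumed U-turn pair for clients on the internal LAN.
NAT_RULES = [
    NatRule("DNAT-web", INTERNET_ZONE, INTERNET_ZONE, WEB_PUBLIC, WEB_PRIVATE),
    NatRule("UTurn-web", "Internal", INTERNET_ZONE, WEB_PUBLIC, WEB_PRIVATE, src_xlate=FW_DMZ_IP),
]
SEC_RULES = [
    SecRule("Allow-web-in", INTERNET_ZONE, "DMZ", WEB_PUBLIC, "allow"),
    SecRule("Allow-web-uturn", "Internal", "DMZ", WEB_PUBLIC, "allow"),
]
# Frequent misconfiguration: NAT rule's destination zone set to DMZ (the post-NAT zone), so it never matches.
WRONG_NAT_RULES = [NatRule("DNAT-web-wrong", INTERNET_ZONE, "DMZ", WEB_PUBLIC, WEB_PRIVATE)]

if __name__ == "__main__":
    print(evaluate("1.1.1.1", WEB_PUBLIC, NAT_RULES, SEC_RULES))        # inbound from the Internet
    print(evaluate("10.10.10.50", WEB_PUBLIC, NAT_RULES, SEC_RULES))    # U-turn from the internal LAN
    print(evaluate("1.1.1.1", WEB_PUBLIC, WRONG_NAT_RULES, SEC_RULES))  # no NAT match, dropped
```

Running it shows the inbound packet hitting DNAT-web and Allow-web-in, the internal client hitting UTurn-web with its source rewritten to 10.10.100.5 (so the server replies back through the firewall instead of directly to the LAN), and the misconfigured rule set producing no NAT match and an implicit deny, which is the kind of silent failure that only the session table and traffic log filters in the replies above will reveal.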
