Need some guidance on the VM series implementation

Reply
Highlighted
L0 Member

Need some guidance on the VM series implementation

Hi there,

I have inherited the current network and need some help in replacing the firewall for like to like. We have a MPLS network connecting all our offices and an external firewall managed by the ISP. Traffic from all sites go out via the external firewall. I am replacing an old ASA with the PA-VM Series firewall as an internal firewall in one of our offices and experiencing issues with return traffic. Our core switch does routing for some of the vlans (subinterfaces on the core switch) and ASA does routing some of the vlans (subinterfaces for DMZ, guest,contractors vlans).

We have multiple ESX hosts and I am installing 2 PA instances on 2 different hosts in Active Passive set up. I have set up the PA's and added port groups on the ESX hosts and subinterfaces in the PA as explained in the diagram. I have a default route on the core switch to send all traffic to subinterface ( Eth1/2.11) as I want all traffic to out via PA. On the PA, I have a default route to Eth1/3 and also a static route to internal VLANS (to make PA aware of the rest of the VLAN's) This is still in testing mode and I would eventually enable RIP on the PA as the core switch runs RIP.

I also have a NO NAT policy because it's an internal firewall and a security policy to allow outbound traffic.

Issue: I can see traffic going out the untrust interface but firewall is dropping the return traffic. Packet capture shows that the return traffic ends up on the trust interface Eth1/2.11 and hence the packets are being dropped.Network.png

 

Highlighted
L2 Linker

Does your core switch have layer 3 interfaces for VLAN3 and VLAN11? And, were the packet captures for source or destination in VALN11?

Highlighted
L0 Member

Yes the core switch has layer 3 interfaces for VLAN3 and VLAN 11 as shown in the diagram ? The packet captures were done with the source IP of 192.168.20.10 from a VM on VLAN 20 which has gateway as another subinterface (192.168.20.1) on the firewall. Diagram updated. (VLAN 20 does not have a layer3 interface on the core)

The capture shows packet flow from the VM to its gateway 192.168.20.1 (Trust)  out to Untrust and the Gateway (192.168.3.1)

Return traffic from 192.168.3.1 hits the core switch and is going back via the trusted interface 192.168.11.1 (VLAN 11) following the default route which is being dropped by firewall.

 

Network updated.png

 

Highlighted
Cyber Elite

Hello,

Check the traffic logs as you may have missed a policy?

 

Regards,

Highlighted
L2 Linker

Sounds like there is some asymmetric routing in the environment.

Are there any routes (static or dynamic) on the core switch to 192.168.20.0/24 or perhaps a summary route.

A traceroute from 192.168.20.10 and another traceroute from the destination should help identify any asymmetric routing paths in the environment.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!