Trouble routing from Guest zone to Internal Server

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

Trouble routing from Guest zone to Internal Server

L1 Bithead

I'm not sure where to turn from here but my organization is trying to do a configuration we haven't set up before related to our student self-service system.

 

To try and summarize the issue, we have a guest-wireless zone that we need to allow anybody access to another server that is internal on our production network.  Our system architect registered a public IP address to our ISP with a URL so what we're trying to do is allow guest-wifi to this public URL and then let it hit the internal server.

 

This is working externally from the organization.  There is a NAT setup to allow external traffic to reach the service via the public IP/URL, but trying to go from the Guest Zone to the server is giving problem.  I have had Palo support troubleshooting with me and they were not able to come up with a solution during our call, so I'm turning here.

 

What some other Palo documentation and videos had us do was the following NAT and Security Policy:

 

NAT

Source Zone: inside

Dest. Zone: Outside

Source Addr: Server Private IP

Src. Translation: Server Public IP

 

This worked for anything external but trying to recreate one for Guest doesn't seem to do anything

 

Security Policy

Source Zone: Guest

Source Addr: Any

Dest. Zone: inside

Dest. Addr: server Public IP

Ports: 80/443

 

Traffic Monitor for the above security policy shows allowed traffic with a result of Application: Incomplete.

 

I am completely stumped and feel like we're making it a lot harder than it really is, so any guidance would be immensely helpful.

 

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

Hello,

Sounds like you need a U-Turn NAT. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cln3CAC

Also make sure you have security policies allowing the traffic.

 

Regards,

View solution in original post

5 REPLIES 5

Cyber Elite
Cyber Elite

Is the guest zone hitting the public IP? Presumably your NAT rule is bi-directional then? Or do you have a separate NAT policy for inbound connections?

 

If you look in the details of the session you see allowed, in both the source and destination boxs does the "NAT IP" part appear correct? 

Cyber Elite
Cyber Elite

Hello,

Sounds like you need a U-Turn NAT. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cln3CAC

Also make sure you have security policies allowing the traffic.

 

Regards,

There is a separate destination NAT for external users. My source IP is from our 10.193.0.0 subnet (Guest) and guest interface ethernet 1/5.93.  The destination is listed as the public IP with a NAT IP displayed as the server's private IP.  So to me, it does appear correct.  We have other configurations for the Guest wifi to reach internal services, but those are handled by the load balancer in the DMZ, so we're not sure where the disconnect is occurring.

I did come across something regarding U-Turn NAT and I did try and use the above link for reference, as well as another online video of someone explaining it and it makes sense to me, but when trying to implement I'm still not able to reach that service. ☹️

After a little more looking into the NAT policy, I recognized the error I had.  U-Turn was the correct solution but it was the particular interface I was using on the source translation.  Correcting that on my end immediately got the service working.  Much thanks to all.

  • 1 accepted solution
  • 2202 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!