
No DNS, cannot ping anything above gateway


L1 Bithead

I'm trying to set up a PA-820 from scratch, but would like to update and set up rules before placing it on top of our network. Currently it is set up as a DHCP client, parallel to our office router, connected upstream to a Charter AP and modem (for some reason, this is the only way they'll give us a static IP and a high speed connection to the internet). The AP is the gateway with an IP of 192.168.1.1, which I can ping from the DHCP assigned IP of 192.168.1.53 from the management interface, which I changed to 192.168.0.2. However, I can't ping anything else above that. Attached are the interfaces and security rules. Can anyone take a look at this and help?

show interface all

total configured hardware interfaces: 5

name                    id    speed/duplex/state            mac address
--------------------------------------------------------------------------------
ethernet1/1             16    1000/full/up                  60:15:2b:67:14:10
ethernet1/2             17    ukn/ukn/down(autoneg)         60:15:2b:67:14:11
ethernet1/3             18    ukn/ukn/down(autoneg)         60:15:2b:67:14:12
dedicated-ha1           5     ukn/ukn/ukn(autoneg)          60:15:2b:67:14:05
dedicated-ha2           6     ukn/ukn/down(autoneg)         60:15:2b:67:14:06

aggregation groups: 0

total configured logical interfaces: 5

name                id    vsys zone             forwarding               tag                  address
------------------- ----- ---- ---------------- ------------------------ ------               ------------------
ethernet1/1         16    1    Untrusted        vr:default               0                    192.168.1.53/24
ethernet1/2         17    1    Trusted-Office   vr:default               0                    10.0.0.1/24
ethernet1/3         18    1    Guest Network to vr:default               0                    10.0.2.1/24
dedicated-ha1       5     1                     ha                       0                    N/A
dedicated-ha2       6     1                     ha                       0                    N/A

admin@OfficeFW> show rulebase security rules

Invalid syntax.
admin@OfficeFW> configure
Entering configuration mode
[edit]
admin@OfficeFW# show rulebase security rules
rules {
  "Allow out" {
    profile-setting {
      group default;
    }
    to Untrusted;
    from Trusted-Office;
    source any;
    destination any;
    source-user any;
    category any;
    application any;
    service any;
    source-hip any;
    destination-hip any;
    action allow;
    log-setting default;
    rule-type interzone;
  }
}
[edit]
admin@OfficeFW# show routing route

Invalid syntax.
[edit]
admin@OfficeFW# exit
Exiting configuration mode
admin@OfficeFW> show routing route

flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp,
       Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2, E:ecmp, M:multicast

VIRTUAL ROUTER: default (id 1)
  ==========
destination                                 nexthop                                 metric flags      age   interface          next-AS
0.0.0.0/0                                   0.0.0.0                                 10     A S              ethernet1/1
192.168.1.0/24                              192.168.1.53                            0      A C              ethernet1/1
192.168.1.53/32                             0.0.0.0                                 0      A H
total routes shown: 3

7 REPLIES

L6 Presenter

Hello @Altais 

Please share connectivity diagram if possible. This will give more clarity.

Also, one query: why did you change the IP to 192.168.0.x? Because I understand that you have the AP/modem network as 192.168.1.x.

M

Check out my YouTube channel - https://www.youtube.com/@NetworkTalks

L1 Bithead

Pretty simple network, see the attached drawing.

You'll probably need to NAT your internal IP space to the external IP assigned by the wifi modem using an interface NAT. The cable modem most likely does not know how to return/route the 10.x.x.x or 192.168.0.0/24 network traffic back to the firewall.

If you can get into the cable modem, you can add static routes on the modem to your subnets behind the firewall directly to avoid the NAT.

Cyber Elite

Hello,

Are you sourcing your ping from the management interface? What do the logs show? Most likely causes:

1. Security policy incorrect

2. NAT policy incorrect

3. Missing routes in virtual router.

Setting all policies to log at session end should allow you to see all the traffic the data plane sees, allowed and denied.

Regards,
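The interface-based source NAT suggested two replies up, combined with the session-end logging and the route/policy checks listed in the reply just above, written out as PAN-OS CLI set commands. This is an added example and not configuration from any post in this thread. It reuses the zones, interface and rule visible in the original poster's output (Trusted-Office, Untrusted, ethernet1/1, the existing "Allow out" rule); the NAT rule name "Outbound NAT", the internal test host 10.0.0.10 and the destination 8.8.8.8 are assumed values. Lines beginning with # are explanatory comments, not commands.

```console
# --- configuration mode (admin@OfficeFW# prompt) ---
configure

# Hide the 10.0.0.0/24 office subnet behind the DHCP address that ethernet1/1
# received from the modem, so the modem only ever sees 192.168.1.53 as the
# source and never needs a return route for 10.x.x.x.
set rulebase nat rules "Outbound NAT" from Trusted-Office to Untrusted source any destination any service any to-interface ethernet1/1
set rulebase nat rules "Outbound NAT" source-translation dynamic-ip-and-port interface-address interface ethernet1/1

# Log the existing "Allow out" rule at session end so every allowed flow,
# including ones that simply age out, appears in the traffic log.
set rulebase security rules "Allow out" log-end yes

commit
exit

# --- operational mode (admin@OfficeFW> prompt) ---
# 1. Routing: the lookup must return ethernet1/1 and the modem as next hop.
test routing fib-lookup virtual-router default ip 8.8.8.8

# 2. Policy: an ICMP (protocol 1) flow from the assumed host 10.0.0.10 should
#    match "Allow out".
test security-policy-match from Trusted-Office to Untrusted source 10.0.0.10 destination 8.8.8.8 protocol 1

# 3. NAT: the same flow should match "Outbound NAT".
test nat-policy-match from Trusted-Office to Untrusted source 10.0.0.10 destination 8.8.8.8 protocol 1

# 4. Watch what the dataplane actually did with the sessions.
show session all filter source 10.0.0.10
show log traffic direction equal backward
```

Run the three test commands in that order: NAT and security policy are only evaluated after the route lookup has chosen the egress zone, so if the fib-lookup does not point at ethernet1/1 the policy results are meaningless, which is the point the later reply about the default route makes.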

Cyber Elite

@Altais,

Just going to back things off a bit and ask a rather simple question that I'm not seeing, but how are you expecting your MGMT connection to be able to access anything but your laptop when it's directly plugged in? There's nothing in your diagram showing where your MGMT connection is actually plugged into anything, outside of the fact that I'm assuming you have it plugged into your laptop.

Your cable modem isn't going to know how to route traffic to a random 192.168.0.1 client if it doesn't have a route to it, but you're also kind of overcomplicating things with this setup. I personally wouldn't recommend giving your MGMT connection a 182.168.1.0/24 address if you're treating this as your untrust zone. You could pop it into your trust zone and just have it restricted via permitted-ip if you want, or you could just put it in its own dedicated MGMT zone if you wanted to go that route as well. Nothing that you've included in your post (unless I glanced over it) shows that your cable modem or your PA-820 would have any idea how to route that 192.168.0.1 address however.
What's likely happening because of this is that your PA-850 is following your default route to the cable modem, and your cable modem, not having a route, sends that out its default gateway off to Charter. Therefore nothing you're doing from a policy standpoint really matters here; your PA-850 isn't routing the traffic properly.

 

 

L1 Bithead

Thanks guys! I think BPry is probably the closest one to the solution, since I can see packets coming in and packets going out, but they're all aging out. What I'm still unclear on is if software/definition updates can only come in through the management interface, or any interface linked to an appropriate management profile?

Cyber Elite

@Altais,

Take a look at service routes HERE if you want to utilize a dataplane interface instead of the management interface. You don't need to utilize the management interface if you don't want to. You can utilize interface management profiles and service routes if you just want to disconnect your MGMT port completely.
Just keep in mind that if you're going to utilize an interface-management-profile and enable management from a dataplane interface, you want to ensure it's properly secured either by security policy or better through permitted-ip assigned to the profile. 
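A service-route plus interface-management-profile configuration of the kind the reply above describes, added here as an example; it is not from the post or from the vendor's documentation link. It assumes the DHCP address 192.168.1.53/24 on ethernet1/1 from the original output, a profile name MGMT-Trusted, a single permitted management host 10.0.0.10/32 and an example DNS server of 8.8.8.8; all of these are constructed values to be replaced with your own. Lines beginning with # are explanatory comments, not commands.

```console
# --- configuration mode ---
configure

# Management profile for the dataplane side. permitted-ip is what keeps an
# enabled HTTPS/SSH listener from being reachable by every host in the zone;
# only the listed address (assumed: 10.0.0.10) may talk to it.
set network profiles interface-management-profile MGMT-Trusted ping yes https yes ssh yes
set network profiles interface-management-profile MGMT-Trusted permitted-ip 10.0.0.10/32
set network interface ethernet ethernet1/2 layer3 interface-management-profile MGMT-Trusted

# DNS servers the firewall itself uses; without these, update and URL
# lookups fail regardless of which interface they leave from.
set deviceconfig system dns-setting servers primary 8.8.8.8

# Service routes: source updates, DNS and NTP from the DHCP address on
# ethernet1/1 instead of the MGMT port, so the MGMT port can stay unplugged
# or isolated.
set deviceconfig system route service paloalto-updates source interface ethernet1/1 address 192.168.1.53/24
set deviceconfig system route service dns source interface ethernet1/1 address 192.168.1.53/24
set deviceconfig system route service ntp source interface ethernet1/1 address 192.168.1.53/24

commit
exit

# --- operational mode ---
# Confirm the dataplane address can actually reach the outside before
# expecting updates to work: this ping is sourced from ethernet1/1, not MGMT.
ping source 192.168.1.53 host 8.8.8.8
```

The security-policy route the reply mentions as the weaker alternative would instead rely on a rule from Trusted-Office to the zone holding the management interface; the permitted-ip list is enforced by the interface itself and is the tighter control because it does not depend on the rulebase being correct.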
