Ok, bear with me, this one is a bit complicated.
We currently run a SWGFL connection through 2 ISA servers. We host around a dozen services internally. Some are dealt with via external IPs on the SWGFL router and our external DNS manager, Vidahosts; some are dealt with using a single IP and our internal DNS to shoot the requests around.
We are moving away from SWGFL and going with City Fibre using a Palo Alto PA3020. We have a live connection and the Palo is working, but most users are not working from it as we have not changed the 0.0.0.0/0 route in our L3 core. A few users (i.e. IT) have changed the default gateway to be the Palo. Most things are working fine, but we have an oddity we can't get to the bottom of.
If you are on the SWGFL connection our internally hosted website oak.leaf.bournemouth.sch.uk works. If you are on an external connection, like a mobile, it works. If you are on the Palo/City Fibre connection that website doesn't work; it comes back with a DNS error. If you look at the Palo monitoring it shows the request as incomplete, which it is, as the IP being passed to the Palo is 220.127.116.11 when it should be 18.104.22.168.
Predictably, Gamma, our Palo supplier, are blaming our internal DNS or SWGFL. SWGFL are blaming the Palo, and I'm stuck in the middle with a website that we own and can't access!
Anyone got any idea where it's going wrong?
What do you have set as your DNS server when you go out of the Palo?
Does whatever it is also have its default gateway set to be the Palo, and does it also have upstream DNS servers it uses?
DNS servers in the Palo are our internal DNS and our external DNS manager, so:
Address Group DNS Servers:
Address Group Vida Hosts
We have a security policy in place called Outbound DNS, with the following config:
Source Tab = Source Zone - L3inside: Destination Address - DNS Servers (address group)
User Tab = Source User - any: HIP Profile - any
Destination Tab = Destination Zone - L3 Outside: Destination Address - Vida Hosts (address group)
Application Tab = Applications - DNS
Service/URL Category Tab = Defaults (empty)
Actions Tab = Action setting - Default for our establishment with Antivirus, Vulnerabilities and Spyware. No URL Filtering, File Blocking or Data Filtering.
The default gateway of the webserver is our core switch. The core switch has a 0.0.0.0/0 static route to our SWGFL router at the moment, as we are not ready to transition everyone yet. The webserver is set to use our internal DNS servers.
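A check that narrows down which path hands out the wrong address, added here as an example and not posted by anyone in the thread: ask every resolver involved (internal DNS, the external DNS manager, and whatever the Palo hands out) for the same A record and flag the ones that disagree with the address the site should have. It assumes dig is installed; the resolver names and IPs in the comments are placeholders.

```shell
#!/bin/sh
# Added diagnostic, not from the thread. Query one hostname through several
# resolvers and report which ones return an address other than the expected one.

# resolve_via RESOLVER HOSTNAME -> first IPv4 answer, or NO_ANSWER on failure
resolve_via() {
    ans=$(dig +short +time=3 +tries=1 "@$1" "$2" A 2>/dev/null \
          | grep -E '^[0-9]+(\.[0-9]+){3}$' | head -n 1)
    printf '%s\n' "${ans:-NO_ANSWER}"
}

# compare_answers EXPECTED_IP: reads "resolver answer" lines on stdin, prints
# OK or MISMATCH per line, and returns 1 if any resolver disagreed.
compare_answers() {
    expected=$1
    bad=0
    while read -r resolver answer; do
        [ -z "$resolver" ] && continue
        if [ "$answer" = "$expected" ]; then
            printf 'OK       %-18s %s\n' "$resolver" "$answer"
        else
            printf 'MISMATCH %-18s %s (expected %s)\n' "$resolver" "$answer" "$expected"
            bad=1
        fi
    done
    return "$bad"
}

# check_split_dns EXPECTED_IP HOSTNAME RESOLVER...: live run across resolvers.
# Example (placeholder addresses):
#   check_split_dns 192.0.2.10 www.example.sch.uk 10.0.0.5 203.0.113.53
check_split_dns() {
    expected=$1
    host=$2
    shift 2
    for r in "$@"; do
        printf '%s %s\n' "$r" "$(resolve_via "$r" "$host")"
    done | compare_answers "$expected"
}
```

A resolver marked MISMATCH that is only reachable on the Palo path points at the answer being rewritten or served differently on that route rather than at the webserver itself.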