topic Re: How to Ping Public IP on PA500 Interface from same PA Untrust Interface in General Topics

How to Ping Public IP on PA500 Interface from same PA Untrust Interface

mario11584 — Tue, 11 Dec 2012 16:15:53 GMT

Currently we have a Guest Wireless network setup behind our PA. We'd like to use this network as a test network as well, for certain projects we are working on, to act as if it was outside the network. I have done this in the past with other vendor firewalls but I have not been successful in making this happen on a Palo Alto.

Right now, when I connect to this network I am unable to ping the public IP address of the PA firewall. Management is configured to allow ping on that interface. NAT rules and policy based forwarding look okay too.

Any ideas on how to troubleshoot this or fix the issue would be greatly appreciated. I am new to Palo Alto so go easy on me .

Thanks!

Re: How to Ping Public IP on PA500 Interface from same PA Untrust Interface

scantwell — Wed, 12 Dec 2012 02:50:57 GMT

Hi Dave

I just took a stab at this, and get something to work, so you may want to adjust as it fits your network.

I have a TRUST and UNTRUST Zone (as you may have also).

My TrustZone is my internal network.

My NAT rule was TrustL3 to UntrustL3, (DestIP of PublicFW_IP) (Translation of: Orignal Zone, Orignal Zone, NAT of Src and Dest = NONE)

So when my PC in my trusted network, pings the untrusted public IP of my FW, it does not NAT.

This worked for me.

Now, I am not sure if your wireless network is in the SAME Untrust Zone as your Public IP.

To match my setup, maybe your Wireless Nework could be DMZZone (or similar)

Then when you ping from your DMZZone to your UntrustL3Zone (with DestIP of your PublicIP) do not NAT.

Play around, but I think this is very close to what you need to do.

Re: How to Ping Public IP on PA500 Interface from same PA Untrust Interface

mikand — Wed, 12 Dec 2012 13:30:15 GMT

To make ping work you will probably need to create a mgmt-profile (only containing ping) which you attach to untrust and then a security rule which will allow the U-turn NAT to ping this interface from the other zone.

Re: How to Ping Public IP on PA500 Interface from same PA Untrust Interface

scantwell — Wed, 12 Dec 2012 13:38:03 GMT

Mike, how about a good description of what UTurn NAT is, how it is used, etc. Some ppl may not understand. Just a thought. :smileysilly:

Re: How to Ping Public IP on PA500 Interface from same PA Untrust Interface

mario11584 — Wed, 12 Dec 2012 16:39:42 GMT

I appreciate the help everybody. Thanks Steven your explanation and example, it helped me understand the problem and fix it. I am now able to ping the PA public IP address from inside the untrust Guest Wifi network as well as still get out to the internet. In the end I created two NATs. 1 for outbound traffic and one for traffic to the PA public IP address (Uturn NAT ). Just as a reference for others who may wander upon this discussion I've added a screen shot of my configs. The parts I blacked out are the places I added the public IP address of the untrust interface for my internet connection (the public IP I am attempting to ping).

Re: How to Ping Public IP on PA500 Interface from same PA Untrust Interface

mikand — Wed, 12 Dec 2012 20:29:23 GMT

I guess this doc would answer all your NAT related questions 🙂