topic Routing issues on PA410 in General Topics

Routing issues on PA410

sos66sos — Fri, 27 May 2022 14:45:48 GMT

I cannot get traffic to go out my outside interface - it will only go out the Management interface

I have a PA-410 with several Inside interfaces / Outside (connected to an ASA) / Management (connected to my Inside network)
Note: I changed the Outside IP's first 3 octets from the real to 3.3.3. in this post to protect the future public IP for this firewall.

Setup looks like this
PC <-> switch <-> (ethernet1/2.32)PA-410(eithernet1/1) <-> (eithernet0/0)ASA (ethernet0/1)<-> Inside network <-> ISP

If I plug directly into the ASA's 0/0 interface & give my PC an IP in the 3.3.3.104/29 range - I can connect just fine to the internet

Management: 192.168.0.3/24
Inside: 172.31.32.1/24
Internet: 3.3.3.109/29
ASA: 3.3.3.110/29 - The ASA will PAT all traffic so it can cross the Inside network and get to the Internet.
VR - All interfaces added
Includes static route 0.0.0.0/0 -> 3.3.3.110 (See below)

When I connect with my PC to the Palo I get no internet
From the PC I can ping the gateway 172.31.32.1
From the PC I can NOT ping google 8.8.8.8
From the ASA I can ping the Palo outside 3.3.3.109 interface
From the ASA I can ping google (8.8.8.8)
From the Palo CLI I can NOT ping the ASA interface 3.3.3.110
From the Palo CLI I can ping itself 3.3.3.109
From the Palo CLI I can ping google (8.8.8.8) but the ping goes out the management interface not the Outside interface

VIRTUAL ROUTER: DCS-Campus (id 1)
==========
destination nexthop metric flags age interface next-AS
0.0.0.0/0 3.3.3.110 10 A S ethernet1/1
3.3.3.104/29 3.3.3.109 0 A C ethernet1/1
3.3.3.109/32 0.0.0.0 0 A H
172.31.8.0/24 172.31.8.1 0 A C ethernet1/2.8
172.31.8.1/32 0.0.0.0 0 A H
172.31.16.0/24 172.31.16.1 0 A C ethernet1/2.16
172.31.16.1/32 0.0.0.0 0 A H
172.31.24.0/24 172.31.24.1 0 A C ethernet1/2.24
172.31.24.1/32 0.0.0.0 0 A H
172.31.32.0/24 172.31.32.1 0 A C ethernet1/2.32
172.31.32.1/32 0.0.0.0 0 A H
172.31.128.0/24 172.31.128.1 0 A C ethernet1/2.128
172.31.128.1/32 0.0.0.0 0 A H
172.31.192.0/24 172.31.192.1 0 A C ethernet1/2.192
172.31.192.1/32 0.0.0.0 0 A H
172.31.248.0/24 172.31.248.1 0 A C ethernet1/2.248
172.31.248.1/32 0.0.0.0 0 A H
total routes shown: 17

Re: Routing issues on PA410

JayGolf — Fri, 27 May 2022 21:28:08 GMT

Hi @sos66sos ,

Can you paste a screenshot of the traffic logs to include the advanced view when clicking on the microscope icon?

Regards,

Jay

Re: Routing issues on PA410

TomYoung — Sat, 28 May 2022 01:28:34 GMT

Hi @sos66sos ,

Thank you for providing so many details. I have a couple questions:

"From the Palo CLI I can ping google (8.8.8.8) but the ping goes out the management interface not the Outside interface" Did you use the "source" parameter? By default, CLI pings are sourced from the management interface. You need to specify the outside interface IP as a source if you want it to go out that interface.
"From the PC I can NOT ping google 8.8.8.8" Does the ASA have a route back to the Palo for the 172.31.32.0/24 network? It sounds like it does not. It also sounds like it does have a route for the 192.168.0.0/24 network.
"From the Palo CLI I can NOT ping the ASA interface 3.3.3.110" Are pings to the inside interface enabled on the ASA?

Thanks,

Tom

Re: Routing issues on PA410

sos66sos — Sat, 28 May 2022 16:32:08 GMT

I have backed out my configuration and started over - I now see traffic leaving the outside interface. I obviously had something configured incorrectly so I'm not sure what the solution was but I appreciate everyone's input.

Re: Routing issues on PA410

sos66sos — Sat, 28 May 2022 16:34:46 GMT

This was the resolution to the ping issue - I did not source from the outside interface.
I still could not ping until I removed everything and started over. I must have had something configured incorrection - I should not build firewalls when I'm half asleep 🙂