https://live.paloaltonetworks.com/t5/general-topics/can-t-get-internet-access-routing-problem/m-p/15001#M10995 <HTML><HEAD></HEAD><BODY><P>Can you confirm that you can ping next hop from outside interface?</P><P>admin@PA&gt;ping source&nbsp; 68.231.208.87 host&nbsp; 68.231.208.82</P><P></P><P>Also, Just to confirm, did you set up NAT policy as the following:-</P><P>Source Zone:- Trust</P><P>Destination Zone:-&nbsp; Untrust</P><P>Source Address:- Any</P><P>Destination Address:- any</P><P>Source Translation: Dynamic IP and Port, , Untrust Interface, 68.231.208.87/29</P><P></P><P></P><P></P><P>Regards</P><P>Parth</P></BODY></HTML> Fri, 05 Oct 2012 16:07:44 GMT ppatel 2012-10-05T16:07:44Z https://live.paloaltonetworks.com/t5/general-topics/can-t-get-internet-access-routing-problem/m-p/15000#M10994 <HTML><HEAD></HEAD><BODY><P>I have worked with many different types of firewalls, but this is my first time with the Palo Alto 5050. Currently I have a basic configuration, a single internet connection and a VR with a default route, properly addressed interface, policy that allows all traffic, zones, etc. Right now I just want to be able to ping out to the internet, the rest of the setup will be fairly straight forward as I have already began working on it. For some reason I can not make a connection to the internet, I can ping all my interface that I have setup internally but not the gateway. Right now I have been provided with an address such as (fake address), 68.231.208.87/29 (Interface address) and a gateway of 68.231.208.82. I have a VR with a default route of 0.0.0.0/0 to 68.231.208.82 the zone is untrusted and my policy is built to allow all traffic in both directions for the time being. What am I missing? I used this document, <SPAN style="font-size: 10.0pt; font-family: 'Tahoma','sans-serif'; color: black;"><A _jive_internal="true" href="https://live.paloaltonetworks.com/docs/DOC-1195">https://live.paloaltonetworks.com/docs/DOC-1195</A></SPAN> which was helpful but still can not make a connection.</P></BODY></HTML> Fri, 05 Oct 2012 15:33:24 GMT https://live.paloaltonetworks.com/t5/general-topics/can-t-get-internet-access-routing-problem/m-p/15000#M10994 mgross 2012-10-05T15:33:24Z https://live.paloaltonetworks.com/t5/general-topics/can-t-get-internet-access-routing-problem/m-p/15001#M10995 <HTML><HEAD></HEAD><BODY><P>Can you confirm that you can ping next hop from outside interface?</P><P>admin@PA&gt;ping source&nbsp; 68.231.208.87 host&nbsp; 68.231.208.82</P><P></P><P>Also, Just to confirm, did you set up NAT policy as the following:-</P><P>Source Zone:- Trust</P><P>Destination Zone:-&nbsp; Untrust</P><P>Source Address:- Any</P><P>Destination Address:- any</P><P>Source Translation: Dynamic IP and Port, , Untrust Interface, 68.231.208.87/29</P><P></P><P></P><P></P><P>Regards</P><P>Parth</P></BODY></HTML> Fri, 05 Oct 2012 16:07:44 GMT https://live.paloaltonetworks.com/t5/general-topics/can-t-get-internet-access-routing-problem/m-p/15001#M10995 ppatel 2012-10-05T16:07:44Z https://live.paloaltonetworks.com/t5/general-topics/can-t-get-internet-access-routing-problem/m-p/15002#M10996 <HTML><HEAD></HEAD><BODY><P>I can ping the next hop from that address. I didn't have my NAT setup, so I did that but still cannot ping out. </P><P></P><P>It loos like this:</P><P></P><P>Name: Internet</P><P>Tag: None</P><P>Source Zone: trust</P><P>Destination Zone: untrust</P><P>Destination Interface: any</P><P>Source Address: any</P><P>Destination Address: any</P><P>Service: any</P><P>Source Translation: dynamic-ip-and-port, ethernet1/1, 68.231.208.87/29</P></BODY></HTML> Fri, 05 Oct 2012 16:27:21 GMT https://live.paloaltonetworks.com/t5/general-topics/can-t-get-internet-access-routing-problem/m-p/15002#M10996 mgross 2012-10-05T16:27:21Z https://live.paloaltonetworks.com/t5/general-topics/can-t-get-internet-access-routing-problem/m-p/15003#M10997 <HTML><HEAD></HEAD><BODY><P>Can you ping the next hop from the internal interface?</P><P>Is the DNS configured on the firewall , under Device &gt; Setup &gt; Management &gt; Services &gt; DNS settings</P><P></P><P>Regards</P></BODY></HTML> Fri, 05 Oct 2012 16:32:56 GMT https://live.paloaltonetworks.com/t5/general-topics/can-t-get-internet-access-routing-problem/m-p/15003#M10997 ppatel 2012-10-05T16:32:56Z https://live.paloaltonetworks.com/t5/general-topics/can-t-get-internet-access-routing-problem/m-p/15004#M10998 <HTML><HEAD></HEAD><BODY><P>Apologies, I am able to ping from an internal interface, just not through the console. I am not sure why though.</P></BODY></HTML> Fri, 05 Oct 2012 16:34:33 GMT https://live.paloaltonetworks.com/t5/general-topics/can-t-get-internet-access-routing-problem/m-p/15004#M10998 mgross 2012-10-05T16:34:33Z https://live.paloaltonetworks.com/t5/general-topics/can-t-get-internet-access-routing-problem/m-p/15005#M10999 <HTML><HEAD></HEAD><BODY><P>Do you mean,&nbsp; you are not able to ping the gateway from the management ip-address of the firewall?</P><P>Does the following ping fail?</P><P>&gt;ping host <SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;">68.231.208.8</SPAN>2</P><P></P><P>If that is the case, the management interface network might no be configured to have internet access.</P><P>Management interface does not take part in the routing through the firewall unless you configure a Service route configuration for specific services&nbsp; to use one of the datplane interfaces.</P><P>Device&gt;Setup&gt;Service&gt;Service Route configuration</P><P></P><P>Also, make sure DNS is set up on the firewall.</P><P>Let me know if this helps.</P><P></P><P></P><P>Regards</P></BODY></HTML> Fri, 05 Oct 2012 16:43:39 GMT https://live.paloaltonetworks.com/t5/general-topics/can-t-get-internet-access-routing-problem/m-p/15005#M10999 ppatel 2012-10-05T16:43:39Z