Static Routes not Working

trees — Tue, 16 Aug 2016 02:15:25 GMT

I have a network with in my network that I am trying to control access with user-id in the palo alto. Before I can do this I need to get routing working. The routing works just fine up to the palo alto in my test environment. Each interface can talk to the next hop on the otherside but traffic isn't routing across the interfaces. I can not ping source 192.168.111.10 to 192.168.2.1 but I can ping source 192.168.111.10 to 192.168.111.1. This is the same for all interfaces.

Here is a copy of my routing table

VIRTUAL ROUTER: TEST (id 15)
==========
destination nexthop
metric flags age interface next-AS
192.168.0.0/16 192.168.2.1
15 A S ethernet1/3.9514
192.168.3.0/24 192.168.3.251
0 A C ethernet1/3.9514
192.168.3.251/32 0.0.0.0
0 A H
192.168.111.0/24 192.168.111.1
10 S ethernet1/4.9509
192.168.111.0/24 192.168.111.10
0 A C ethernet1/4.9509
192.168.111.10/32 0.0.0.0
0 A H
192.168.112.0/24 192.168.112.1
10 S ethernet1/4.9510
192.168.112.0/24 192.168.112.10
0 A C ethernet1/4.9510
192.168.112.10/32 0.0.0.0
0 A H
total routes shown: 9

Here is how the layer 3 interface is setup

--------------------------------------------------------------------------------
Name: ethernet1/3.9514, ID: 265
Operation mode: layer3
Virtual router TEST
Interface MTU 1500
Interface IP address: 192.168.3.251/24
Interface management profile: Default
ping: yes telnet: no ssh: no http: no https: no
snmp: no response-pages: no userid-service: yes
Service configured:
Interface belong to same subnet as management interface: Yes
Zone: TEST_Untrust, virtual system: vsys1
Adjust TCP MSS: no
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
Name: ethernet1/4.9509, ID: 266
Operation mode: layer3
Virtual router TEST
Interface MTU 1500
Interface IP address: 192.168.111.10/24
Interface management profile: Default
ping: yes telnet: no ssh: no http: no https: no
snmp: no response-pages: no userid-service: yes
Service configured:
Zone: TEST_Trust, virtual system: vsys1
Adjust TCP MSS: no
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
Name: ethernet1/4.9510, ID: 267
Operation mode: layer3
Virtual router TEST
Interface MTU 1500
Interface IP address: 192.168.112.10/24
Interface management profile: Default
ping: yes telnet: no ssh: no http: no https: no
snmp: no response-pages: no userid-service: yes
Service configured:
Zone: TEST_Trust, virtual system: vsys1
Adjust TCP MSS: no
--------------------------------------------------------------------------------

Here are the security policy associated with virtual routes and interfaces

"Inbound TEST untrust to trust" {
from TEST_Untrust;
source any;
source-region none;
to TEST_Trust;
destination any;
destination-region none;
user any;
category any;
application/service any/any/any/any;
action allow;
icmp-unreachable: no
terminal yes;
}

"Outbound TEST trust to untrust" {
from TEST_Trust;
source any;
source-region none;
to TEST_Untrust;
destination any;
destination-region none;
user any;
category any;
application/service any/any/any/any;
action allow;
icmp-unreachable: no
terminal yes;
}

Any help or advice would be greatly apreciated. I have concidered using a virtual wire but now I really just want to figure this out after spending a day on it with no success.

-Michael

Re: Static Routes not Working

emr_1 — Tue, 16 Aug 2016 02:38:20 GMT

I believe following static route is mis-configuration:

192.168.0.0/16 192.168.2.1 15 A S ethernet1/3.9514

ethernet1/3.9514 has 192.168.3.251/24.

Then nexthop should be in range of 192.168.3.0/24, you can't reach to 192.168.2.1.

Re: Static Routes not Working

santonic — Tue, 16 Aug 2016 12:51:20 GMT

Yeah, routes can only point to connected networks.

Re: Static Routes not Working

trees — Tue, 16 Aug 2016 14:45:46 GMT

I originaly had the next hop set as 192.168.3.1 but that didn't work. I will go and change it back.

I can ping with a source of 192.168.3.251 to host 192.168.3.1 and it works. But I can not ping 192.168.3.1 from 192.168.111.10. Is this just not a function of the palo alto to be able to ping from a source to a non connected host?

Re: Static Routes not Working

santonic — Wed, 17 Aug 2016 06:22:28 GMT

Well wherever you point your route to it should be a router (in connected network) and it should have a route for 192.168.111.0/24 as well pointing back at your device (through connected network).

topic Re: Static Routes not Working in General Topics

Static Routes not Working

Re: Static Routes not Working

Re: Static Routes not Working

Re: Static Routes not Working

Re: Static Routes not Working