Static Routes not Working

L1 Bithead

Static Routes not Working

I have a network within my network that I am trying to control access to with User-ID on the Palo Alto. Before I can do this I need to get routing working. The routing works just fine up to the Palo Alto in my test environment. Each interface can talk to the next hop on the other side, but traffic isn't routing across the interfaces. I cannot ping from source 192.168.111.10 to 192.168.2.1, but I can ping from source 192.168.111.10 to 192.168.111.1. This is the same for all interfaces.

Here is a copy of my routing table

VIRTUAL ROUTER: TEST (id 15)
==========
destination          nexthop          metric  flags  age  interface         next-AS
192.168.0.0/16       192.168.2.1      15      A S         ethernet1/3.9514
192.168.3.0/24       192.168.3.251    0       A C         ethernet1/3.9514
192.168.3.251/32     0.0.0.0          0       A H
192.168.111.0/24     192.168.111.1    10      S           ethernet1/4.9509
192.168.111.0/24     192.168.111.10   0       A C         ethernet1/4.9509
192.168.111.10/32    0.0.0.0          0       A H
192.168.112.0/24     192.168.112.1    10      S           ethernet1/4.9510
192.168.112.0/24     192.168.112.10   0       A C         ethernet1/4.9510
192.168.112.10/32    0.0.0.0          0       A H
total routes shown: 9

Here is how the layer 3 interface is setup

--------------------------------------------------------------------------------
Name: ethernet1/3.9514, ID: 265
Operation mode: layer3
Virtual router TEST
Interface MTU 1500
Interface IP address: 192.168.3.251/24
Interface management profile: Default
ping: yes telnet: no ssh: no http: no https: no
snmp: no response-pages: no userid-service: yes
Service configured:
Interface belong to same subnet as management interface: Yes
Zone: TEST_Untrust, virtual system: vsys1
Adjust TCP MSS: no
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
Name: ethernet1/4.9509, ID: 266
Operation mode: layer3
Virtual router TEST
Interface MTU 1500
Interface IP address: 192.168.111.10/24
Interface management profile: Default
ping: yes telnet: no ssh: no http: no https: no
snmp: no response-pages: no userid-service: yes
Service configured:
Zone: TEST_Trust, virtual system: vsys1
Adjust TCP MSS: no
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
Name: ethernet1/4.9510, ID: 267
Operation mode: layer3
Virtual router TEST
Interface MTU 1500
Interface IP address: 192.168.112.10/24
Interface management profile: Default
ping: yes telnet: no ssh: no http: no https: no
snmp: no response-pages: no userid-service: yes
Service configured:
Zone: TEST_Trust, virtual system: vsys1
Adjust TCP MSS: no
--------------------------------------------------------------------------------

Here are the security policies associated with the virtual router and interfaces

"Inbound TEST untrust to trust" {
from TEST_Untrust;
source any;
source-region none;
to TEST_Trust;
destination any;
destination-region none;
user any;
category any;
application/service any/any/any/any;
action allow;
icmp-unreachable: no
terminal yes;
}

"Outbound TEST trust to untrust" {
from TEST_Trust;
source any;
source-region none;
to TEST_Untrust;
destination any;
destination-region none;
user any;
category any;
application/service any/any/any/any;
action allow;
icmp-unreachable: no
terminal yes;
}

Any help or advice would be greatly appreciated. I have considered using a virtual wire, but now I really just want to figure this out after spending a day on it with no success.

-Michael

L4 Transporter

Re: Static Routes not Working

I believe the following static route is misconfigured:

192.168.0.0/16 192.168.2.1 15 A S ethernet1/3.9514

ethernet1/3.9514 has 192.168.3.251/24.

Then the nexthop should be in the range of 192.168.3.0/24; you can't reach 192.168.2.1.

L5 Sessionator

Re: Static Routes not Working

Yeah, routes can only point to connected networks.

L1 Bithead

Re: Static Routes not Working

I originally had the next hop set as 192.168.3.1, but that didn't work. I will go and change it back.

I can ping with a source of 192.168.3.251 to host 192.168.3.1 and it works. But I cannot ping 192.168.3.1 from 192.168.111.10. Is this just not a function of the Palo Alto to be able to ping from a source to a non-connected host?

L5 Sessionator

Re: Static Routes not Working

Well, wherever you point your route, it should be a router (in a connected network), and it should have a route for 192.168.111.0/24 as well, pointing back at your device (through the connected network).
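The two checks the replies describe (a static route's next hop must sit inside the connected subnet of its egress interface, and the router you point at must carry a route back for the source subnet) can be scripted against a routing table. The following is an added example, not code from the original post or from Palo Alto Networks. It embeds the routing table from the first post as data; the neighbour router's table (NEIGHBOR_ROUTES) is constructed for the example and is not on the page.

```python
import ipaddress

# Routing table from the original post, as (destination, nexthop, metric, flags, interface).
# Flags: A = active, S = static, C = connected, H = host route.
ROUTES = [
    ("192.168.0.0/16",    "192.168.2.1",    15, "A S", "ethernet1/3.9514"),
    ("192.168.3.0/24",    "192.168.3.251",   0, "A C", "ethernet1/3.9514"),
    ("192.168.3.251/32",  "0.0.0.0",         0, "A H", None),
    ("192.168.111.0/24",  "192.168.111.1",  10, "S",   "ethernet1/4.9509"),
    ("192.168.111.0/24",  "192.168.111.10",  0, "A C", "ethernet1/4.9509"),
    ("192.168.111.10/32", "0.0.0.0",         0, "A H", None),
    ("192.168.112.0/24",  "192.168.112.1",  10, "S",   "ethernet1/4.9510"),
    ("192.168.112.0/24",  "192.168.112.10",  0, "A C", "ethernet1/4.9510"),
    ("192.168.112.10/32", "0.0.0.0",         0, "A H", None),
]

# Constructed table for the router at 192.168.3.1 (the next hop the poster later
# changed back to). It is NOT from the page; it models what the last reply asks for:
# a route for 192.168.111.0/24 pointing back at the firewall's connected address.
NEIGHBOR_ROUTES = [
    ("192.168.3.0/24",   "192.168.3.1",   0, "A C", "eth0"),
    ("192.168.111.0/24", "192.168.3.251", 1, "A S", "eth0"),
]


def connected_networks(routes):
    """Map each interface to the network of its connected (C) route."""
    nets = {}
    for dest, _nh, _metric, flags, iface in routes:
        if "C" in flags.split():
            nets[iface] = ipaddress.ip_network(dest)
    return nets


def check_static_routes(routes):
    """Return (destination, nexthop, interface, problem) for each static route that
    cannot work as written: next hop outside the egress interface's connected subnet,
    or a static route for a prefix that is already directly connected (the connected
    route has the lower metric, so the static one never becomes active)."""
    connected = connected_networks(routes)
    findings = []
    for dest, nh, _metric, flags, iface in routes:
        if "S" not in flags.split():
            continue
        nexthop = ipaddress.ip_address(nh)
        net = connected.get(iface)
        if net is None:
            findings.append((dest, nh, iface, "egress interface has no connected network"))
        elif nexthop not in net:
            findings.append((dest, nh, iface, f"next hop not in connected subnet {net}"))
        elif ipaddress.ip_network(dest) == net:
            findings.append((dest, nh, iface, "static route duplicates a connected prefix"))
    return findings


def has_return_route(neighbor_routes, source_net, firewall_addr):
    """True if the neighbour's table has a route covering source_net whose next hop
    is the firewall's address in the shared (connected) subnet."""
    src = ipaddress.ip_network(source_net)
    fw = ipaddress.ip_address(firewall_addr)
    for dest, nh, _metric, _flags, _iface in neighbor_routes:
        if src.subnet_of(ipaddress.ip_network(dest)) and ipaddress.ip_address(nh) == fw:
            return True
    return False


if __name__ == "__main__":
    for dest, nh, iface, problem in check_static_routes(ROUTES):
        print(f"{dest} via {nh} on {iface}: {problem}")
    for src in ("192.168.111.0/24", "192.168.112.0/24"):
        ok = has_return_route(NEIGHBOR_ROUTES, src, "192.168.3.251")
        print(f"return route for {src} via 192.168.3.251: {'present' if ok else 'MISSING'}")
```

Run against the posted table, the script flags the 192.168.0.0/16 route (next hop 192.168.2.1 is not inside 192.168.3.0/24 on ethernet1/3.9514) and the two static routes that merely repeat connected prefixes; the return-route check then shows that the upstream router would need a second entry before 192.168.112.0/24 could get replies.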
