Can't get internet access, routing problem?


Not applicable

I have worked with many different types of firewalls, but this is my first time with the Palo Alto 5050. Currently I have a basic configuration: a single internet connection and a VR with a default route, a properly addressed interface, a policy that allows all traffic, zones, etc. Right now I just want to be able to ping out to the internet; the rest of the setup will be fairly straightforward, as I have already begun working on it. For some reason I cannot make a connection to the internet. I can ping all the interfaces that I have set up internally, but not the gateway. Right now I have been provided with an address such as (fake address) 68.231.208.87/29 (interface address) and a gateway of 68.231.208.82. I have a VR with a default route of 0.0.0.0/0 to 68.231.208.82, the zone is untrusted, and my policy is built to allow all traffic in both directions for the time being. What am I missing? I used this document, https://live.paloaltonetworks.com/docs/DOC-1195, which was helpful, but I still cannot make a connection.


Accepted Solutions

L4 Transporter

Can you confirm that you can ping the next hop from the outside interface?

admin@PA> ping source 68.231.208.87 host 68.231.208.82

Also, just to confirm, did you set up the NAT policy as follows:

Source Zone: Trust

Destination Zone: Untrust

Source Address: Any

Destination Address: Any

Source Translation: Dynamic IP and Port, Untrust Interface, 68.231.208.87/29

Regards

Parth


I can ping the next hop from that address. I didn't have my NAT setup, so I did that but still cannot ping out.

It looks like this:

Name: Internet

Tag: None

Source Zone: trust

Destination Zone: untrust

Destination Interface: any

Source Address: any

Destination Address: any

Service: any

Source Translation: dynamic-ip-and-port, ethernet1/1, 68.231.208.87/29

Can you ping the next hop from the internal interface?

Is DNS configured on the firewall, under Device > Setup > Management > Services > DNS settings?

Regards

Apologies, I am able to ping from an internal interface, just not through the console. I am not sure why though.

Do you mean you are not able to ping the gateway from the management IP address of the firewall?

Does the following ping fail?

> ping host 68.231.208.82

If that is the case, the management interface network might not be configured to have internet access.

The management interface does not take part in the routing through the firewall unless you configure a Service Route configuration for specific services to use one of the dataplane interfaces.

Device>Setup>Service>Service Route configuration

Also, make sure DNS is set up on the firewall.

Let me know if this helps.

Regards
