Can't get internet access, routing problem?

Not applicable

I have worked with many different types of firewalls, but this is my first time with the Palo Alto 5050. Currently I have a basic configuration, a single internet connection and a VR with a default route, properly addressed interface, policy that allows all traffic, zones, etc. Right now I just want to be able to ping out to the internet; the rest of the setup will be fairly straightforward as I have already begun working on it. For some reason I cannot make a connection to the internet. I can ping all the interfaces that I have set up internally but not the gateway. Right now I have been provided with an address such as (fake address) 68.231.208.87/29 (interface address) and a gateway of 68.231.208.82. I have a VR with a default route of 0.0.0.0/0 to 68.231.208.82, the zone is untrusted, and my policy is built to allow all traffic in both directions for the time being. What am I missing? I used this document, https://live.paloaltonetworks.com/docs/DOC-1195, which was helpful, but I still cannot make a connection.


Accepted Solutions
L4 Transporter

Re: Can't get internet access, routing problem?

Can you confirm that you can ping next hop from outside interface?

admin@PA>ping source  68.231.208.87 host  68.231.208.82

Also, just to confirm, did you set up the NAT policy as follows:

Source Zone:- Trust

Destination Zone:-  Untrust

Source Address:- Any

Destination Address:- any

Source Translation: Dynamic IP and Port, Untrust Interface, 68.231.208.87/29

Regards

Parth



All Replies
Not applicable

Re: Can't get internet access, routing problem?

I can ping the next hop from that address. I didn't have my NAT setup, so I did that but still cannot ping out.

It looks like this:

Name: Internet

Tag: None

Source Zone: trust

Destination Zone: untrust

Destination Interface: any

Source Address: any

Destination Address: any

Service: any

Source Translation: dynamic-ip-and-port, ethernet1/1, 68.231.208.87/29

L4 Transporter

Re: Can't get internet access, routing problem?

Can you ping the next hop from the internal interface?

Is the DNS configured on the firewall, under Device > Setup > Management > Services > DNS settings?

Regards

Not applicable

Re: Can't get internet access, routing problem?

Apologies, I am able to ping from an internal interface, just not through the console. I am not sure why though.

L4 Transporter

Re: Can't get internet access, routing problem?

Do you mean you are not able to ping the gateway from the management IP address of the firewall?

Does the following ping fail?

>ping host 68.231.208.82

If that is the case, the management interface network might not be configured to have internet access.

The management interface does not take part in the routing through the firewall unless you configure a Service Route Configuration for specific services to use one of the dataplane interfaces.

Device>Setup>Service>Service Route configuration

Also, make sure DNS is set up on the firewall.

Let me know if this helps.

Regards
