10-05-2012 08:33 AM
I have worked with many different types of firewalls, but this is my first time with the Palo Alto 5050. Currently I have a basic configuration: a single internet connection and a VR with a default route, a properly addressed interface, a policy that allows all traffic, zones, etc. Right now I just want to be able to ping out to the internet; the rest of the setup will be fairly straightforward, as I have already begun working on it. For some reason I cannot make a connection to the internet. I can ping all my interfaces that I have set up internally, but not the gateway. Right now I have been provided with an address such as (fake address) 68.231.208.87/29 (interface address) and a gateway of 68.231.208.82. I have a VR with a default route of 0.0.0.0/0 to 68.231.208.82, the zone is untrusted, and my policy is built to allow all traffic in both directions for the time being. What am I missing? I used this document, https://live.paloaltonetworks.com/docs/DOC-1195, which was helpful, but I still cannot make a connection.
10-05-2012 09:07 AM
Can you confirm that you can ping the next hop from the outside interface?
admin@PA>ping source 68.231.208.87 host 68.231.208.82
Also, just to confirm, did you set up the NAT policy as follows:
Source Zone: Trust
Destination Zone: Untrust
Source Address: Any
Destination Address: Any
Source Translation: Dynamic IP and Port, Untrust Interface, 68.231.208.87/29
Regards
Parth
10-05-2012 09:27 AM
I can ping the next hop from that address. I didn't have my NAT set up, so I did that, but I still cannot ping out.
It looks like this:
Name: Internet
Tag: None
Source Zone: trust
Destination Zone: untrust
Destination Interface: any
Source Address: any
Destination Address: any
Service: any
Source Translation: dynamic-ip-and-port, ethernet1/1, 68.231.208.87/29
10-05-2012 09:32 AM
Can you ping the next hop from the internal interface?
Is DNS configured on the firewall, under Device > Setup > Management > Services > DNS Settings?
Regards
10-05-2012 09:34 AM
Apologies, I am able to ping from an internal interface, just not through the console. I am not sure why though.
10-05-2012 09:43 AM
Do you mean you are not able to ping the gateway from the management IP address of the firewall?
Does the following ping fail?
>ping host 68.231.208.82
If that is the case, the management interface network might not be configured to have internet access.
The management interface does not take part in routing through the firewall unless you configure a service route for specific services to use one of the dataplane interfaces:
Device > Setup > Services > Service Route Configuration
Also, make sure DNS is set up on the firewall.
Let me know if this helps.
Regards
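The pieces discussed across the replies above (Parth's NAT rule and the poster's "Internet" rule, plus the service-route point in the last reply), collected into one PAN-OS CLI walk-through. This is an added example, not a configuration posted in the thread. It reuses the thread's addresses (68.231.208.87/29 on ethernet1/1 in zone untrust, next hop 68.231.208.82, a virtual router named "default") and assumes an inside zone named trust, an inside host 10.0.0.10, and a DNS server of 8.8.8.8; none of those last three appear in the thread. The set-command syntax is written from memory of the PAN-OS 5.x CLI and should be confirmed with `?` completion on the device before pasting.

```text
# --- 1. Verify the data plane can reach the next hop (operational mode) ---
# Source the ping from the untrust interface address, not from the management port.
admin@PA> ping source 68.231.208.87 host 68.231.208.82
admin@PA> show routing route          # expect 0.0.0.0/0 via 68.231.208.82 on ethernet1/1

# --- 2. Configuration mode: default route, hide NAT, outbound-only security rule ---
admin@PA> configure
admin@PA# set network virtual-router default routing-table ip static-route default-route destination 0.0.0.0/0 nexthop ip-address 68.231.208.82 interface ethernet1/1

# Source NAT: trust -> untrust, translate to the ethernet1/1 address (dynamic IP and port).
admin@PA# set rulebase nat rules Internet from trust to untrust source any destination any service any to-interface ethernet1/1 source-translation dynamic-ip-and-port interface-address interface ethernet1/1 ip 68.231.208.87/29

# Outbound security rule only; no untrust -> trust allow rule is needed for return traffic,
# because the session table handles replies to sessions opened from trust.
admin@PA# set rulebase security rules Outbound from trust to untrust source any destination any application any service application-default action allow

# --- 3. Management-plane services: DNS server (assumed 8.8.8.8) and a service route ---
# Without a service route, management-plane services (DNS, updates, etc.) leave via the MGT port.
# Service-route syntax varies by PAN-OS release; check with "?" on the device.
admin@PA# set deviceconfig system dns-setting servers primary 8.8.8.8
admin@PA# set deviceconfig system route service dns source address 68.231.208.87/29
admin@PA# commit
admin@PA# exit

# --- 4. Confirm an inside host (assumed 10.0.0.10) would match NAT and security policy ---
# protocol 1 = ICMP
admin@PA> test nat-policy-match from trust to untrust source 10.0.0.10 destination 8.8.8.8 protocol 1
admin@PA> test security-policy-match from trust to untrust source 10.0.0.10 destination 8.8.8.8 protocol 1
admin@PA> show session all filter source 10.0.0.10
```

Two things worth keeping in mind when reading the thread's results against this: `ping host X` from the CLI without a `source` always leaves via the MGT port regardless of service routes, so it says nothing about whether the data plane can reach the internet; use `ping source <interface-ip> host X` for that. And the thread's temporary allow-all policy in both directions is not needed for outbound ping to succeed; once traffic flows, the untrust-to-trust allow rule should be removed rather than left in place.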