Cannot ping interface, IP or defaul gateway from PA 500 to Cisco switch

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Cannot ping interface, IP or defaul gateway from PA 500 to Cisco switch

L2 Linker

Hi all , 

I set up PA 500 to connect to Cisco layer 3 switch. I cannot ping any website or the IP  from PA 500 except the Ip address assigned from Comcast. I look on the NAT, security and virtual routing but nothing wrong. 

 

1. I plug my comcast router to Ethernet1/1 (untrust) and Ethernet1/2( trust) to Cisco switch. PA picked up the DHCP Client (10.0.0.126)( I can ping this Ip from my laptop when I connect to my internet Wifi) and it shows the IP after I hit Commits and show green light. However, I cannot ping website like yahoo or ip or I cannot ping my wifi at home like Cisco ASA except the IP that Comcast assigned for PA 500.  I search from here and everyone said the issue is NAT/security policy/Virtual router. Since this is not a static IP so there is no need for virtual routing (Correct me if I am wrong)

2. My Cisco switch has 2 VLAN 10 (192.168.10.0/24)and 12 (10.33.12.0/24). I assigned IP 192.168.10.50 for PA 500 and from my laptop or server,  I can ping PA 500 but not the comcast IP. (something is not right here) For Cisco ASA, you connect one port from ASA to another port from your switch and you route all your VLAN to ASA port and from ASA you route to the port on switch. 

I attached the file and my routing. I changed my Management Profile all to ping. I did the screenshot before I change

---------------------------------------------------------------------------------------------------------------------------

admin@PA-500> show routing route

flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf
, B:bgp,
Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-t
ype-2, E:ecmp, M:multicast


VIRTUAL ROUTER: default (id 1)
==========
destination nexthop
metric flags age interface next-AS
0.0.0.0/0 10.0.0.1
10 A S ethernet1/1
10.0.0.0/24 10.0.0.126
0 A C ethernet1/1
10.0.0.126/32 0.0.0.0
0 A H
192.168.10.0/24 192.168.10.0
0 A C ethernet1/2
192.168.10.0/32 0.0.0.0
0 A H
total routes shown: 5

VIRTUAL ROUTER: VR1 (id 2)
==========
destination nexthop
metric flags age interface next-AS
total routes shown: 0

admin@PA-500>
admin@PA-500>
admin@PA-500>

admin@PA-500> ping source 10.0.0.126 host 8.8.8.8
bind: Cannot assign requested address
admin@PA-500> ping source host 8.8.8.8

Invalid syntax.
admin@PA-500> show rulebase security rule

Invalid syntax.
admin@PA-500> configuration
Unknown command: configuration
admin@PA-500> conf
Unknown command: conf
admin@PA-500> configure
Entering configuration mode
[edit]
admin@PA-500# show rulebase security rules
rules {
bad-application-block {
from trust;
to untrust;
source any;
destination any;
service any;
application peer-to-peer;
action deny;
log-end yes;
source-user any;
category any;
hip-profiles any;
}
internet-acces {
profile-setting {
profiles {
url-filtering default;
virus default;
spyware default;
vulnerability default;
wildfire-analysis default;
}
}
to untrust;
from trust;
source any;
destination any;
source-user any;
category any;
application any;
service application-default;
hip-profiles any;
action allow;
}
}
[edit]
admin@PA-500#
[edit]
admin@PA-500# show zone
zone {
trust {
network {
layer3 ethernet1/2;
}
}
untrust {
network {
layer3 ethernet1/1;
}
}
WAN {
network {
layer3;
}
}
LAN {
network {
layer3;
}
}
}
[edit]
admin@PA-500# show interface all

Invalid syntax.
[edit]
admin@PA-500# exit
Exiting configuration mode
admin@PA-500> show interface all

total configured hardware interfaces: 7

name id speed/duplex/state mac address
--------------------------------------------------------------------------------
ethernet1/1 16 1000/full/up d4:f4:be:26:8d:10
ethernet1/2 17 1000/full/up d4:f4:be:26:8d:11
ethernet1/3 18 ukn/ukn/down(autoneg) d4:f4:be:26:8d:12
ethernet1/4 19 ukn/ukn/down(autoneg) d4:f4:be:26:8d:13
vlan 1 [n/a]/[n/a]/up d4:f4:be:26:8d:01
loopback 3 [n/a]/[n/a]/up d4:f4:be:26:8d:03
tunnel 4 [n/a]/[n/a]/up d4:f4:be:26:8d:04

aggregation groups: 0



Please note you are posting a public message where community members and experts can provide assistance. Sharing private information such as serial numbers or company information is not recommended.
12 REPLIES 12

Cyber Elite
Cyber Elite

I see error "bind: Cannot assign requested address".

Can you share screenshot of popup you get when you click on "Dynamic DHCP Client" link on ethernet1/1?

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Hi, 

I can be able to ping from my interface with source. 

ping 10.0.0.0.125 source 8.8.8.8 or 74.6.143.26 (yahoo.com) but I cannot ping directly the ip or website

For Cisco ASA, this is DNS issue because firewall needs to translate the website to IP and DNS lookup outside and assign DNS will fix the issue and I look DNS proxy and add 8.8.8.8 but it didn't help.

 

--------------------------------------------------------------------------------------------------------------------------

 

admin@PA-500> ping host 10.0.0.1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
From 192.168.10.1 icmp_seq=1 Destination Host Unreachable
From 192.168.10.1 icmp_seq=2 Destination Host Unreachable
From 192.168.10.1 icmp_seq=4 Destination Host Unreachable
From 192.168.10.1 icmp_seq=5 Destination Host Unreachable
From 192.168.10.1 icmp_seq=6 Destination Host Unreachable
^C
--- 10.0.0.1 ping statistics ---
6 packets transmitted, 0 received, +5 errors, 100% packet loss, time 5005ms

admin@PA-500> ping host 10.0.0.234
PING 10.0.0.234 (10.0.0.234) 56(84) bytes of data.
From 192.168.10.1 icmp_seq=1 Destination Host Unreachable
From 192.168.10.1 icmp_seq=2 Destination Host Unreachable
From 192.168.10.1 icmp_seq=3 Destination Host Unreachable
^C
--- 10.0.0.234 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2004ms

admin@PA-500> ping host 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
From 192.168.10.1 icmp_seq=1 Destination Host Unreachable
From 192.168.10.1 icmp_seq=2 Destination Host Unreachable
From 192.168.10.1 icmp_seq=3 Destination Host Unreachable
From 192.168.10.1 icmp_seq=4 Destination Host Unreachable
^C
--- 8.8.8.8 ping statistics ---
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 2997ms
admin@PA-500> ping host 10.0.0.125
PING 10.0.0.125 (10.0.0.125) 56(84) bytes of data.
64 bytes from 10.0.0.125: icmp_seq=1 ttl=64 time=0.236 ms
64 bytes from 10.0.0.125: icmp_seq=2 ttl=64 time=0.132 ms
64 bytes from 10.0.0.125: icmp_seq=3 ttl=64 time=0.118 ms
64 bytes from 10.0.0.125: icmp_seq=4 ttl=64 time=0.115 ms
^C
--- 10.0.0.125 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2997ms
rtt min/avg/max/mdev = 0.115/0.150/0.236/0.050 ms
admin@PA-500> ping host 10.0.0.1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
From 192.168.10.1 icmp_seq=1 Destination Host Unreachable
From 192.168.10.1 icmp_seq=2 Destination Host Unreachable
From 192.168.10.1 icmp_seq=4 Destination Host Unreachable
From 192.168.10.1 icmp_seq=5 Destination Host Unreachable
From 192.168.10.1 icmp_seq=6 Destination Host Unreachable
^C
--- 10.0.0.1 ping statistics ---
6 packets transmitted, 0 received, +5 errors, 100% packet loss, time 5005ms

admin@PA-500> ping host 10.0.0.234
PING 10.0.0.234 (10.0.0.234) 56(84) bytes of data.
From 192.168.10.1 icmp_seq=1 Destination Host Unreachable
From 192.168.10.1 icmp_seq=2 Destination Host Unreachable
From 192.168.10.1 icmp_seq=3 Destination Host Unreachable
^C
--- 10.0.0.234 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2004ms

admin@PA-500> ping host 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
From 192.168.10.1 icmp_seq=1 Destination Host Unreachable
From 192.168.10.1 icmp_seq=2 Destination Host Unreachable
From 192.168.10.1 icmp_seq=3 Destination Host Unreachable
From 192.168.10.1 icmp_seq=4 Destination Host Unreachable
^C
--- 8.8.8.8 ping statistics ---
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 2997ms

admin@PA-500> ping host 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
From 192.168.10.1 icmp_seq=1 Destination Host Unreachable
From 192.168.10.1 icmp_seq=2 Destination Host Unreachable
From 192.168.10.1 icmp_seq=3 Destination Host Unreachable
From 192.168.10.1 icmp_seq=4 Destination Host Unreachable
^C
--- 8.8.8.8 ping statistics ---
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3013ms

admin@PA-500> ping source 10.0.0.125 host 8.8.8.8
PING 8.8.8.8 (8.8.8.8) from 10.0.0.125 : 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=58 time=14.6 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=58 time=12.8 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=58 time=13.0 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=58 time=12.9 ms
64 bytes from 8.8.8.8: icmp_seq=5 ttl=58 time=13.4 ms
64 bytes from 8.8.8.8: icmp_seq=6 ttl=58 time=17.8 ms
64 bytes from 8.8.8.8: icmp_seq=7 ttl=58 time=13.6 ms
64 bytes from 8.8.8.8: icmp_seq=8 ttl=58 time=13.4 ms
^C
--- 8.8.8.8 ping statistics ---
8 packets transmitted, 8 received, 0% packet loss, time 7071ms
rtt min/avg/max/mdev = 12.880/13.988/17.888/1.574 ms
admin@PA-500> ping source 10.0.0.125 host yahoo.com
ping: unknown host yahoo.com
admin@PA-500> ping source 10.0.0.125 host www.yahoo.com
ping: unknown host www.yahoo.com
admin@PA-500> ping source 10.0.0.125 host 74.6.143.26
PING 74.6.143.26 (74.6.143.26) from 10.0.0.125 : 56(84) bytes of data.
64 bytes from 74.6.143.26: icmp_seq=1 ttl=50 time=95.5 ms
64 bytes from 74.6.143.26: icmp_seq=2 ttl=50 time=87.8 ms
64 bytes from 74.6.143.26: icmp_seq=3 ttl=50 time=90.5 ms
64 bytes from 74.6.143.26: icmp_seq=4 ttl=50 time=88.7 ms
64 bytes from 74.6.143.26: icmp_seq=5 ttl=50 time=89.1 ms
^C
--- 74.6.143.26 ping statistics ---
6 packets transmitted, 5 received, 16% packet loss, time 5051ms
rtt min/avg/max/mdev = 87.815/90.357/95.515/2.731 ms
admin@PA-500> show dns-proxy statistics all

admin@PA-500> show dns-proxy statistics all

admin@PA-500> show dns-proxy statistics all

admin@PA-500> show dns-proxy cache all

Name: mgmt-obj
Cache settings:
cache-edns: enabled
entries: 0
Domain IP/Name Type Class TTL Hits
--------------------------------------------------------------------------------
---------------------------------------------


admin@PA-500> ping source 10.0.0.125 host 74.6.143.26
PING 74.6.143.26 (74.6.143.26) from 10.0.0.125 : 56(84) bytes of data.
64 bytes from 74.6.143.26: icmp_seq=1 ttl=50 time=92.9 ms
64 bytes from 74.6.143.26: icmp_seq=2 ttl=50 time=89.6 ms
64 bytes from 74.6.143.26: icmp_seq=3 ttl=50 time=88.7 ms
64 bytes from 74.6.143.26: icmp_seq=4 ttl=50 time=90.0 ms
64 bytes from 74.6.143.26: icmp_seq=5 ttl=50 time=88.6 ms
64 bytes from 74.6.143.26: icmp_seq=6 ttl=50 time=90.7 ms
64 bytes from 74.6.143.26: icmp_seq=7 ttl=50 time=88.4 ms
^C
--- 74.6.143.26 ping statistics ---
7 packets transmitted, 7 received, 0% packet loss, time 6056ms
rtt min/avg/max/mdev = 88.456/89.893/92.911/1.473 ms
admin@PA-500> ping source 10.0.0.125 host yahoo.com
ping: unknown host yahoo.com
admin@PA-500> ping source 10.0.0.125 host yahoo.com
ping: unknown host yahoo.com
admin@PA-500> configure
Entering configuration mode
[edit]
admin@PA-500# set network dns-proxy vptest interface ethernet1/1 enabled yes

Server error : vptest -> interface 'ethernet1/1' is not a valid reference
vptest -> interface is invalid
[edit]
admin@PA-500# set network dns-proxy vptest interface ethernet1/2 enabled yes

[edit]
admin@PA-500# set network dns-proxy vptest default primary 10.0.0.1

[edit]
admin@PA-500# set network dns-proxy vptest default primary 75.75.75.75

[edit]
admin@PA-500# commit

 

Commit job 6 is in progress. Use Ctrl+C to return to command prompt
....................................55%...........75%.....98%................100%
Configuration committed successfully

[edit]
admin@PA-500# show dns-proxy statistics all

Invalid syntax.
[edit]
admin@PA-500# exi
Unknown command: exi
[edit]
admin@PA-500# exit
Exiting configuration mode
admin@PA-500> show dns-proxy statistics all

Name: vptest
Interfaces: ethernet1/2
Counters:
Queries received from hosts:0
Responses returned to hosts:0
Queries forwarded to servers:0
Responses received from servers:0
Queries pending:0
TCP:0
UDP:0
--------------------------------------

admin@PA-500> show dns-proxy cache all

Name: mgmt-obj
Cache settings:
cache-edns: enabled
entries: 0
Domain IP/Name Type Class TTL Hits
--------------------------------------------------------------------------------
---------------------------------------------

Name: vptest
Cache settings:
cache-edns: enabled
entries: 0
Domain IP/Name Type Class TTL Hits
--------------------------------------------------------------------------------
---------------------------------------------


admin@PA-500> ping source 10.0.0.125 host 8.8.8.8
PING 8.8.8.8 (8.8.8.8) from 10.0.0.125 : 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=58 time=19.8 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=58 time=12.7 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=58 time=13.1 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=58 time=13.9 ms
64 bytes from 8.8.8.8: icmp_seq=5 ttl=58 time=11.7 ms
^C
--- 8.8.8.8 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4040ms
rtt min/avg/max/mdev = 11.768/14.307/19.891/2.881 ms
admin@PA-500> ping source 10.0.0.125 host yahoo.com
ping: unknown host yahoo.com
admin@PA-500>

 

Cyber Elite
Cyber Elite

ping host 8.8.8.8 - ping requests go out from management interface

ping source 10.0.0.125 host 8.8.8.8 - ping requests go out from dataplane interface that has IP 10.0.0.125 assigned.

 

If command ping host 8.8.8.8 does not work it means your firewall management interface can't access internet.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Hi Raido, 

So what is the issue? NAT/policy/virtual router? From my laptop with my comcast Wifi, I can ping 10.0.0.125  but from PA 500, I cannot ping my laptop IP. 

Cyber Elite
Cyber Elite

what is output of 

show interface management

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

admin@PA-500> show interface all

total configured hardware interfaces: 7

name id speed/duplex/state mac address
--------------------------------------------------------------------------------
ethernet1/1 16 1000/full/up d4:f4:be:26:8d:10
ethernet1/2 17 1000/full/up d4:f4:be:26:8d:11
ethernet1/3 18 ukn/ukn/down(autoneg) d4:f4:be:26:8d:12
ethernet1/4 19 ukn/ukn/down(autoneg) d4:f4:be:26:8d:13
vlan 1 [n/a]/[n/a]/up d4:f4:be:26:8d:01
loopback 3 [n/a]/[n/a]/up d4:f4:be:26:8d:03
tunnel 4 [n/a]/[n/a]/up d4:f4:be:26:8d:04

aggregation groups: 0


total configured logical interfaces: 7

name id vsys zone forwarding tag
address
------------------- ----- ---- ---------------- ------------------------ ------
------------------
ethernet1/1 16 1 untrust vr:default 0
10.0.0.126/24
ethernet1/2 17 1 trust vr:default 0
192.168.10.0/24
ethernet1/3 18 1 N/A 0
N/A
ethernet1/4 19 1 N/A 0
N/A
vlan 1 1 N/A 0
N/A
loopback 3 1 N/A 0
N/A
tunnel 4 1 N/A 0
N/A

 

--------------------------------------------------------

admin@PA-500# show rulebase security rules
rules {
bad-application-block {
from trust;
to untrust;
source any;
destination any;
service any;
application peer-to-peer;
action deny;
log-end yes;
source-user any;
category any;
hip-profiles any;
}
internet-acces {
profile-setting {
profiles {
url-filtering default;
virus default;
spyware default;
vulnerability default;
wildfire-analysis default;
}
}
to untrust;
from trust;
source any;
destination any;
source-user any;
category any;
application any;
service application-default;
hip-profiles any;
action allow;
}
}
[edit]
admin@PA-500#
[edit]
admin@PA-500# show zone
zone {
trust {
network {
layer3 ethernet1/2;
}
}
untrust {
network {
layer3 ethernet1/1;
}
}
WAN {
network {
layer3;
}
}
LAN {
network {
layer3;
}
}
}
[edit]

 

 

admin@PA-500> show routing route

flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf
, B:bgp,
Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-t
ype-2, E:ecmp, M:multicast


VIRTUAL ROUTER: VR1 (id 2)
==========
destination nexthop
metric flags age interface next-AS
total routes shown: 0

admin@PA-500>admin@PA-500> show routing route

flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf
, B:bgp,
Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-t
ype-2, E:ecmp, M:multicast


VIRTUAL ROUTER: VR1 (id 2)
==========
destination nexthop
metric flags age interface next-AS
total routes shown: 0

admin@PA-500> show system-diskspace

Invalid syntax.
admin@PA-500>
admin@PA-500> show system disk-space

Filesystem Size Used Avail Use% Mounted on
/dev/sda2 3.8G 1.8G 1.9G 49% /
/dev/sda5 7.6G 2.1G 5.1G 29% /opt/pancfg
/dev/sda6 3.8G 2.3G 1.4G 62% /opt/panrepo
tmpfs 993M 116M 878M 12% /dev/shm
/dev/sda8 125G 199M 118G 1% /opt/panlogs
tmpfs 12M 0 12M 0% /opt/pancfg/mgmt/lcaas/ssl/private

Cyber Elite
Cyber Elite

"show interface all" does not show details about management interface.

 

Please paste output of "show interface management"

 

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Thank you

admin@PA-500> show interface management


-------------------------------------------------------------------------------
Name: Management Interface
Link status:
Runtime link speed/duplex/state: 1000/full/up
Configured link speed/duplex/state: auto/auto/auto
MAC address:
Port MAC address d4:f4:be:26:8d:00

Ip address: 192.168.10.50
Netmask: 255.255.255.0
Default gateway: 192.168.10.1
Ipv6 address: unknown
Ipv6 link local address: fe80::d6f4:beff:fe26:8d00/64
Ipv6 default gateway:
-------------------------------------------------------------------------------


-------------------------------------------------------------------------------
Logical interface counters:
-------------------------------------------------------------------------------
bytes received 16878
bytes transmitted 258
packets received 185
packets transmitted 3
receive errors 0
transmit errors 0
receive packets dropped 0
transmit packets dropped 0
multicast packets received 0
-------------------------------------------------------------------------------

Cyber Elite
Cyber Elite

Does "ping host 192.168.10.1" work? This would ping from mgmt interface to default gw IP.

Have you configured NAT to change 192.168.10.0/24 IP to 10.0.0.126 and security policy to permit trust to untrust traffic?

What is output of Monitor > Traffic if you run commands "ping host 192.168.10.1" and "ping host 9.9.9.9" and use filter below?

(addr.dst in 192.168.10.1 ) or (addr.dst in 9.9.9.9 )

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Yes, I can ping 192.168.10.1 because this is my default GW from DHCP server

I assigned the firewall with the static IP 192.168.10.50 255.255.255.0 192.168.10.1 the same VLAN on my switch so from firewall, I can ping all the desktop and servers and the other way. 

Hi , 

I have been OOO and just get back. I can make it work. All about DNS issue like ASA. 

Thank you for your time. 

One thing, 

How do I back up entire config the PA from CLI , not from snapshot? Cisco is all from show run. 

 

Thank you

Cyber Elite
Cyber Elite

If it is standalone firewall and config is not pushed from Panorama then you can get config from cli using commands below.

 

> set cli config-output-format set

> configure

# show

 

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
  • 6638 Views
  • 12 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!