07-29-2013 07:52 PM
Hi there
We're in the process of cutting over to a new internet connection and I'm trying to get our PA 2050 configured to handle to new IP range but I'm a bit stuck. We've been assigned the 111.69.54.112/28 subnet with 111.69.54.113 being the default gateway.
Currently I've set the external interface to 111.69.54.112/28 and configured a virtual router with a static route for 0.0.0.0/0 to 111.69.54.113. Finally I've set an outbound NAT rule of Dynamic IP and Port, address type is Interface Address, interface is ethernet 1/2 (the external interface) and the IP address is 111.69.54.112/28 but no joy.
I'm basing this config on our existing working config but that one has the default gateway outside the subnet assigned to us. That subnet is 203.167.208.174/30 and the default gateway is 203.167.203.173.
Any suggestions on where I've gone wrong?
07-31-2013 08:11 PM
The portions of your configuration that you have posted appear to be correct. You can check the traffic logs to see if the traffic is being translated. From there, you may want to open a case with support.
07-29-2013 08:09 PM
Do you see the arp entry for the new def gateway.
>show arp all
07-29-2013 08:16 PM
Yes, first entry in the arp table
| interface | ip address | hw address | port | status ttl |
--------------------------------------------------------------------------------
| ethernet1/2 | 111.69.54.113 a8:d0:e5:05:2a:41 ethernet1/2 | c | 1142 |
07-29-2013 08:24 PM
Can you ping .113 from .112 (you might want to enable management profile for testing).
I can reach 111.69.54.113 from my side.
07-29-2013 08:41 PM
No can't ping it but in saying that, can't ping the upstream router from the existing external interface and that still works anyway. The management profile is set to allow ping.
07-29-2013 08:47 PM
Can we try sending out garps on that interface to confirm the correct hw address
https://live.paloaltonetworks.com/docs/DOC-2878
There is no deny all policy right?
07-29-2013 09:08 PM
test arp gratuitous ip 111.69.54.112/28 interface ethernet1/2
1 ARPs were sent
Still no internet access. I do have a deny all rule at the bottom of my security rules. Checking the network monitor from my test IP, I can see my traceroute and internet activity being allowed by my Layer 3 External rule.
07-29-2013 09:23 PM
Any interface errors
show interface ethernet1/2
have you tried changing the cable.
If all of the above does not work please open a support case with us.
07-30-2013 06:16 AM
Make sure that the interfaces you are sending traffic to and from are both part of the same virtual router. If they are using seperate virtual routers you will need to set up routing between them.
07-31-2013 07:56 PM
Actually it appears I misunderstood what our ISP set up for us. I received this email from them.
You have been allocated a new subnet 111.69.54.112/28. We have configured 111.69.54.113 in our core. The rest of the addresses .114 to .126 are available for you to use on your firewall for interface addressing, NAT etc. You will need to change the ip address on the outside of your firewall to one of these available addresses and change your default route to point to next hop 111.69.54.113.
So my question is then, how do I got about setting up my external interface to have the IP addresses from .114 to .126 and what would my outbound NAT rule look like?
Here's some of my current non-functional config
07-31-2013 08:11 PM
The portions of your configuration that you have posted appear to be correct. You can check the traffic logs to see if the traffic is being translated. From there, you may want to open a case with support.
07-31-2013 11:46 PM
Please change the Interface IP for Ethernet 1/2 from 111.69.54.114/32 to 111.69.54.114/28 and choose this IP in your Outbound NAT config.
07-31-2013 11:52 PM
Thanks, turns out I had made a mistake in my test machine's set up. Frustrating when the router config was right all along.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
