How to Ping Public IP on PA500 Interface from same PA Untrust Interface

mario11584
L4 Transporter


Currently we have a Guest Wireless network setup behind our PA. We'd like to use this network as a test network as well, for certain projects we are working on, to act as if it was outside the network. I have done this in the past with other vendor firewalls but I have not been successful in making this happen on a Palo Alto.

Right now, when I connect to this network I am unable to ping the public IP address of the PA firewall. Management is configured to allow ping on that interface. NAT rules and policy based forwarding look okay too.

Any ideas on how to troubleshoot this or fix the issue would be greatly appreciated. I am new to Palo Alto so go easy on me :smileywink:.

Thanks!


Accepted Solutions
scantwell
L4 Transporter

Hi Dave

I just took a stab at this and got something to work, so you may want to adjust it to fit your network.

I have a TRUST and UNTRUST Zone (as you may have also).

My TrustZone is my internal network.

My NAT rule was TrustL3 to UntrustL3 (DestIP of PublicFW_IP) (Translation of: Original Zone, Original Zone, NAT of Src and Dest = NONE)

So when my PC in my trusted network pings the untrusted public IP of my FW, it does not NAT.

This worked for me.

Now, I am not sure if your wireless network is in the SAME Untrust Zone as your Public IP.

To match my setup, maybe your Wireless Network could be DMZZone (or similar).

Then when you ping from your DMZZone to your UntrustL3Zone (with DestIP of your PublicIP), do not NAT.

Play around, but I think this is very close to what you need to do.



All Replies

mikand
L6 Presenter

To make ping work you will probably need to create a mgmt-profile (only containing ping) which you attach to untrust and then a security rule which will allow the U-turn NAT to ping this interface from the other zone.

scantwell
L4 Transporter

Mike, how about a good description of what U-turn NAT is, how it is used, etc.? Some people may not understand. Just a thought. :smileysilly:

mario11584
L4 Transporter

I appreciate the help, everybody. Thanks Steven, your explanation and example helped me understand the problem and fix it. I am now able to ping the PA public IP address from inside the untrust Guest Wifi network and still get out to the internet. In the end I created two NATs: one for outbound traffic and one for traffic to the PA public IP address (U-turn NAT :smileywink:). Just as a reference for others who may wander upon this discussion, I've added a screenshot of my configs. The parts I blacked out are the places where I added the public IP address of the untrust interface for my internet connection (the public IP I am attempting to ping).

[Attachment: Screen Shot 2012-12-12 at 9.32.14 AM.png]
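The two-NAT-rule setup that scantwell described and mario11584 confirmed, written out as PAN-OS CLI `set` commands. This is an added example, not configuration from the original posts or from Palo Alto Networks; the zone names (Guest-WiFi, Untrust), the interface ethernet1/1, the profile and rule names, the guest subnet 192.168.50.0/24, the client 192.168.50.20 and the firewall public IP 203.0.113.10 are all assumptions, so substitute your own. The part that matters is step 4: NAT rules are evaluated top-down, first match, so the no-NAT rule for traffic to the firewall's own public IP must sit above the catch-all outbound source-NAT rule, otherwise the ping is source-translated and never comes back.

```text
# --- configure mode (all names and addresses below are assumed; adjust to your network) ---
configure

# 1. Let the untrust interface answer ping: interface management profile with only ping enabled
set network profiles interface-management-profile Allow-Ping ping yes
set network interface ethernet ethernet1/1 layer3 interface-management-profile Allow-Ping

# 2. No-NAT rule: Guest-WiFi -> Untrust, destination = firewall public IP,
#    no source-translation and no destination-translation (the "U-turn" case in this thread)
set rulebase nat rules No-NAT-to-FW-Public from Guest-WiFi to Untrust source 192.168.50.0/24 destination 203.0.113.10 service any

# 3. Normal outbound NAT for guest internet access: hide behind the untrust interface address
set rulebase nat rules Guest-Outbound from Guest-WiFi to Untrust source 192.168.50.0/24 destination any service any source-translation dynamic-ip-and-port interface-address interface ethernet1/1

# 4. Ordering: NAT rules are first-match top-down, so the specific no-NAT rule goes above the catch-all
move rulebase nat rules No-NAT-to-FW-Public before Guest-Outbound

# 5. Security policy for the ping itself; keep it narrow (ping only, to the public IP only)
set rulebase security rules Allow-Ping-FW-Public from Guest-WiFi to Untrust source 192.168.50.0/24 destination 203.0.113.10 application ping service application-default action allow

commit
exit

# --- operational mode: check which rules a guest client's ping actually matches (protocol 1 = ICMP) ---
test nat-policy-match from Guest-WiFi to Untrust source 192.168.50.20 destination 203.0.113.10 protocol 1
test security-policy-match from Guest-WiFi to Untrust source 192.168.50.20 destination 203.0.113.10 protocol 1 application ping

# and confirm the live session shows no source translation while the ping runs
show session all filter source 192.168.50.20 destination 203.0.113.10
```

If, as in the original question, the guest network stays in the same Untrust zone as the public interface, use Untrust as both the `from` and `to` zone in the NAT and security rules; intrazone traffic is allowed by the default rule, but an explicit allow rule is still needed if you have tightened the intrazone default. The `test nat-policy-match` output is the quickest way to see whether the ping is landing on the no-NAT rule or falling through to the outbound rule.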

mikand
L6 Presenter

I guess this doc would answer all your NAT related questions :-)
