12-11-2012 08:15 AM
Currently we have a Guest Wireless network setup behind our PA. We'd like to use this network as a test network as well, for certain projects we are working on, to act as if it was outside the network. I have done this in the past with other vendor firewalls but I have not been successful in making this happen on a Palo Alto.
Right now, when I connect to this network I am unable to ping the public IP address of the PA firewall. Management is configured to allow ping on that interface. NAT rules and policy based forwarding look okay too.
Any ideas on how to troubleshoot this or fix the issue would be greatly appreciated. I am new to Palo Alto so go easy on me.
Thanks!
12-11-2012 06:50 PM
Hi Dave
I just took a stab at this, and got something to work, so you may want to adjust as it fits your network.
I have a TRUST and UNTRUST Zone (as you may have also).
My TrustZone is my internal network.
My NAT rule was TrustL3 to UntrustL3, (DestIP of PublicFW_IP) (Translation of: Original Zone, Original Zone, NAT of Src and Dest = NONE)
So when my PC in my trusted network pings the untrusted public IP of my FW, it does not NAT.
This worked for me.
Now, I am not sure if your wireless network is in the SAME Untrust Zone as your Public IP.
To match my setup, maybe your Wireless Network could be DMZZone (or similar).
Then when you ping from your DMZZone to your UntrustL3Zone (with DestIP of your PublicIP) do not NAT.
Play around, but I think this is very close to what you need to do.
12-12-2012 05:30 AM
To make ping work you will probably need to create a mgmt-profile (only containing ping) which you attach to untrust and then a security rule which will allow the U-turn NAT to ping this interface from the other zone.
12-12-2012 05:38 AM
Mike, how about a good description of what U-turn NAT is, how it is used, etc.? Some ppl may not understand. Just a thought.
12-12-2012 08:39 AM
I appreciate the help everybody. Thanks Steven, your explanation and example helped me understand the problem and fix it. I am now able to ping the PA public IP address from inside the untrust Guest Wifi network as well as still get out to the internet. In the end I created two NATs: one for outbound traffic and one for traffic to the PA public IP address (U-turn NAT). Just as a reference for others who may wander upon this discussion I've added a screenshot of my configs. The parts I blacked out are the places I added the public IP address of the untrust interface for my internet connection (the public IP I am attempting to ping).
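As an added example (not from the thread, and not Palo Alto's own documentation), here are the pieces the replies above describe expressed as PAN-OS CLI set commands: a ping-only management profile on the untrust interface, a no-translation (U-turn) NAT rule ordered ahead of the outbound hide NAT, and a security rule limited to the ping application. Zone names Guest-Wifi and Untrust, interface ethernet1/1 and the address 203.0.113.10 are assumed placeholders; lines beginning with # are annotations, not CLI input.

```text
# Assumed names: zone Guest-Wifi (guest SSID), zone Untrust, public-facing
# interface ethernet1/1; 203.0.113.10 is a placeholder for the untrust IP.

configure

# 1. Management profile that answers ping only, attached to the untrust
#    interface. Leave ssh/https off so the guest zone cannot reach management.
set network profiles interface-management-profile Ping-Only ping yes
set network interface ethernet ethernet1/1 layer3 interface-management-profile Ping-Only

# 2. U-turn NAT rule: guest traffic addressed to the firewall's own public IP
#    is matched but left untranslated (no source or destination translation).
set rulebase nat rules Guest-to-FW-NoNAT from Guest-Wifi to Untrust source any destination 203.0.113.10 service any to-interface any

# 3. Ordinary outbound hide NAT for everything else leaving the guest zone.
set rulebase nat rules Guest-Outbound from Guest-Wifi to Untrust source any destination any service any to-interface any source-translation dynamic-ip-and-port interface-address interface ethernet1/1

# NAT rules are evaluated top down: the no-NAT rule must sit above the
# outbound rule, otherwise the outbound rule matches first.
move rulebase nat rules Guest-to-FW-NoNAT before Guest-Outbound

# 4. Security policy. The destination zone stays Untrust because nothing
#    rewrote the destination; only the ping application is permitted to the
#    firewall address, followed by the general guest internet rule.
set rulebase security rules Guest-Ping-FW from Guest-Wifi to Untrust source any destination 203.0.113.10 application ping service application-default action allow
set rulebase security rules Guest-Internet from Guest-Wifi to Untrust source any destination any application any service any action allow

commit

# Verification from operational mode after the commit (192.168.50.20 is a
# placeholder guest client address; protocol 1 is ICMP):
# test nat-policy-match from Guest-Wifi to Untrust source 192.168.50.20 destination 203.0.113.10 protocol 1
# test security-policy-match from Guest-Wifi to Untrust source 192.168.50.20 destination 203.0.113.10 protocol 1 application ping
```

The two test commands should report Guest-to-FW-NoNAT and Guest-Ping-FW respectively; if the NAT test returns Guest-Outbound, the rule order is wrong.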