How to reach the Palo Alto management interface from my internal network


Hi,

I'm fairly new to Palo Alto firewalls and just set up a home lab, but I have a problem accessing the management interface from my local network.

I have 4 network devices in my network:

- Modem/Router
- Palo Alto PA-500 (PAN-OS 7.1)
- Cisco 2960 switch
- Cisco 1602 AP


I'll try to explain how everything is connected, but I also added a picture of the topology, which probably makes more sense than my explanation.

Topology.jpg

Router --> Palo Alto --> Switch --> AP

Router --> Palo Alto: 192.168.0.0/24 subnet. Router is .1 and Palo Alto is .2


Palo Alto --> switch: One physical interface on the Palo Alto that has one subinterface (10.0.30.1/24), which is configured as a DHCP server for wireless clients in VLAN 30. The switch side of this connection is configured as a trunk with all VLANs allowed.
The Palo Alto also has a (physical, dedicated) management interface which has the 192.168.99.1/24 address.
I also connected a cable from the Palo Alto's dedicated management interface to the switch. The switch port is an access port in VLAN 99 (management).


Switch --> AP: The switch port is configured as a trunk with all VLANs allowed. The switch has an SVI named VLAN99 with IP address 192.168.99.2.


The AP has 3 VLANs: 1 (unused), 30 (for wireless clients), 99 (management VLAN and also native VLAN).
The BVI interface on the AP is configured with IP address 192.168.99.3

As you probably already guessed, I'd like to use VLAN99 (subnet 192.168.99.0/24) as my management VLAN throughout my network.

Most of the things in my network are working fine. I can connect to the SSID associated with VLAN30, receive an IP address via DHCP and connect to the internet using my "wireless to outside" policy.

However, I'm struggling with setting up the dedicated management interface correctly.
Here's what I want to do: when I connect with my laptop to the SSID associated with VLAN30, I also want to be able to reach the management interface of the Palo Alto. So, packets need to be routed from the subinterface of VLAN30 to the management interface.
This is not what's happening now. In the logs I see that packets from 10.0.30.5 (laptop) to 192.168.99.1 (mgmt interface of palo alto) are hitting the policy "wireless to outside". The mgmt interface address is seen as an outside address.


Can anyone tell me how I can fix this? Maybe I configured my network all wrong, but can someone please tell me what the best setup would be?

Thanks in advance for your ideas/help.

Steven


Hi Mayur,

I configured the 192.168.99.100 address on the main interface of e1/3 because I read this in some article. In this article (I don't remember the source) it was configured like this. I'm using this address as the default gateway on my switch.

If I remove this 192.168.99.100 IP address, what should I use then as default gateway on the switch? I do need a default gateway on the switch, right? I mean, if I want to ping from the switch to an external address it needs to send it to its default gateway.

Steven


Yes, you can use interface 1/2 of the PA for this, and use that IP as the default gateway on the switch. 1/2 can act as the inside interface on the PA.

Mayur

Mayur

But why interface e1/2 of the Palo Alto? It is currently not in use. No cable is connected to this port. On the Palo Alto, I only have a cable connected to port e1/1 (to the router), e1/3 (to the switch) and the mgmt interface (to the switch).

@decostersteven,


I'm not insisting on using 1/2 for LAN traffic. You have used 192.168.99.x on 1/3, which is overlapping with the MGMT interface subnet. So either change this subnet or use 1/2 as your LAN interface.


I think that due to this overlap, when you try to connect to the MGMT interface, the traffic is going out on interface 1/3 (can you check the logs for this?). Actually your MGMT traffic should go directly via the MGMT connectivity.

Mayur
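The two points raised in this reply, as an added illustration that is not part of the thread: the dedicated MGMT interface sits on the management plane, so the dataplane virtual router has no route to 192.168.99.1 and a longest-prefix lookup falls through to the default route (the "outside" zone, hence the "wireless to outside" rule), and a dataplane address in 192.168.99.0/24 overlaps the MGMT subnet. The routing table, zone names and the 192.168.99.100/24 address on e1/3 are a constructed model of the setup described above, not exported from the firewall.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    zone: str

# Constructed model of the dataplane virtual router from the thread.
# The dedicated MGMT interface (192.168.99.1/24) is on the management
# plane and is deliberately absent here: the dataplane cannot route to it.
DATAPLANE_ROUTES = [
    Route(ipaddress.ip_network("192.168.0.0/24"), "ethernet1/1", "outside"),
    Route(ipaddress.ip_network("10.0.30.0/24"), "ethernet1/3.30", "wireless"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "ethernet1/1", "outside"),  # default via 192.168.0.1
]

MGMT_SUBNET = ipaddress.ip_network("192.168.99.0/24")

def lookup(dst: str, routes: List[Route] = DATAPLANE_ROUTES) -> Route:
    """Longest-prefix match, the way the virtual router picks an egress interface."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen)

def egress_zone(dst: str, routes: List[Route] = DATAPLANE_ROUTES) -> str:
    """Zone the packet leaves through; this is what the security policy matches on."""
    return lookup(dst, routes).zone

def dataplane_overlaps_mgmt(dataplane_addrs: List[str],
                            mgmt: ipaddress.IPv4Network = MGMT_SUBNET) -> List[str]:
    """Return dataplane interface addresses whose subnet overlaps the MGMT subnet."""
    return [a for a in dataplane_addrs
            if ipaddress.ip_interface(a).network.overlaps(mgmt)]

if __name__ == "__main__":
    # Laptop 10.0.30.5 -> 192.168.99.1: no connected route, so the default wins.
    print(egress_zone("192.168.99.1"))  # outside
    # e1/1, the VLAN 30 subinterface, and the 192.168.99.100/24 address on e1/3.
    print(dataplane_overlaps_mgmt(["192.168.0.2/24", "10.0.30.1/24", "192.168.99.100/24"]))
```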

Mayur

I removed the overlapping IP address from interface e1/3. So, now only the mgmt interface on the Palo Alto is in the 192.168.99.x subnet.

The problem I'm facing now is that I cannot reach any address on the internet anymore from my switch. This is because it doesn't have a default gateway anymore. What do you propose to use as default gateway on the switch? I tried one of the subinterfaces (10.0.30.1), but that doesn't work either.

I'm really confused.
