- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
03-18-2020 10:25 AM
Hi,
I'm fairly new to Palo Alto firewalls and just set up a home lab, but I have a problem accessing the management interface from my local network.
I have 4 network devices in my network:
- Modem/Router
- Palo Alto PA-500 (PAN-OS 7.1)
- Cisco 2960 switch
- Cisco 1602 AP
I'll try to explain how everything is connected, but I also added a picture of the topology which probably makes more sense then my explanation.
Router --> Palo Alto --> Switch --> AP
Router --> Palo Alto: 192.168.0.0/24 subnet. Router is .1 and Palo Alto is .2
Palo Alto --> switch: One physical interface on the Palo Alto that has one subinterface (10.0.30.1/24) which is configured as a DHCP server for wireless clients in VLAN 30). The switch side of this connection is configured as a trunk with all VLANS allowed.
The Palo Alto also has a (physical, dedicatec) management interface which has the 192.168.99.1/24 address.
I also connected a cable from the Palo Alto's dedicated management interface to the switch. The switch port is an access port in VLAN99 (management).
Switch --> AP: The switchport is configured as a trunk with all VLANS allowed. The switch has an SVI named VLAN99 with IP address 192.168.99.2
The AP has 3 VLANS: 1 (unused), 30 (for wireless clients), 99 (Management VLAN and also native VLAN).
The BVI interface on the AP is configured with IP address 192.168.99.3
As you probably already guessed, I'd like to use VLAN99 (subnet 192.168.99.0/24) as my management VLAN throughout my network.
Most of the things in my network are working fine. I can connect to the SSID associated with VLAN30, receive an IP address via DHCP and connect to the internet using my "wireless to outside" policy.
However, I'm struggling with setting up the dedicated management interface correctly.
Here's what I want to do: when I connect with my laptop to the SSID associated with VLAN30, I also want to be able to reach the management interface of the Palo Alto. So, packets need to be routed from the subinterface of VLAN30 to the management interface.
This is not what's happening now. In the logs I see that packets from 10.0.30.5 (laptop) to 192.168.99.1 (mgmt interface of palo alto) are hitting the policy "wireless to outside". The mgmt interface address is seen as an outside address.
Can anyone tell me how I can fix this. Maybe I configured my network all wrong, but can someone the please tell me what the best setup would be?
Thanks in advance for your ideas/help.
Steven
03-19-2020 10:13 AM
@decosterstevenWe can have zoom session if you are ok with it. I can check it.
If you put default gateway as 10.0.30.1 on switch, now traffic will go from Wireless zone as source, Do you have policy/NAT for it?
Mayur
03-19-2020 10:29 AM
Yes, I have the correct policies in place for this. You can see this in one of my earlier posts with all the screenshots.
The problem is that cannot even ping 10.0.30.1 from my switch. Then surely, it is not going to work as default gateway. Ping, https and SSH are allowed on this interface.
03-19-2020 10:48 AM
@decosterstevenCan you verify what's configuration present on Switch interface Fa0/16? I am suspecting issue with it now.
Mayur
03-19-2020 11:32 AM
Port fa0/16 of the switch is configured as an access port in vlan 99.
Here's the running config of my switch (I removed unused ports from the config):
Current configuration : 4705 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname SW01
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$Z7Iy$du8yrPi/BI55kbzRNB2uj.
!
username testuser privilege 15 secret 5 $1$CSZu$rw8RYncad58MTu4KXKZE71
!
!
no aaa new-model
clock timezone GMT 1
system mtu routing 1500
!
!
ip domain-name HOME
ip name-server 8.8.8.8
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip ssh version 2
!
!
interface FastEthernet0/1
description *** Palo Alto e1/3 ***
switchport trunk native vlan 99
switchport mode trunk
!
interface FastEthernet0/2
description *** AP01 ***
switchport trunk native vlan 99
switchport mode trunk
no keepalive
spanning-tree portfast
spanning-tree bpdufilter enable
!
interface FastEthernet0/3
description *** Desktop PC ***
switchport access vlan 10
switchport mode access
!
interface FastEthernet0/15
!
interface FastEthernet0/16
description *** Palo Alto MGMT ***
switchport access vlan 99
switchport mode access
!
interface Vlan1
no ip address
!
interface Vlan99
ip address 192.168.99.2 255.255.255.0
!
ip http server
ip http secure-server
!
line con 0
exec-timeout 0 0
logging synchronous
line vty 0
privilege level 15
logging synchronous
login local
transport input ssh
line vty 1 4
privilege level 15
login local
transport input ssh
line vty 5 15
login
!
ntp clock-period 36029062
ntp server 131.188.3.220
end
03-19-2020 11:52 AM
@decosterstevenThere you go. It will never work if you keep that port in vlan99 as subnet 10.0.30.x is not part of vlan99. You need to keep it as trunk as you have multiple sub-interfaces configured on 1/3.
Mayur
03-19-2020 12:10 PM
But the switch port (fa0/1) connected to the e1/3 interface with the subinterfaces is a trunk. µ
The mgmt port of the palo alto is connected to the access port in vlan 99 on the switch that I mentionned in my previous post.
Anyway, I'll wil change the fa0/16 port on the switch to a trunk and see what happens.
I'll keep you posted. Thanks.
03-20-2020 08:58 AM
Hi Mayur,
After spending some hours trying out different configurations setups, I decided to factory reset the firewall and start all over again.
I configured everything like you exlained in previous posts and I finally got it to work.
Thanks again for you help!
Have a nice weekend.
03-20-2020 09:25 AM
Glad to hear that.
Thanks. You have a nice weekend, too!
Mayur
11-15-2020 09:52 PM
Hi,
I have the same problem with my PA. As I understood, I can not use the Data-Plane interface IP as the default GW for the MGMT interface?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!