New To Palo Alto Firewalls


L2 Linker

Hi,

I have Frontier FIOS and am currently using an ASA for my Internet router but want to use a PA-200 with a Cisco 891F behind it.  The design looks like this:

ISP(DHCP)----(e1/1)-PA-200-(e1/2)---891F (5 subnets)

I set e1/1 untrust w/DHCP from the ISP and e1/2 trust w/static /30 to the 891F.  I also checked auto create default route to inject the route from the ISP and set up outbound NAT to any/any with no other security policies in place.  I allowed ping on both interfaces for troubleshooting.

I prefer not to use the PA-200 for DHCP; therefore, on the 891, I have multiple VLANs with DHCP processes doling out IP addresses/SM/GW/DNS.  That works fine and all routing seems to be working as well.  I added a default route to exit the 891's interface connected to the PA-200.

The PA-200 did acquire a DHCP address from the ISP.  The trouble I'm having is that I cannot access the Internet from any device nor ping the untrusted interface IP.  I am not using the ISP's router at all.  I guess I am not sure if this is the best design to get this going, so if not, can someone point me in the right direction?  I hope this makes sense.

Thanks,
Dan


6 Replies

L6 Presenter

Hello @DRobinson_TIC and welcome!

Many things could be, really :0 What do you see in the monitoring tab on the PA-200 when the client is attempting to access the internet? How do you have your security policy configured? Post the screenshot please. Who provides the DNS for the clients, and is it working? (I guess it is the ISP, so the security policy on the PA should allow this.)

Cyber Elite

Hi @DRobinson_TIC and welcome!

- There's a video that might help you: Tutorial: Firewall as a PPPoE or DHCP client 🙂

- If you say NAT is set to 'any any', are you using any zone to any zone? (or IP addresses)
    I would strongly recommend setting trust to untrust with source NAT bound to your external interface

- Did you add routes to the virtual router to account for the subnets behind the Cisco?

- The external interface will not be pingable until you add a management profile. For an external interface this is preferable:
  • it makes you stealthy and minimizes attacks against your external interface
  • it can get messy to make that work because you will need a NAT rule specifically to be able to ping your external interface; the default rule creates a LAND attack because the source will be identical to the destination
Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Just reading over what you are describing, I would venture to guess that you need to do two things that reaper suggested already to make this work.

1) Have you taken into account the routing table on the Virtual Router? If the Palo Alto doesn't know about the subnet, you're going to need to tell it where to send the traffic. For example, since I have everything routing to a pair of cores, I would need to put in the subnets that I'm using, set the interface, and then give it a next hop value of the core. I imagine that you have to set up something similar.

2) The Management profile needs to be created. Not a major deal, and there are plenty of articles on how to do it, but by default you would never be able to ping an interface right out of the box.
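The three fixes the accepted answers describe (virtual-router routes for the subnets behind the 891F, a trust-to-untrust source NAT bound to the external interface, and a management profile for ping), plus the security rule the L6 Presenter asks about, written out as PAN-OS configure-mode commands. This is an added example, not configuration from any poster in the thread; the zone names, the 891F side of the /30 (192.168.255.2), the VLAN subnets and ASSUMED_UNTRUST_IP are constructed placeholders, and the # lines are explanatory only and are not accepted by the PAN-OS CLI.

```text
# Added example. Assumed (constructed): zone "trust" on ethernet1/2, zone "untrust"
# on ethernet1/1, 891F side of the /30 is 192.168.255.2, VLANs 10.0.10.0/24 and 10.0.20.0/24.
configure

# 1) Routing: the virtual router must know every subnet behind the 891F, or return
#    traffic for those VLANs has no route and is dropped.
set network virtual-router default routing-table ip static-route vlan10 destination 10.0.10.0/24 interface ethernet1/2 nexthop ip-address 192.168.255.2
set network virtual-router default routing-table ip static-route vlan20 destination 10.0.20.0/24 interface ethernet1/2 nexthop ip-address 192.168.255.2

# 2) NAT: trust -> untrust only, source-translated to the DHCP address on ethernet1/1,
#    instead of an any-zone/any-zone rule.
set rulebase nat rules outbound-pat from trust to untrust source any destination any service any to-interface ethernet1/1 source-translation dynamic-ip-and-port interface-address interface ethernet1/1

# 3) Security policy: interzone traffic is denied by default, so trust -> untrust needs an
#    explicit allow (this is where the clients' DNS and web traffic is permitted).
set rulebase security rules allow-outbound from trust to untrust source any destination any application any service application-default action allow

# 4) Management profile so the untrust interface answers ping while troubleshooting;
#    detach it from ethernet1/1 once testing is done, as reaper advises.
set network profiles interface-management-profile allow-ping ping yes
set network interface ethernet ethernet1/1 layer3 interface-management-profile allow-ping

# Caveat (reaper's LAND point): a ping from a trust host to ethernet1/1's own address still
# matches outbound-pat and gets source-translated to that same address. To test ping from
# inside, a no-translation rule for that destination has to sit above outbound-pat.
# ASSUMED_UNTRUST_IP is a placeholder for the lease the PA-200 received from the ISP.
set rulebase nat rules no-nat-to-fw from trust to untrust source any destination ASSUMED_UNTRUST_IP service any
move rulebase nat rules no-nat-to-fw before outbound-pat

commit
exit

# Verification in operational mode: routes present, rules in the expected order,
# and a FIB lookup that resolves to ethernet1/1 via the ISP default route.
show routing route
show running nat-policy
show running security-policy
test routing fib-lookup virtual-router default ip 8.8.8.8
```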

L2 Linker

Thank you all for your input.  I will look over your responses later today and provide more info as well.

L2 Linker

Hi All,

Sorry for the delay in responding, but I can't really properly test until tomorrow morning as my daughter needs the Internet available for online school.  I will keep you posted and follow up tomorrow.

Thanks for your patience,

Dan

L2 Linker

So, I finally had some time to check into this and it may have been the routing table issue on the PA-200.  So to simplify things, I enabled RIP (LOL, I know) but for the time being it is now working and all my wired/wireless clients are able to get out to the Internet.  So now, I just have to migrate my policies from the ASA to the PA-200.

Thanks again for all of your input.

Dan

  • 2 accepted solutions
  • 3301 Views
  • 6 replies
  • 0 Likes