06-07-2018 12:28 PM
Hello Experts,
I am stuck with a Palo Alto test setup. I have a 6.1.0 VM version running on VMware. I have simulated the inside interface with a 10.10.10.0/24 subnet; the two hosts are a **bleep** Small Linux with IP 10.10.10.190 (/24), which is connecting to the PA VM Ethernet1/1 L3 interface with IP 10.10.10.200 (/24).
VMnet2 is used for the management interface and has the IP 192.168.1.1/24, and I am using this to connect to the PA VM GUI.
The outside interface is simulated by a VMnet8 adapter which is in shared mode with the physical Ethernet NIC. The subnet of VMnet8 is 192.168.137.0/24. The Palo Alto interface connecting to VMnet8 is Ethernet1/2 and has the IP 192.168.137.200 (/24). The VMnet8 adapter has the IP 192.168.137.1 (/24).
I have configured a default route on the PA VM with the proper interface and virtual router, and the default route's next hop is 192.168.137.1. When I try to ping 8.8.8.8 it shows me an unreachable response from the management interface (192.168.1.1).
Please help.
Following are some outputs from the device :
admin@PA-VM> show routing route virtual-router "VR1 TEST"
flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp,
Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2
VIRTUAL ROUTER: VR1 TEST (id 2)
==========
destination nexthop metric flags age interface next-AS
0.0.0.0/0 192.168.137.1 10 A S ethernet1/2
10.10.10.0/24 10.10.10.10 0 A C ethernet1/1
10.10.10.10/32 0.0.0.0 0 A H
192.168.137.0/24 192.168.137.200 0 A C ethernet1/2
192.168.137.200/32 0.0.0.0 0 A H
total routes shown: 5
admin@PA-VM>
admin@PA-VM> show arp all
maximum of entries supported : 500
default timeout: 1800 seconds
total ARP entries in table : 1
total ARP entries shown : 1
status: s - static, c - complete, e - expiring, i - incomplete
interface ip address hw address port status ttl
--------------------------------------------------------------------------------
ethernet1/2 192.168.137.1 00:50:56:c0:00:08 ethernet1/2 c 985
admin@PA-VM>
admin@PA-VM> ping host 4.2.2.2
PING 4.2.2.2 (4.2.2.2) 56(84) bytes of data.
From 192.168.1.1 icmp_seq=1 Destination Host Unreachable
From 192.168.1.1 icmp_seq=2 Destination Host Unreachable
From 192.168.1.1 icmp_seq=3 Destination Host Unreachable
From 192.168.1.1 icmp_seq=5 Destination Host Unreachable
From 192.168.1.1 icmp_seq=6 Destination Host Unreachable
From 192.168.1.1 icmp_seq=7 Destination Host Unreachable
^C
--- 4.2.2.2 ping statistics ---
7 packets transmitted, 0 received, +6 errors, 100% packet loss, time 6008ms
, pipe 3
admin@PA-VM>
06-07-2018 01:57 PM - edited 06-07-2018 01:58 PM
1) I wouldn't start working with a 6.1.0 install at this point. You really should be using a modern version of the OS, and perform an update to the latest maintenance release if you are dead set on staying with 6.1.
By default, if you just run the 'ping host 8.8.8.8' command you would be sent out the management interface, so try running the command with 'ping source whatevertheoutsideIPis host 8.8.8.8' and see if you get a response. Also keep in mind that you need a security policy that allows this traffic to take place.
With a quick glance I'm not seeing anything where you are actively giving the management interface a way outside the network.
06-07-2018 02:17 PM
Thank you for the response. I am pretty new to this [only 3 days and still failing to set up the lab], getting used to a lot of things. I have switched to 8.0. Same setup. The egress interface, or the Internet-facing interface, is sharing the Internet connection with the physical Intel NIC of my PC. I have tested this "sharing" by using a D Small Linux and it can reach the Internet just fine.
Through Palo Alto, however, it's not working. I have broken it down into the following parts. Really appreciate the help.
admin@PA-VM# show rulebase security rules
rules {
PINGS {
to OUTSIDE;
from OUTSIDE;
source any;
destination any;
source-user any;
category any;
application icmp;
service application-default;
hip-profiles any;
action allow;
}
}
[edit]
admin@PA-VM#
admin@PA-VM# show zone
zone {
OUTSIDE {
network {
layer3 ethernet1/1;
}
}
}
[edit]
admin@PA-VM#
admin@PA-VM> show routing route virtual-router "TO INTERNET"
flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp,
Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2, E:ecmp, M:multicast
VIRTUAL ROUTER: TO INTERNET (id 2)
==========
destination nexthop metric flags age interface next-AS
0.0.0.0/0 192.168.137.1 10 A S ethernet1/1
192.168.137.0/24 192.168.137.140 0 A C ethernet1/1
192.168.137.140/32 0.0.0.0 0 A H
total routes shown: 3
admin@PA-VM>
admin@PA-VM> show interface all
total configured hardware interfaces: 1
name id speed/duplex/state mac address
--------------------------------------------------------------------------------
ethernet1/1 16 10000/full/up 00:0c:29:d0:3b:d4
aggregation groups: 0
total configured logical interfaces: 1
name id vsys zone forwarding tag address
------------------- ----- ---- ---------------- ------------------------ ------ ------------------
ethernet1/1 16 1 OUTSIDE vr:TO INTERNET 0 192.168.137.140/24
admin@PA-VM>
interface ip address hw address port status ttl
--------------------------------------------------------------------------------
ethernet1/1 192.168.137.1 00:50:56:c0:00:08 ethernet1/1 c 1495
admin@PA-VM>
admin@PA-VM> show session all
--------------------------------------------------------------------------------
ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port])
Vsys Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
413 ping ACTIVE FLOW 192.168.137.140[9769]/OUTSIDE/1 (192.168.137.140[9769])
vsys1 4.2.2.2[5]/OUTSIDE (4.2.2.2[5])
414 ping ACTIVE FLOW 192.168.137.140[9769]/OUTSIDE/1 (192.168.137.140[9769])
vsys1 4.2.2.2[6]/OUTSIDE (4.2.2.2[6])
409 ping ACTIVE FLOW 192.168.137.140[9769]/OUTSIDE/1 (192.168.137.140[9769])
vsys1 4.2.2.2[1]/OUTSIDE (4.2.2.2[1])
412 ping ACTIVE FLOW 192.168.137.140[9769]/OUTSIDE/1 (192.168.137.140[9769])
vsys1 4.2.2.2[4]/OUTSIDE (4.2.2.2[4])
407 netbios-ns ACTIVE FLOW 192.168.137.1[137]/OUTSIDE/17 (192.168.137.1[137])
vsys1 192.168.137.255[137]/OUTSIDE (192.168.137.255[137])
411 ping ACTIVE FLOW 192.168.137.140[9769]/OUTSIDE/1 (192.168.137.140[9769])
vsys1 4.2.2.2[3]/OUTSIDE (4.2.2.2[3])
410 ping ACTIVE FLOW 192.168.137.140[9769]/OUTSIDE/1 (192.168.137.140[9769])
vsys1 4.2.2.2[2]/OUTSIDE (4.2.2.2[2])
admin@PA-VM>
admin@PA-VM> ping source 192.168.137.140 host 4.2.2.2
PING 4.2.2.2 (4.2.2.2) from 192.168.137.140 : 56(84) bytes of data.
^C
--- 4.2.2.2 ping statistics ---
27 packets transmitted, 0 received, 100% packet loss, time 26006ms
admin@PA-VM>
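A checker over the three outputs pasted in this thread (routing table, ARP table, session table), added here as an example and not code from the thread, from Palo Alto Networks, or from PAN-OS itself. It parses the CLI text the way you would read it by eye and reports whether the active default route's next hop sits on a connected subnet of the same egress interface, whether ARP for that next hop is complete on that interface, whether the `ping source` attempts actually created dataplane sessions and in which zone pair (the thread's rule is OUTSIDE to OUTSIDE), and whether the firewall itself applied source NAT. The sample strings are constructed, trimmed copies of the output above; the function and field names are this example's own.

```python
import ipaddress
import re

# Constructed sample input: trimmed copies of the CLI output pasted in the thread.
ROUTE_OUTPUT = """\
VIRTUAL ROUTER: TO INTERNET (id 2)
==========
destination nexthop metric flags age interface next-AS
0.0.0.0/0 192.168.137.1 10 A S ethernet1/1
192.168.137.0/24 192.168.137.140 0 A C ethernet1/1
192.168.137.140/32 0.0.0.0 0 A H
total routes shown: 3
"""
ARP_OUTPUT = """\
interface ip address hw address port status ttl
--------------------------------------------------------------------------------
ethernet1/1 192.168.137.1 00:50:56:c0:00:08 ethernet1/1 c 1495
"""
SESSION_OUTPUT = """\
413 ping ACTIVE FLOW 192.168.137.140[9769]/OUTSIDE/1 (192.168.137.140[9769])
vsys1 4.2.2.2[5]/OUTSIDE (4.2.2.2[5])
407 netbios-ns ACTIVE FLOW 192.168.137.1[137]/OUTSIDE/17 (192.168.137.1[137])
vsys1 192.168.137.255[137]/OUTSIDE (192.168.137.255[137])
409 ping ACTIVE FLOW 192.168.137.140[9769]/OUTSIDE/1 (192.168.137.140[9769])
vsys1 4.2.2.2[1]/OUTSIDE (4.2.2.2[1])
"""

# Route flag tokens as listed in the legend line of `show routing route`.
FLAG_RE = re.compile(r"^(?:[A?CHS~RBEM]|O[io12]?)$")
# interface, ip, mac, port, status (s/c/e/i), ttl
ARP_RE = re.compile(r"^(\S+)\s+(\d+(?:\.\d+){3})\s+([0-9a-f:]{17})\s+\S+\s+([scei])\s+\d+")
# First line of a session record: id, app, state, type, [flag], src[port]/zone/proto (xlat[port])
SESS_SRC_RE = re.compile(
    r"^(\d+)\s+(\S+)\s+\S+\s+\S+.*?(\d+(?:\.\d+){3})\[\d+\]/(\S+)/(\d+)\s+\((\d+(?:\.\d+){3})\[\d+\]\)")
# Second line: vsys dst[port]/zone (xlat[port])
SESS_DST_RE = re.compile(r"^\S+\s+(\d+(?:\.\d+){3})\[\d+\]/(\S+)\s+\((\d+(?:\.\d+){3})\[\d+\]\)")


def parse_routes(text):
    """Rows of `show routing route`; interface is None for host (H) routes."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or "/" not in tok[0] or not tok[2].isdigit():
            continue  # banner, header, separator and summary lines
        rest = tok[3:]
        iface = rest.pop() if rest and not FLAG_RE.match(rest[-1]) else None
        routes.append({"dest": ipaddress.ip_network(tok[0], strict=False),
                       "nexthop": ipaddress.ip_address(tok[1]), "metric": int(tok[2]),
                       "flags": set(rest), "iface": iface})
    return routes


def parse_arp(text):
    """Map next-hop IP -> {iface, mac, status} from `show arp all`."""
    entries = {}
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            entries[ipaddress.ip_address(m.group(2))] = {
                "iface": m.group(1), "mac": m.group(3), "status": m.group(4)}
    return entries


def parse_sessions(text):
    """Pair the two-line records of `show session all` into dicts."""
    sessions, pending = [], None
    for line in text.splitlines():
        m = SESS_SRC_RE.match(line)
        if m:
            pending = {"id": int(m.group(1)), "app": m.group(2), "src": m.group(3),
                       "from_zone": m.group(4), "proto": int(m.group(5)), "xsrc": m.group(6)}
            continue
        m = SESS_DST_RE.match(line)
        if m and pending:
            pending.update(dst=m.group(1), to_zone=m.group(2), xdst=m.group(3))
            sessions.append(pending)
            pending = None
    return sessions


def diagnose(route_text, arp_text, session_text, ping_dst):
    """Local reachability checks a practitioner runs before blaming the upstream."""
    routes, arp, sessions = parse_routes(route_text), parse_arp(arp_text), parse_sessions(session_text)
    report = {"default_route": False, "nexthop_on_egress_subnet": False, "nexthop_arp_complete": False}
    default = [r for r in routes if r["dest"].prefixlen == 0 and "A" in r["flags"]]
    if default:
        d = default[0]
        report["default_route"] = True
        # The next hop must be inside a connected (C) route on the same interface ...
        report["nexthop_on_egress_subnet"] = any(
            "C" in r["flags"] and r["iface"] == d["iface"] and d["nexthop"] in r["dest"] for r in routes)
        # ... and its ARP entry must be complete on that interface, not just present.
        a = arp.get(d["nexthop"])
        report["nexthop_arp_complete"] = bool(a and a["status"] == "c" and a["iface"] == d["iface"])
    pings = [s for s in sessions if s["app"] == "ping" and s["dst"] == ping_dst]
    report["ping_sessions"] = len(pings)
    report["ping_intrazone"] = bool(pings) and all(s["from_zone"] == s["to_zone"] for s in pings)
    # Translated source equal to the original source means the firewall applied no source NAT.
    report["source_nat"] = any(s["src"] != s["xsrc"] for s in pings)
    return report


if __name__ == "__main__":
    for key, value in diagnose(ROUTE_OUTPUT, ARP_OUTPUT, SESSION_OUTPUT, "4.2.2.2").items():
        print(f"{key:26} {value}")
```

Run against the thread's outputs, every local check passes and no source NAT is applied on the firewall: the echo requests do leave ethernet1/1 toward a resolved next hop under a policy that matched, and nothing comes back. What 192.168.137.1 does with frames from the firewall's own MAC is not visible from the PAN-OS CLI, so the useful next step is a capture on the VMnet8 side rather than further changes to routes or policy.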