PA VM 6.1.0 Routing issues

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

PA VM 6.1.0 Routing issues

L1 Bithead

Hello Experts,

I am stuck with a Palo Alto test setup. I have a 6.1.0 VM version running on VMW. I have simulated the inside interface by a 10.10.0/24 subnet—- the two hosts are a **bleep** Small Linux with IP 10.10.10.190 (/24) which is connecting to the PA VM Ethernet1/1 L3 interface with IP 10.10.10.200 (/24).

 

VMnet2 is used for managment interface and has the IP 192.168.1.1/24 and I am using this to connect to the PA VM GUI

The outside interface is simulated by a VMNet (8)adapter which is in a shared mode with Physical Ethernet NIC. The subnet of VMNet8 is 192.168.137.0/24. The Palo alto interface connecting to VMnet 8 is Ethernet1/2 and has an IP 192.168.137.200(/24). The VmNet8 adapter has the IP 192.168.137.1(/24).

 

I have configured a default route on the PA VM with proper interfaces and virtual router and the default routes next hop is 192.168.137.1. When I am trying to ping 8.8.8.8 it shows me an unreachable response from the management interface (192.168.1.1)

Please help

 

Following are some outputs from the device :

 

admin@PA-VM> show routing route virtual-router "VR1 TEST"

flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp,
       Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2


VIRTUAL ROUTER: VR1 TEST (id 2)
  ==========
destination                                 nexthop                                 metric flags      age   interface          next-AS
0.0.0.0/0                                   192.168.137.1                           10     A S              ethernet1/2
10.10.10.0/24                               10.10.10.10                             0      A C              ethernet1/1
10.10.10.10/32                              0.0.0.0                                 0      A H
192.168.137.0/24                            192.168.137.200                         0      A C              ethernet1/2
192.168.137.200/32                          0.0.0.0                                 0      A H
total routes shown: 5

admin@PA-VM>

 

 

admin@PA-VM> show arp all

maximum of entries supported :      500
default timeout:                    1800 seconds
total ARP entries in table :        1
total ARP entries shown :           1
status: s - static, c - complete, e - expiring, i - incomplete

interface         ip address      hw address        port              status   ttl
--------------------------------------------------------------------------------
ethernet1/2       192.168.137.1   00:50:56:c0:00:08 ethernet1/2         c      985

admin@PA-VM>

 

 

admin@PA-VM> ping host 4.2.2.2
PING 4.2.2.2 (4.2.2.2) 56(84) bytes of data.
From 192.168.1.1 icmp_seq=1 Destination Host Unreachable
From 192.168.1.1 icmp_seq=2 Destination Host Unreachable
From 192.168.1.1 icmp_seq=3 Destination Host Unreachable
From 192.168.1.1 icmp_seq=5 Destination Host Unreachable
From 192.168.1.1 icmp_seq=6 Destination Host Unreachable
From 192.168.1.1 icmp_seq=7 Destination Host Unreachable
^C
--- 4.2.2.2 ping statistics ---
7 packets transmitted, 0 received, +6 errors, 100% packet loss, time 6008ms
, pipe 3
admin@PA-VM>

2 REPLIES 2

Cyber Elite
Cyber Elite

@Sankhya1012,

1) I wouldn't start working with a 6.1.0 install at this point. You really should be using a modern version of the OS and perform an update to the latest maintenance release if you are deadset on staying with 6.1. 

 

By default if you just run the 'ping host 8.8.8.8' command you would be sent out the management interface, so try running the command with 'ping source whatevertheoutsideIPis host 8.8.8.8' and see if you get a response. Also keep in mind that you need a security policy that allows this traffic to take place.  

With a quick glance I'm not seeing anything where you are actively giving the management interface a way outside the network. 

@BPry

 

Thank you for the response. I am pretty new to this [only 3days and still failing to setup the lab] , getting used to a lot of things. I have switched to 8.0. Same setup. The egress interface or the Internet facing interface is sharing internet connection with my Physical intel NIC of the PC. I have tested this "sharing " by using a D Small Linux and it can reach the internet just fine.

 

Through Palo Alto however , its not working. I have broken it down into the following parts. Really appreciate the help

 

admin@PA-VM# show rulebase security rules
rules {
  PINGS {
    to OUTSIDE;
    from OUTSIDE;
    source any;
    destination any;
    source-user any;
    category any;
    application icmp;
    service application-default;
    hip-profiles any;
    action allow;
  }
}
[edit]
admin@PA-VM#

 

admin@PA-VM# show zone
zone {
  OUTSIDE {
    network {
      layer3 ethernet1/1;
    }
  }
}
[edit]
admin@PA-VM#

 

admin@PA-VM> show routing route virtual-router "TO INTERNET"

flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp,
       Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2, E:ecmp, M:multicast


VIRTUAL ROUTER: TO INTERNET (id 2)
  ==========
destination                                 nexthop                                 metric flags      age   interface          next-AS
0.0.0.0/0                                   192.168.137.1                           10     A S              ethernet1/1
192.168.137.0/24                            192.168.137.140                         0      A C              ethernet1/1
192.168.137.140/32                          0.0.0.0                                 0      A H
total routes shown: 3

admin@PA-VM>

 

admin@PA-VM> show interface all

total configured hardware interfaces: 1

name                    id    speed/duplex/state        mac address
--------------------------------------------------------------------------------
ethernet1/1             16    10000/full/up             00:0c:29:d0:3b:d4

aggregation groups: 0

 




total configured logical interfaces: 1

name                id    vsys zone             forwarding               tag    address
------------------- ----- ---- ---------------- ------------------------ ------ ------------------
ethernet1/1         16    1    OUTSIDE          vr:TO INTERNET           0      192.168.137.140/24

admin@PA-VM>

 

interface         ip address      hw address        port              status   ttl
--------------------------------------------------------------------------------
ethernet1/1       192.168.137.1   00:50:56:c0:00:08 ethernet1/1         c      1495

admin@PA-VM>

 

admin@PA-VM> show session all

--------------------------------------------------------------------------------
ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                          Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
413          ping           ACTIVE  FLOW       192.168.137.140[9769]/OUTSIDE/1  (192.168.137.140[9769])
vsys1                                          4.2.2.2[5]/OUTSIDE  (4.2.2.2[5])
414          ping           ACTIVE  FLOW       192.168.137.140[9769]/OUTSIDE/1  (192.168.137.140[9769])
vsys1                                          4.2.2.2[6]/OUTSIDE  (4.2.2.2[6])
409          ping           ACTIVE  FLOW       192.168.137.140[9769]/OUTSIDE/1  (192.168.137.140[9769])
vsys1                                          4.2.2.2[1]/OUTSIDE  (4.2.2.2[1])
412          ping           ACTIVE  FLOW       192.168.137.140[9769]/OUTSIDE/1  (192.168.137.140[9769])
vsys1                                          4.2.2.2[4]/OUTSIDE  (4.2.2.2[4])
407          netbios-ns     ACTIVE  FLOW       192.168.137.1[137]/OUTSIDE/17  (192.168.137.1[137])
vsys1                                          192.168.137.255[137]/OUTSIDE  (192.168.137.255[137])
411          ping           ACTIVE  FLOW       192.168.137.140[9769]/OUTSIDE/1  (192.168.137.140[9769])
vsys1                                          4.2.2.2[3]/OUTSIDE  (4.2.2.2[3])
410          ping           ACTIVE  FLOW       192.168.137.140[9769]/OUTSIDE/1  (192.168.137.140[9769])
vsys1                                          4.2.2.2[2]/OUTSIDE  (4.2.2.2[2])
admin@PA-VM>

 

 

admin@PA-VM> ping source 192.168.137.140 host 4.2.2.2
PING 4.2.2.2 (4.2.2.2) from 192.168.137.140 : 56(84) bytes of data.
^C
--- 4.2.2.2 ping statistics ---
27 packets transmitted, 0 received, 100% packet loss, time 26006ms

admin@PA-VM>

  • 5423 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!