
Palo 1410 - Inability to ping through my ISP


L0 Member

New to Palo Alto. Have installed a new PA 1410. This is directly attached to the Ciena 3924 device provided by the ISP. Connecting a laptop to that device allows full internet access. The external interface to access the internet on the Palo Alto is ethernet 1/6. This interface is directly connected to the Ciena 3924. It is part of an outside zone and configured to use a virtual router whose default address is set to 0.0.0.0/0 with the GW address provided by the ISP as the next hop. The internal interface is on ethernet 1/3 and it is part of the internal zone and is also configured to use the same virtual router as the external interface 1/6. There is a security policy that allows the internal zone to send data out to the external zone. I have also put in place a NAT policy that transfers all internal interface 1/3 IPs to external interface 1/6 external IP with port translation. 

The firewall can ping the IP and the GW but can't ping beyond that. The last item is that we have also created a management interface on the data plane, but this also is unable to access the internet. Thanks in advance for the support and assistance and I apologize for the newbie question.


Sincerely

JLG

3 REPLIES

Cyber Elite

@jlopez01,

It sounds like, as long as you've configured everything correctly, this should work. You've got the route, you have a security policy to actually allow the traffic, and you have the NAT policy. How are you actually attempting to test connectivity: directly from the firewall with the interface IPs as a source, or through a client connected to the firewall on ethernet1/3 in that internal zone?

L0 Member

Thank you so very much for the response. My testing has consisted of both actually, attempting to access the internet from a client directly on interface 1/3 and pinging using the interface source and host to Google's DNS. No luck on either one. 

Cyber Elite

@jlopez01,

When you attempt to test with a client connected to ethernet1/3, what do your logs say is actually happening? You'll be able to validate your egress interface, your security policy, and whether or not your NAT is being applied properly through the detailed traffic logs. If that all looks good, you'd want to take a PCAP and verify whether your Ciena is actually passing traffic back to your firewall or not. 
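The checks this reply describes (egress interface, security rule, NAT applied, any reply traffic), as an added example that is not part of the thread: a small Python triage over constructed session records. The field names loosely mirror traffic-log columns, and the interface name, rule name and addresses are assumptions, not values from a real log.

```python
"""Triage constructed firewall session records: confirm egress interface,
security rule action, source NAT, and whether any bytes came back."""
from dataclasses import dataclass

EXPECTED_EGRESS = "ethernet1/6"       # outside interface named in the thread
EXPECTED_RULE = "inside-to-outside"   # assumed name of the allow rule

@dataclass
class Session:
    src: str
    dst: str
    natsrc: str        # post-NAT source; equals src when no NAT was applied
    egress_if: str
    rule: str
    action: str
    bytes_sent: int
    bytes_received: int

def triage(s: Session) -> list[str]:
    """Return the problems found for one session (empty list = looks healthy)."""
    problems = []
    if s.action != "allow":
        problems.append(f"denied by rule {s.rule!r} (check security policy)")
    if s.egress_if != EXPECTED_EGRESS:
        problems.append(f"egressed via {s.egress_if}, expected {EXPECTED_EGRESS} (check route)")
    if s.natsrc == s.src:
        problems.append("source NAT not applied (check NAT rule match)")
    if s.action == "allow" and s.bytes_received == 0:
        problems.append("no return traffic: upstream device may not be passing replies (take a PCAP)")
    return problems

def triage_all(sessions: list[Session]) -> dict[str, list[str]]:
    """Map each client source address to its list of findings."""
    return {s.src: triage(s) for s in sessions}

# Constructed sample: one healthy session, one with no return bytes, one missing NAT.
SAMPLE = [
    Session("192.168.1.10", "8.8.8.8", "203.0.113.2", "ethernet1/6", EXPECTED_RULE, "allow", 296, 296),
    Session("192.168.1.11", "8.8.8.8", "203.0.113.2", "ethernet1/6", EXPECTED_RULE, "allow", 296, 0),
    Session("192.168.1.12", "1.1.1.1", "192.168.1.12", "ethernet1/6", EXPECTED_RULE, "allow", 74, 0),
]

if __name__ == "__main__":
    for src, problems in triage_all(SAMPLE).items():
        print(src, "OK" if not problems else "; ".join(problems))
```

A session that is allowed, NATed and egressing on the right interface but still shows zero bytes received is the case where the PCAP on the outside interface tells you whether the reply ever arrived.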
