10-04-2015 04:46 PM
hello,
I configured a PA-500 in routing mode in our company. I set the zones, the security rules and the NAT rules. I allow all traffic from the trust zone to the untrust zone. But the problem is that there is no internet connection. We use a DNS server that is in the trust zone.
I added a security rule from the untrust zone to the trust zone (with the address of the DNS server), but we still don't have an internet connection in the office. I followed all the steps of the PAN administration guide in my configuration, but I always have the same issue!
Can anyone help me to resolve this problem, please?
10-05-2015 12:42 AM - edited 10-05-2015 12:43 AM
Hi
Here are a couple of things you can check to make sure everything is set up properly.
From the CLI, check if you can see all relevant MAC addresses:
> show arp all
Verify that your routing is configured properly (you'll need a default gateway):
> show routing route
Make sure all interfaces have been configured with the proper IP/subnet:
> show interface all
Make sure all hosts can be reached on the connected interface:
> ping source <trust_interface_IP> host <internal_client_IP>
> ping source <untrust_interface_IP> host <internet_router_IP>
See if you can reach the internet from the untrust interface:
> ping source <untrust_interface_IP> host 4.2.2.2
and lastly from the trust interface:
> ping source <trust_interface_IP> host 4.2.2.2
You can start a session from a host in the trust zone and then check the sessions being created:
> show session all
It should look something like this:
--------------------------------------------------------------------------------
ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                          Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
24795        ping           ACTIVE  FLOW  NS   192.168.0.21[512]/trust/1  (198.51.100.230[512])
vsys1                                          4.2.2.2[33024]/untrust  (4.2.2.2[33024])
24796        ping           ACTIVE  FLOW  NS   192.168.0.21[512]/trust/1  (198.51.100.230[512])
vsys1                                          4.2.2.2[33280]/untrust  (4.2.2.2[33280])
Then verify a session's parameters:
> show session id <id#>
Session 24795
        c2s flow:
                source:      192.168.0.21 [trust]
                dst:         4.2.2.2
                proto:       1
                sport:       512             dport:      33024
                state:       INIT            type:       FLOW
                src user:    unknown
                dst user:    unknown
        s2c flow:
                source:      4.2.2.2 [untrust]
                dst:         198.51.100.230
                proto:       1
                sport:       33024           dport:      512
                state:       INIT            type:       FLOW
                src user:    unknown
                dst user:    unknown
        start time                    : Mon Oct  5 09:38:48 2015
        timeout                       : 6 sec
Please note the difference between the c2s and s2c flows.
You'll see that c2s has source IP 192.168.0.21, which is my internal IP, whereas the s2c flow has destination 198.51.100.230, which is my NAT address. This will show you if NAT is being applied properly.
Hope this helps you get started; please let us know if it does.
Tom
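The c2s/s2c comparison Tom describes can be automated when you have many sessions to check. The following is an added example, not part of the thread or of PAN-OS itself: it parses a `show session id` dump (a constructed sample laid out like the one above) and reports whether source NAT was applied to the return flow. The addresses and the expected NAT address are assumptions taken from the sample output.

```python
import re

# Constructed sample, laid out like the 'show session id' output quoted
# in the thread (192.168.0.21 is the internal host, 198.51.100.230 the NAT IP).
SAMPLE_SESSION = """Session 24795
        c2s flow:
                source:      192.168.0.21 [trust]
                dst:         4.2.2.2
                proto:       1
                sport:       512             dport:      33024
        s2c flow:
                source:      4.2.2.2 [untrust]
                dst:         198.51.100.230
                proto:       1
                sport:       33024           dport:      512
"""

# One flow header followed by its source (with zone in brackets) and dst lines.
FLOW_RE = re.compile(
    r"(?P<dir>c2s|s2c) flow:\s*source:\s*(?P<src>\S+)\s*\[(?P<zone>[^\]]+)\]"
    r"\s*dst:\s*(?P<dst>\S+)"
)

def parse_flows(text):
    """Return {'c2s': {...}, 's2c': {...}} with src, zone and dst per flow."""
    return {m["dir"]: {"src": m["src"], "zone": m["zone"], "dst": m["dst"]}
            for m in FLOW_RE.finditer(text)}

def check_nat(flows, internal_ip, nat_ip):
    """List what is wrong with the flow pair; an empty list means NAT looks right."""
    c2s, s2c = flows.get("c2s"), flows.get("s2c")
    if not c2s or not s2c:
        return ["session dump is missing a c2s or s2c flow"]
    problems = []
    if c2s["src"] != internal_ip:
        problems.append(f"c2s source {c2s['src']} is not the internal host {internal_ip}")
    if s2c["dst"] != nat_ip:
        problems.append(f"s2c destination {s2c['dst']} is not the NAT address {nat_ip}")
    if c2s["src"] == s2c["dst"]:
        problems.append("return traffic targets the private IP: source NAT was not applied")
    if c2s["dst"] != s2c["src"]:
        problems.append("c2s dst and s2c src differ: the two flows are not mirror images")
    return problems

if __name__ == "__main__":
    result = check_nat(parse_flows(SAMPLE_SESSION), "192.168.0.21", "198.51.100.230")
    for line in result or ["NAT OK: s2c returns to the translated address"]:
        print(line)
```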