palo alto networks configuration

cancel
Showing results for 
Search instead for 
Did you mean: 

palo alto networks configuration

L2 Linker

hello,

 

I configured a PA-500 with routing mode in our company . I set the zone , the security rules , the nat rules . I allow all traffic from trust zone to untrust zone. But the problem there is no internet connection. We use a DNS server , that is in trust zone.

I add a security role from untrust zone to a trust zone (with addressof DNS server) but the problem always we don't hav the internet connection in the office  . I process all the steps of the administraion guide of PAN in my configuration but always i have the same issue!

 

Any one can help me pleaseto resolve this problem 

1 REPLY 1

Cyber Elite
Cyber Elite

Hi

 

Here's a couple of things you can check to make sure everything is set up properly

 

from the CLI, check if you can see all relevant mac addresses:

> show arp all

 

verify if your routing is configured properly (you'll need a default gateway)

>show routing route

 

make sure all interfaces have been configured with the proper IP/subnet

>show interface all

 

make sure all hosts can be reached on the connected interface:

>ping source <trust_interface_IP> host <internal_client_IP>

>ping source <untrust_interface_IP> host <internet_router_IP>

 

see if you can reach the internet from the untrust interface:

>ping source <untrust_interface_IP> host 4.2.2.2

 

and lastly from the trust interface:

>ping source <trust_interface_IP> host 4.2.2.2

 

you can start a session from a host in the trust zone and then check the sessions being created

> show session all

 

it should look something like this:

--------------------------------------------------------------------------------
ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                          Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
24795        ping           ACTIVE  FLOW  NS   192.168.0.21[512]/trust/1  (198.51.100.230[512])
vsys1                                          4.2.2.2[33024]/untrust  (4.2.2.2[33024])
24796        ping           ACTIVE  FLOW  NS   192.168.0.21[512]/trust/1  (198.51.100.230[512])
vsys1                                          4.2.2.2[33280]/untrust  (4.2.2.2[33280])

then verify a session's parameters

>show session id <id#>

 

Session           24795

        c2s flow:
                source:      192.168.0.21 [trust]
                dst:         4.2.2.2
                proto:       1
                sport:       512             dport:      33024
                state:       INIT            type:       FLOW
                src user:    unknown
                dst user:    unknown

        s2c flow:
                source:      4.2.2.2 [untrust]
                dst:         198.51.100.230
                proto:       1
                sport:       33024           dport:      512
                state:       INIT            type:       FLOW
                src user:    unknown
                dst user:    unknown

        start time                           : Mon Oct  5 09:38:48 2015
        timeout                              : 6 sec

Please note the difference between the c2s and s2c flows

You'll see that c2s has source ip 192.168.0.21, which is my internal IP, where the s2c flow has destination 198.51.100.230, which is my NAT address, this will show you if NAT is being applied properly

 

hope this helps you get started, please let us know if this helps

 

Tom

Tom Piens
PANgurus
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!