Routing issues on PA410

cancel
Showing results for 
Search instead for 
Did you mean: 

Routing issues on PA410

L1 Bithead


I cannot get traffic to go out my outside interface - it will only go out the Management interface

I have a PA-410 with several Inside interfaces / Outside (connected to an ASA) / Management (connected to my Inside network)
Note: I changed the Outside IP's first 3 octets from the real to 3.3.3. in this post to protect the future public IP for this firewall.

Setup looks like this
PC <-> switch <-> (ethernet1/2.32)PA-410(eithernet1/1) <-> (eithernet0/0)ASA (ethernet0/1)<-> Inside network <-> ISP

If I plug directly into the ASA's 0/0 interface & give my PC an IP in the 3.3.3.104/29 range -  I can connect just fine to the internet
 

Management: 192.168.0.3/24
Inside: 172.31.32.1/24 
Internet: 3.3.3.109/29  
ASA: 3.3.3.110/29 - The ASA will PAT all traffic so it can cross the Inside network and get to the Internet.
VR - All interfaces added
Includes static route 0.0.0.0/0 -> 3.3.3.110 (See below)


When I connect with my PC to the Palo I get no internet
From the PC I can ping the gateway 172.31.32.1 
From the PC I can NOT ping google 8.8.8.8
From the ASA I can ping the Palo outside 3.3.3.109 interface
From the ASA I can ping google (8.8.8.8)
From the Palo CLI I can NOT ping the ASA interface 3.3.3.110
From the Palo CLI I can ping itself 3.3.3.109
From the Palo CLI I can ping google (8.8.8.8) but the ping goes out the management interface not the Outside interface

VIRTUAL ROUTER: DCS-Campus (id 1)
==========
destination nexthop metric flags age interface next-AS
0.0.0.0/0 3.3.3.110 10 A S ethernet1/1
3.3.3.104/29 3.3.3.109 0 A C ethernet1/1
3.3.3.109/32 0.0.0.0 0 A H
172.31.8.0/24 172.31.8.1 0 A C ethernet1/2.8
172.31.8.1/32 0.0.0.0 0 A H
172.31.16.0/24 172.31.16.1 0 A C ethernet1/2.16
172.31.16.1/32 0.0.0.0 0 A H
172.31.24.0/24 172.31.24.1 0 A C ethernet1/2.24
172.31.24.1/32 0.0.0.0 0 A H
172.31.32.0/24 172.31.32.1 0 A C ethernet1/2.32
172.31.32.1/32 0.0.0.0 0 A H
172.31.128.0/24 172.31.128.1 0 A C ethernet1/2.128
172.31.128.1/32 0.0.0.0 0 A H
172.31.192.0/24 172.31.192.1 0 A C ethernet1/2.192
172.31.192.1/32 0.0.0.0 0 A H
172.31.248.0/24 172.31.248.1 0 A C ethernet1/2.248
172.31.248.1/32 0.0.0.0 0 A H
total routes shown: 17




2 ACCEPTED SOLUTIONS

Accepted Solutions

L5 Sessionator

Hi @sos66sos ,

 

Thank you for providing so many details.  I have a couple questions:

 

  1. "From the Palo CLI I can ping google (8.8.8.8) but the ping goes out the management interface not the Outside interface"  Did you use the "source" parameter?  By default, CLI pings are sourced from the management interface.  You need to specify the outside interface IP as a source if you want it to go out that interface.
  2. "From the PC I can NOT ping google 8.8.8.8"  Does the ASA have a route back to the Palo for the 172.31.32.0/24 network?  It sounds like it does not.  It also sounds like it does have a route for the 192.168.0.0/24 network.
  3. "From the Palo CLI I can NOT ping the ASA interface 3.3.3.110"  Are pings to the inside interface enabled on the ASA?

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

View solution in original post

L1 Bithead

I have backed out my configuration and started over - I now see traffic leaving the outside interface.  I obviously had something configured incorrectly so I'm not sure what the solution was but I appreciate everyone's input. 

View solution in original post

4 REPLIES 4

Community Team Member

Hi @sos66sos ,

 

Can you paste a screenshot of the traffic logs to include the advanced view when clicking on the microscope icon?

 

 

Regards,

 

Jay

LIVEcommunity team member
Stay Secure,
Jay
Don't forget to Like items if a post is helpful to you!

L5 Sessionator

Hi @sos66sos ,

 

Thank you for providing so many details.  I have a couple questions:

 

  1. "From the Palo CLI I can ping google (8.8.8.8) but the ping goes out the management interface not the Outside interface"  Did you use the "source" parameter?  By default, CLI pings are sourced from the management interface.  You need to specify the outside interface IP as a source if you want it to go out that interface.
  2. "From the PC I can NOT ping google 8.8.8.8"  Does the ASA have a route back to the Palo for the 172.31.32.0/24 network?  It sounds like it does not.  It also sounds like it does have a route for the 192.168.0.0/24 network.
  3. "From the Palo CLI I can NOT ping the ASA interface 3.3.3.110"  Are pings to the inside interface enabled on the ASA?

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

L1 Bithead

I have backed out my configuration and started over - I now see traffic leaving the outside interface.  I obviously had something configured incorrectly so I'm not sure what the solution was but I appreciate everyone's input. 

This was the resolution to the ping issue - I did not source from the outside interface.
I still could not ping until I removed everything and started over.  I must have had something configured incorrection - I should not build firewalls when I'm half asleep 🙂 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!