05-27-2022 07:45 AM
I cannot get traffic to go out my outside interface - it will only go out the Management interface
I have a PA-410 with several Inside interfaces / Outside (connected to an ASA) / Management (connected to my Inside network)
Note: I changed the Outside IP's first 3 octets from the real to 3.3.3. in this post to protect the future public IP for this firewall.
Setup looks like this
PC <-> switch <-> (ethernet1/2.32)PA-410(ethernet1/1) <-> (ethernet0/0)ASA (ethernet0/1)<-> Inside network <-> ISP
If I plug directly into the ASA's 0/0 interface & give my PC an IP in the 3.3.3.104/29 range - I can connect just fine to the internet
Management: 192.168.0.3/24
Inside: 172.31.32.1/24
Internet: 3.3.3.109/29
ASA: 3.3.3.110/29 - The ASA will PAT all traffic so it can cross the Inside network and get to the Internet.
VR - All interfaces added
Includes static route 0.0.0.0/0 -> 3.3.3.110 (See below)
When I connect with my PC to the Palo I get no internet
From the PC I can ping the gateway 172.31.32.1
From the PC I can NOT ping google 8.8.8.8
From the ASA I can ping the Palo outside 3.3.3.109 interface
From the ASA I can ping google (8.8.8.8)
From the Palo CLI I can NOT ping the ASA interface 3.3.3.110
From the Palo CLI I can ping itself 3.3.3.109
From the Palo CLI I can ping google (8.8.8.8) but the ping goes out the management interface not the Outside interface
VIRTUAL ROUTER: DCS-Campus (id 1)
==========
destination        nexthop        metric  flags  age  interface         next-AS
0.0.0.0/0          3.3.3.110      10      A S         ethernet1/1
3.3.3.104/29       3.3.3.109      0       A C         ethernet1/1
3.3.3.109/32       0.0.0.0        0       A H
172.31.8.0/24      172.31.8.1     0       A C         ethernet1/2.8
172.31.8.1/32      0.0.0.0        0       A H
172.31.16.0/24     172.31.16.1    0       A C         ethernet1/2.16
172.31.16.1/32     0.0.0.0        0       A H
172.31.24.0/24     172.31.24.1    0       A C         ethernet1/2.24
172.31.24.1/32     0.0.0.0        0       A H
172.31.32.0/24     172.31.32.1    0       A C         ethernet1/2.32
172.31.32.1/32     0.0.0.0        0       A H
172.31.128.0/24    172.31.128.1   0       A C         ethernet1/2.128
172.31.128.1/32    0.0.0.0        0       A H
172.31.192.0/24    172.31.192.1   0       A C         ethernet1/2.192
172.31.192.1/32    0.0.0.0        0       A H
172.31.248.0/24    172.31.248.1   0       A C         ethernet1/2.248
172.31.248.1/32    0.0.0.0        0       A H
total routes shown: 17
05-27-2022 02:28 PM
Hi @sos66sos ,
Can you paste a screenshot of the traffic logs to include the advanced view when clicking on the microscope icon?
Regards,
Jay
05-27-2022 06:28 PM
Hi @sos66sos ,
Thank you for providing so many details. I have a couple questions:
Thanks,
Tom
05-28-2022 09:32 AM
I have backed out my configuration and started over - I now see traffic leaving the outside interface. I obviously had something configured incorrectly so I'm not sure what the solution was but I appreciate everyone's input.
05-28-2022 09:34 AM
This was the resolution to the ping issue - I did not source from the outside interface.
I still could not ping until I removed everything and started over. I must have had something configured incorrectly - I should not build firewalls when I'm half asleep 🙂
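Added example, not part of the thread: a longest-prefix-match lookup over an excerpt of the routing table from the original post, showing that the virtual router itself forwards 8.8.8.8 to 3.3.3.110 via ethernet1/1. That is consistent with the observation in the thread that an unsourced CLI ping left by the management interface rather than following this table. The function names `parse_routes` and `egress` are this example's own.

```python
import ipaddress

# Excerpt of the routing table from the original post (same column layout).
ROUTES = """\
destination nexthop metric flags age interface next-AS
0.0.0.0/0 3.3.3.110 10 A S ethernet1/1
3.3.3.104/29 3.3.3.109 0 A C ethernet1/1
3.3.3.109/32 0.0.0.0 0 A H
172.31.32.0/24 172.31.32.1 0 A C ethernet1/2.32
172.31.32.1/32 0.0.0.0 0 A H
"""

def parse_routes(text):
    """Return (network, nexthop, flags, interface) for every route row."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or "/" not in fields[0]:
            continue  # header, separator or summary line
        try:
            net = ipaddress.ip_network(fields[0], strict=False)
            nexthop = ipaddress.ip_address(fields[1])
        except ValueError:
            continue
        rest = fields[3:]  # flags, then optional age and interface
        flags = {f for f in rest if len(f) == 1 and f.isalpha()}
        iface = next((f for f in rest if len(f) > 1 and f[0].isalpha()), None)
        routes.append((net, nexthop, flags, iface))
    return routes

def egress(routes, dst):
    """Longest-prefix match over active routes -> (interface, gateway)."""
    dst = ipaddress.ip_address(dst)
    hits = [r for r in routes if "A" in r[2] and dst in r[0]]
    if not hits:
        return None
    net, nexthop, flags, iface = max(hits, key=lambda r: r[0].prefixlen)
    if "H" in flags:          # the firewall's own address
        return ("local", None)
    if "C" in flags:          # directly connected: no gateway needed
        return (iface, None)
    return (iface, str(nexthop))

if __name__ == "__main__":
    table = parse_routes(ROUTES)
    for target in ("8.8.8.8", "3.3.3.110", "3.3.3.109", "172.31.32.50"):
        print(target, "->", egress(table, target))
```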