Static Routes not Working

cancel
Showing results for 
Search instead for 
Did you mean: 

Static Routes not Working

L1 Bithead

I have a network with in my network that I am trying to control access with user-id in the palo alto.  Before I can do this I need to get routing working.  The routing works just fine up to the palo alto in my test environment.  Each interface can talk to the next hop on the otherside but traffic isn't routing across the interfaces.  I can not ping source 192.168.111.10 to 192.168.2.1  but I can ping source 192.168.111.10 to 192.168.111.1. This is the same for all interfaces.

 

Here is a copy of my routing table

VIRTUAL ROUTER: TEST (id 15)
==========
destination nexthop
metric flags age interface next-AS
192.168.0.0/16 192.168.2.1
15 A S ethernet1/3.9514
192.168.3.0/24 192.168.3.251
0 A C ethernet1/3.9514
192.168.3.251/32 0.0.0.0
0 A H
192.168.111.0/24 192.168.111.1
10 S ethernet1/4.9509
192.168.111.0/24 192.168.111.10
0 A C ethernet1/4.9509
192.168.111.10/32 0.0.0.0
0 A H
192.168.112.0/24 192.168.112.1
10 S ethernet1/4.9510
192.168.112.0/24 192.168.112.10
0 A C ethernet1/4.9510
192.168.112.10/32 0.0.0.0
0 A H
total routes shown: 9

 

Here is how the layer 3 interface is setup

--------------------------------------------------------------------------------
Name: ethernet1/3.9514, ID: 265
Operation mode: layer3
Virtual router TEST
Interface MTU 1500
Interface IP address: 192.168.3.251/24
Interface management profile: Default
ping: yes telnet: no ssh: no http: no https: no
snmp: no response-pages: no userid-service: yes
Service configured:
Interface belong to same subnet as management interface: Yes
Zone: TEST_Untrust, virtual system: vsys1
Adjust TCP MSS: no
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
Name: ethernet1/4.9509, ID: 266
Operation mode: layer3
Virtual router TEST
Interface MTU 1500
Interface IP address: 192.168.111.10/24
Interface management profile: Default
ping: yes telnet: no ssh: no http: no https: no
snmp: no response-pages: no userid-service: yes
Service configured:
Zone: TEST_Trust, virtual system: vsys1
Adjust TCP MSS: no
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
Name: ethernet1/4.9510, ID: 267
Operation mode: layer3
Virtual router TEST
Interface MTU 1500
Interface IP address: 192.168.112.10/24
Interface management profile: Default
ping: yes telnet: no ssh: no http: no https: no
snmp: no response-pages: no userid-service: yes
Service configured:
Zone: TEST_Trust, virtual system: vsys1
Adjust TCP MSS: no
--------------------------------------------------------------------------------

 Here are the security policy associated with virtual routes and interfaces

 

"Inbound TEST untrust to trust" {
from TEST_Untrust;
source any;
source-region none;
to TEST_Trust;
destination any;
destination-region none;
user any;
category any;
application/service any/any/any/any;
action allow;
icmp-unreachable: no
terminal yes;
}

"Outbound TEST trust to untrust" {
from TEST_Trust;
source any;
source-region none;
to TEST_Untrust;
destination any;
destination-region none;
user any;
category any;
application/service any/any/any/any;
action allow;
icmp-unreachable: no
terminal yes;
}

 

Any help or advice would be greatly apreciated.  I have concidered using a virtual wire but now I really just want to figure this out after spending a day on it with no success.

-Michael

4 REPLIES 4

L4 Transporter

I believe following static route is mis-configuration:

192.168.0.0/16 192.168.2.1 15 A S ethernet1/3.9514

 

ethernet1/3.9514 has 192.168.3.251/24.

Then nexthop should be in range of 192.168.3.0/24, you can't reach to 192.168.2.1.

Yeah, routes can only point to connected networks.

I originaly had the next hop set as 192.168.3.1 but that didn't work.  I will go and change it back.

 

I can ping with a source of 192.168.3.251 to host 192.168.3.1 and it works. But I can not ping 192.168.3.1 from 192.168.111.10.  Is this just not a function of the palo alto to be able to ping from a source to a non connected host?

Well wherever you point your route to it should be a router (in connected network) and it should have a route for 192.168.111.0/24 as well pointing back at your device (through connected network).

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!