09-04-2017 10:47 PM
Hi,
I am reconfiguring my PA-100 VM, as I am changing the network design, but after I changed the interface IPs, router configuration, NAT policy, and security policy, I cannot get to the internet, and in Monitoring the end reason is "aged-out".
From the CLI I can ping and traceroute using the management and external interface as source, but I cannot use my internal interface to ping or traceroute.
I cannot even ping the external interface using the internal interface (after enabling a management profile for the external interface).
I cannot even ping between the Mgmt interface and the internal interface, and they are in the same network (the default intrazone traffic rule is active as well).
I would appreciate any direction in troubleshooting the issue.
09-05-2017 12:31 AM
For TCP traffic, "aged-out" could indicate an incomplete 3-way handshake. A few things to confirm:
1) Can Palo access the internet over the External interface?
2) Make sure routing is correct
3) Remember, traffic generated by the firewall itself will not be subject to policy inspection (unless you source the packet from an interface that is assigned to a security zone).
4) Post the detailed log view of any aged-out session (magnifying glass view)
09-05-2017 12:39 AM
- Palo Alto can access the internet via the external interface and the management interface, but not the internal interface.
- I have only one static route, for 0.0.0.0/0, that goes out the external interface; the next hop is my modem IP address, the metric is set to 10, and the routing table is unicast.
- I am sourcing the traffic from the source zone, and attached is the print screen from my detailed logs.
09-05-2017 12:44 AM - edited 09-05-2017 12:45 AM
You are NATting your traffic to 10.1.1.254, from the source IP 10.1.1.60? Why?
What is your external IP address? You have a modem/router, right? Does it know how to get back to the networks behind the FW?
09-05-2017 12:48 AM
Computer IP is 10.1.1.60
Internal interface for Palo Alto is 10.1.1.254
External IP is 172.16.0.1
Modem IP is 172.16.0.254
From the CLI: ping using the external interface IP as source works:
ping source 172.16.0.1 host yahoo.com
PING yahoo.com (98.138.253.109) from 172.16.0.1 : 56(84) bytes of data.
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_seq=1 ttl=55 time=61.1 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_seq=2 ttl=55 time=59.9 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_seq=3 ttl=55 time=68.8 ms
But ping using the internal IP as source doesn't work.
09-05-2017 12:52 AM - edited 09-05-2017 12:52 AM
Ok, thanks. You need to configure your Palo to NAT all internal traffic to its external IP (172.16.0.1). In case you don't want to do that, then please add a static route on your router/modem pointing to the Palo external IP address (172.16.0.1) for how to reach the 10.1.1.0/24 subnet.
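To make the accepted fix concrete, here is an added Python model (not from the thread or from Palo Alto Networks) of the modem's route lookup for the return packet. It uses the addresses given above and assumes a constructed ISP next hop of 203.0.113.1; it shows why the reply to 10.1.1.60 is lost until either the Palo source-NATs to 172.16.0.1 or the modem gets a static route for 10.1.1.0/24.

```python
from ipaddress import ip_address, ip_network

# Addresses from the thread: client 10.1.1.60, Palo internal 10.1.1.254,
# Palo external 172.16.0.1, modem 172.16.0.254. The ISP next hop 203.0.113.1
# is a constructed placeholder (the thread does not give it).
CLIENT = "10.1.1.60"
FIREWALL_EXTERNAL = "172.16.0.1"
ISP_NEXT_HOP = "203.0.113.1"

# The modem as described: only its own LAN and a default route upstream.
MODEM_ROUTES_BEFORE = [("172.16.0.0/24", None), ("0.0.0.0/0", ISP_NEXT_HOP)]


def lookup(routes, dst):
    """Longest-prefix match over (prefix, next_hop) tuples; next_hop None means directly connected."""
    dst = ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > ip_network(best[0]).prefixlen):
            best = (prefix, next_hop)
    return best


def reply_reaches_firewall(modem_routes, reply_dst):
    """Does the modem hand the return packet for reply_dst back to the Palo's external interface?"""
    match = lookup(modem_routes, reply_dst)
    if match is None:
        return False  # no route at all: the modem drops the reply
    prefix, next_hop = match
    if next_hop is None:
        # Connected route: the modem ARPs for reply_dst on its LAN, which only
        # reaches the firewall when reply_dst is the firewall's own external address.
        return ip_address(reply_dst) == ip_address(FIREWALL_EXTERNAL)
    return ip_address(next_hop) == ip_address(FIREWALL_EXTERNAL)


def scenarios():
    """The three cases from the thread: broken, fixed by source NAT, fixed by a static route."""
    with_static_route = MODEM_ROUTES_BEFORE + [("10.1.1.0/24", FIREWALL_EXTERNAL)]
    return {
        # Reply to 10.1.1.60 follows the modem's default route upstream and never comes back: session ages out.
        "no NAT, no route": reply_reaches_firewall(MODEM_ROUTES_BEFORE, CLIENT),
        # Source NAT rewrites the client to 172.16.0.1, so the reply is addressed to a host on the modem's LAN.
        "source NAT to external IP": reply_reaches_firewall(MODEM_ROUTES_BEFORE, FIREWALL_EXTERNAL),
        # Alternatively the modem learns that 10.1.1.0/24 sits behind 172.16.0.1.
        "static route on modem": reply_reaches_firewall(with_static_route, CLIENT),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:28} -> {'reply returns' if ok else 'reply lost (aged-out)'}")
```

The same lookup explains why the poster's ping sourced from 172.16.0.1 worked all along: that source sits on the modem's connected LAN, so no NAT or extra route is needed for it.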
09-05-2017 12:55 AM
Thanks, this does make sense. I really missed it among the many changes I have been through. Thanks again.