07-21-2021 09:52 AM
I’m configuring a PA3220 for three external class C addresses we own (192.168.10.0/24, 192.168.11.0/24, and 192.168.14.0/24). We have two ISP Internet connections on two different campuses. We are using trunking to carry the different VLANs, so the outside networks are on the same physical interface. The inside network is on another physical interface. We have static routes setup for the two class C – 192.168.10.0 and 192.168.11.0. I tried to setup a static route for the other network, but that doesn’t work. See diagram.
I am able to get two of the class C addresses working correctly; however, I cannot get a ping response back from the third class C address (192.168.14.0/24) assigned to the PA from outside. I do get a response from a PC on the same network. I have a PC (192.168.14.250) in the third class C subnet that does respond to ping, so I know that the router is working correctly. I’m not sure if this is a routing issue with the PA or something else. Please let me know if I need to provide additional information.
07-21-2021 10:26 PM
@HamptonSaussy Is the vlan 107 allowed by your ISP s they might need to allow it on their devices for the vlan to work. You can also create vlan interface on switch in both campuses which will bypass the PA and then you can be sure it s not the firewall.
07-22-2021 09:45 AM
Thank you for your reply. Yes, the ISP is forwarding to that Vlan. I have a PC that is in the subnet (107) outside the firewall that I can ping. However, I cannot ping the address assigned to the PA interface. That's what is confusing. The PA doesn't show the ping in a capture either.
07-22-2021 11:02 PM
@HamptonSaussy Have another look if you have allowed the vlan on the trunk connecting to PA. You can also create and assign an IP from the subnet on the switch which trunks to PA, you rule out the ISP and focus locally first. You should be able ping from PA interface as source to the switch interface vlan 197 IP. Also when doing a ping to PA don't forget what and which IPs you allow in attached interface management profile.
07-23-2021 08:30 AM
The router is handling the trunk port and has a .1 address and the PA has a .2 address. From a PC with a .250 address, I can ping both .1 and .2 addresses. However, from outside that network, I can only ping the .1 address and the .250 address. The PA routing table has the 107 subnet pointing to the .1 address. The PA default route is pointing to vlan102. So, I believe the PA is handling the trunking. I'm thinking I may need PBF for this network.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
