I am attempting to replace a backup internet connection.
Basic Topology: Palo Alto PA-850 <--> Cisco 4321 <--> Internet
Sanitized config (IPs aren't the ones I'm working with):
**Palo Alto PA-850**

```
Eth1/1 - 10.100.10.1 (Inside)
Eth1/4 - 10.254.10.2 (Outside)
Virtual Router
  Destination: 0.0.0.0/0
  Interface: Eth1/4
  Next Hop (Value): 10.254.10.1
```
**Cisco 4321**

```
interface GigabitEthernet0/0/1
 description Connection to Palo Alto
 ip address 10.254.10.1 255.255.255.0
 ip nat inside
 negotiation auto
end
interface GigabitEthernet0/0/0
 description Internet
 ip address 22.25.22.14 255.255.255.252
 ip nat outside
 negotiation auto
 port-tagging
 encapsulation dot1q 67
 set cos 0
end
ip route 0.0.0.0 0.0.0.0 22.25.22.13
ip nat inside source list 100 interface GigabitEthernet0/0/0 overload
ip access-list extended 100
 10 permit ip any any
```
From the Palo Alto command line, I am attempting to test connectivity from Eth1/4 all the way through and am only getting as far as Gi0/0/1 of the Cisco 4321.

```
ping source 10.254.10.2 host 10.254.10.1   (successful)
ping source 10.254.10.2 host 22.25.22.14   (unsuccessful)
ping source 10.254.10.2 host 22.25.22.13   (unsuccessful)
```
For testing purposes, I hooked up a workstation to Gi0/0/1 on the 4321, assigned it 10.254.10.2, and was able to get to the internet without a problem. Since NAT is being done on the router, I wouldn't think it necessary on the firewall, so as to avoid a double NAT. For kicks, I did put a NAT policy in and still had the same results.
I'm not sure what I'm missing. I would appreciate any insight to help guide me in the right direction. Thank you in advance!
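An added example, not part of the original post: a small Python check of the hand-off addressing in the two configs above. It embeds the sanitized Cisco config from the post as a constructed string, takes the Palo Alto route values from the post, and assumes (my assumption, not stated in the post) that 10.100.10.0/24 and 10.254.10.0/24 are the only prefixes that should ever be translated. It verifies that the firewall's next hop is a NAT-inside address in the firewall's own subnet, that the router's default gateway sits in the NAT-outside /30, that the overload rule points at the outside interface, and it flags the `permit ip any any` NAT ACL, which translates whatever arrives on Gi0/0/1 (spoofed sources included) and is worth scoping to the inside prefixes even though it is not what blocks a ping.

```python
"""Sanity checks for the PA-850 -> Cisco 4321 -> Internet hand-off described above."""
import ipaddress
import re

# Sanitized Cisco 4321 config from the post, embedded as a constructed string.
CISCO_CONFIG = """
interface GigabitEthernet0/0/1
 description Connection to Palo Alto
 ip address 10.254.10.1 255.255.255.0
 ip nat inside
 negotiation auto
end
interface GigabitEthernet0/0/0
 description Internet
 ip address 22.25.22.14 255.255.255.252
 ip nat outside
 negotiation auto
end
ip route 0.0.0.0 0.0.0.0 22.25.22.13
ip nat inside source list 100 interface GigabitEthernet0/0/0 overload
ip access-list extended 100
 10 permit ip any any
"""

# Palo Alto values from the post.
PA_OUTSIDE_IP = ipaddress.ip_address("10.254.10.2")
PA_DEFAULT_NEXT_HOP = ipaddress.ip_address("10.254.10.1")
# Assumption: the only prefixes that should ever be translated by the router.
INSIDE_PREFIXES = [ipaddress.ip_network(p) for p in ("10.100.10.0/24", "10.254.10.0/24")]


def parse_cisco(cfg):
    """Extract interfaces, default routes, the NAT overload rule and ACL entries from IOS text."""
    ifaces, acls, routes, nat = {}, {}, [], None
    block = None  # ("iface", name) or ("acl", number) while inside a stanza
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line in ("end", "!"):
            block = None
        elif m := re.match(r"interface (\S+)$", line):
            block = ("iface", m.group(1))
            ifaces[m.group(1)] = {"ip": None, "nat": None}
        elif m := re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line):
            routes.append(ipaddress.ip_address(m.group(1)))
        elif m := re.match(r"ip nat inside source list (\S+) interface (\S+)( overload)?", line):
            nat = {"acl": m.group(1), "interface": m.group(2), "overload": bool(m.group(3))}
        elif m := re.match(r"ip access-list (?:standard|extended) (\S+)", line):
            block = ("acl", m.group(1))
            acls[m.group(1)] = []
        elif block and block[0] == "iface":
            if m := re.match(r"ip address (\S+) (\S+)", line):
                # ip_interface accepts a dotted netmask, so "a.b.c.d/255.255.255.252" is fine
                ifaces[block[1]]["ip"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
            elif m := re.match(r"ip nat (inside|outside)$", line):
                ifaces[block[1]]["nat"] = m.group(1)
        elif block and block[0] == "acl":
            acls[block[1]].append(line.split())  # e.g. ['10', 'permit', 'ip', 'any', 'any']
    return {"interfaces": ifaces, "acls": acls, "routes": routes, "nat": nat}


def check_handoff(cfg=CISCO_CONFIG):
    """Return the addressing/NAT-direction checks to make before suspecting NAT itself."""
    c = parse_cisco(cfg)
    ifaces = c["interfaces"]
    inside = [n for n, i in ifaces.items() if i["nat"] == "inside" and i["ip"]]
    outside = [n for n, i in ifaces.items() if i["nat"] == "outside" and i["ip"]]
    nat = c["nat"] or {"acl": None, "interface": None, "overload": False}
    return {
        # The firewall's next hop must be a NAT-inside address inside the firewall's own subnet.
        "pa_next_hop_on_nat_inside": any(
            ifaces[n]["ip"].ip == PA_DEFAULT_NEXT_HOP and PA_OUTSIDE_IP in ifaces[n]["ip"].network
            for n in inside),
        # The router's default gateway must sit in the NAT-outside interface's subnet.
        "default_gw_on_outside_subnet": any(
            gw in ifaces[n]["ip"].network for gw in c["routes"] for n in outside),
        # The overload rule must translate to the outside interface, not an inside one.
        "overload_uses_outside": nat["overload"] and nat["interface"] in outside,
        # 'permit ip any any' translates anything entering the inside interface, spoofed or not.
        "nat_acl_permits_any_any": any(
            " ".join(e).endswith("permit ip any any") for e in c["acls"].get(nat["acl"], [])),
    }


def scoped_nat_acl(number, prefixes=INSIDE_PREFIXES):
    """Replacement ACL limited to the inside prefixes, using the wildcard masks IOS expects."""
    lines = [f"ip access-list extended {number}"]
    for seq, p in enumerate(prefixes, start=1):
        lines.append(f" {seq * 10} permit ip {p.network_address} {p.hostmask} any")
    return lines


if __name__ == "__main__":
    for name, ok in check_handoff().items():
        print(f"{name}: {ok}")
    print("\n".join(scoped_nat_acl("100")))
```

On the posted config the three addressing checks pass, which is consistent with the workstation test succeeding from the same 10.254.10.2 address; the only finding is the unscoped NAT ACL, and `scoped_nat_acl` prints the tightened replacement.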