Palo Alto Networks Knowledgebase: Unable to reach server's public IP address
Created On 02/07/19 23:39 PM - Last Updated 02/07/19 23:39 PM
Unable to reach the server's public IP address.
A second public range is configured on interface e1/2, while the physical host is connected to e1/3.
The NAT rules are configured from the untrust zone to the untrust zone.
The server's public IP address is in the same address space as the IP address of another interface on the Palo Alto Networks firewall. Example:
e1/1, zone untrust, IP 126.96.36.199/24
e1/2, zone DMZ-Public, IP 188.8.131.52/24
e1/3, zone DMZ-Private, IP 192.168.1.1/24 (the server is connected to e1/3; its public IP is 184.108.40.206/24 and its private IP is 192.168.1.2/24)
NAT policy configured from zone "untrust" to zone "untrust".
The firewall treats the ingress traffic's destination IP address (220.127.116.11) as belonging to the "DMZ-Public" zone.
This is because the destination zone of a session is determined by a route lookup on the original (pre-NAT) destination address, and that lookup returns the e1/2 route for 18.104.22.168/24, whose zone is DMZ-Public.
The NAT policy, however, only matches traffic from "untrust" to "untrust". No NAT rule matches the session, so the destination is never translated to the server's private address, and the traffic is dropped.
Edit the NAT policy.
Change the destination zone from "untrust" to "DMZ-Public". With that change the ingress traffic matches both the source zone and the destination zone the firewall derives from its route lookup, and the destination translation to the server's private address is applied. To confirm which NAT rule a given flow will hit, use the CLI command test nat-policy-match with the source and destination zones, addresses, protocol and destination port of the flow.
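The following is an added illustration, not part of the knowledgebase article and not Palo Alto Networks code. It models the behaviour the article describes: the destination zone of an inbound packet comes from a longest-prefix route lookup on the pre-NAT destination address, and a NAT rule is only applied when its source and destination zones match those derived zones. The topology mirrors the article's layout but uses constructed addresses from the RFC 5737 documentation ranges in place of the article's public IPs; the interface, zone, rule and address values are all assumptions made for this example.

```python
import ipaddress

# Constructed topology mirroring the article: a public range on e1/1 (untrust),
# a second public range on e1/2 (DMZ-Public), and the server physically on e1/3.
INTERFACES = {
    "ethernet1/1": {"zone": "untrust",     "network": "203.0.113.0/24"},
    "ethernet1/2": {"zone": "DMZ-Public",  "network": "198.51.100.0/24"},
    "ethernet1/3": {"zone": "DMZ-Private", "network": "192.168.1.0/24"},
}

# Connected routes for each interface plus a default route out of e1/1.
ROUTES = [(ipaddress.ip_network(i["network"]), name) for name, i in INTERFACES.items()]
ROUTES.append((ipaddress.ip_network("0.0.0.0/0"), "ethernet1/1"))

# The server's public address sits inside the e1/2 range even though the host is on e1/3.
SERVER_PUBLIC_IP = "198.51.100.2"
SERVER_PRIVATE_IP = "192.168.1.2"


def egress_zone(dst_ip):
    """Longest-prefix route lookup on the (pre-NAT) destination address,
    mapped to the zone of the egress interface. This is the zone the
    firewall uses when matching the 'to' field of NAT and security rules."""
    ip = ipaddress.ip_address(dst_ip)
    best = max((r for r in ROUTES if ip in r[0]), key=lambda r: r[0].prefixlen)
    return INTERFACES[best[1]]["zone"]


def match_nat(rules, src_zone, dst_zone, dst_ip):
    """First NAT rule whose from/to zones and destination address match, else None."""
    for rule in rules:
        if (rule["from"] == src_zone and rule["to"] == dst_zone
                and rule["destination"] == dst_ip):
            return rule
    return None


def process_inbound(rules, ingress_zone, dst_ip):
    """Return (matched rule name, destination after NAT). When no rule matches,
    the destination is left untranslated and the packet heads toward e1/2,
    where no host actually holds that address."""
    dst_zone = egress_zone(dst_ip)
    rule = match_nat(rules, ingress_zone, dst_zone, dst_ip)
    if rule is None:
        return None, dst_ip
    return rule["name"], rule["translated"]


# The rule as the article describes it: untrust -> untrust. It never matches,
# because the route lookup on the public IP yields DMZ-Public, not untrust.
BROKEN_RULES = [{
    "name": "inbound-server", "from": "untrust", "to": "untrust",
    "destination": SERVER_PUBLIC_IP, "translated": SERVER_PRIVATE_IP,
}]

# The corrected rule: destination zone changed to DMZ-Public.
FIXED_RULES = [{
    "name": "inbound-server", "from": "untrust", "to": "DMZ-Public",
    "destination": SERVER_PUBLIC_IP, "translated": SERVER_PRIVATE_IP,
}]

if __name__ == "__main__":
    print("destination zone for %s: %s" % (SERVER_PUBLIC_IP, egress_zone(SERVER_PUBLIC_IP)))
    print("broken policy:", process_inbound(BROKEN_RULES, "untrust", SERVER_PUBLIC_IP))
    print("fixed policy: ", process_inbound(FIXED_RULES, "untrust", SERVER_PUBLIC_IP))
```

Running the block shows the same packet failing to match the untrust-to-untrust rule and matching the untrust-to-DMZ-Public rule, with the destination rewritten to the server's private address only in the second case. The model deliberately ignores everything the real firewall does after NAT (security policy, ARP on the egress interface); it only demonstrates why the zone in the rule has to be the one the route lookup produces.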