Solved

palo alto to ASA - cant ping

Posted on 2014-10-11
4
702 Views
Last Modified: 2014-11-01
Hi, on a PA3020 I have connected a cat5 cable for a  site to site connection, and the other side has a Cisco ASA5505 with the base license.

On the PAN i have configured a layer3 interface, with ip 192.168.187.2, and on the ASA i have configured ip 192.168.187.1

I have created a virtual router, without any routes on the palo, and a new zone "site-to-site", where the interface 1/10 is assigned

i have created a rule to allow all traffic from "site-to-site" zone to "site-to-site"

When the ASA tries to ping PAN, i can see the packet as "allowed" in the Palo, but it does not send a ping response. Also from the Palo, I can not ping the ASA. I am attaching a screenshot to illustrate..

monitor
On the ASA side, the interface is configured in a vlan "site-to-site"

both the Palo and the ASA are also used for other internet connections and they work properly, but for the site-to-site link I am encountering this problem.

I also do not see arp entries on either side.

any ideas what could be the issue?

Thanks
0
Comment
Question by:sk391
  • 2
  • 2
4 Comments
 
LVL 10

Expert Comment

by:Schuyler Dorsey
ID: 40375065
On the PAN side, did you create an interface mgmt profile which allows PING and attach it to the the interface you are trying to ping from the ASA?
0
 
LVL 1

Accepted Solution

by:
sk391 earned 0 total points
ID: 40375068
yeah i did that.

turns out the issue was that even though I created the new virtual router for this interface, i did not add the static route that was required in order to route 192.168.187.x packets to PAN interface 1/10. that was different compared to the ASA which does not need a static route when the hosts are on the same subnet.

Thanks
0
 
LVL 10

Expert Comment

by:Schuyler Dorsey
ID: 40375069
Great. Glad you got it working.
0
 
LVL 1

Author Closing Comment

by:sk391
ID: 40416986
the issue was that even though I created the new virtual router for this interface, i did not add the static route that was required in order to route 192.168.187.x packets to PAN interface 1/10. that was different compared to the ASA which does not need a static route when the hosts are on the same subnet.
0

Featured Post

Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

Join & Write a Comment

In this tutorial I will show you with short command examples how to obtain a packet footprint of all traffic flowing thru your Juniper device running ScreenOS. I do not know the exact firmware requirement, but I think the fprofile command is availab…
Optimal Xbox 360 connectivity requires "OPEN NAT". If you use Juniper Netscreen or SSG firewall products in a home setting, the following steps will allow you get rid of the dreaded warning screen below and achieve the best online gaming environment…
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now