Solved

palo alto to ASA - cant ping

Posted on 2014-10-11
4
756 Views
Last Modified: 2014-11-01
Hi, on a PA3020 I have connected a cat5 cable for a  site to site connection, and the other side has a Cisco ASA5505 with the base license.

On the PAN i have configured a layer3 interface, with ip 192.168.187.2, and on the ASA i have configured ip 192.168.187.1

I have created a virtual router, without any routes on the palo, and a new zone "site-to-site", where the interface 1/10 is assigned

i have created a rule to allow all traffic from "site-to-site" zone to "site-to-site"

When the ASA tries to ping PAN, i can see the packet as "allowed" in the Palo, but it does not send a ping response. Also from the Palo, I can not ping the ASA. I am attaching a screenshot to illustrate..

monitor
On the ASA side, the interface is configured in a vlan "site-to-site"

both the Palo and the ASA are also used for other internet connections and they work properly, but for the site-to-site link I am encountering this problem.

I also do not see arp entries on either side.

any ideas what could be the issue?

Thanks
0
Comment
Question by:sk391
  • 2
  • 2
4 Comments
 
LVL 10

Expert Comment

by:Schuyler Dorsey
ID: 40375065
On the PAN side, did you create an interface mgmt profile which allows PING and attach it to the the interface you are trying to ping from the ASA?
0
 
LVL 1

Accepted Solution

by:
sk391 earned 0 total points
ID: 40375068
yeah i did that.

turns out the issue was that even though I created the new virtual router for this interface, i did not add the static route that was required in order to route 192.168.187.x packets to PAN interface 1/10. that was different compared to the ASA which does not need a static route when the hosts are on the same subnet.

Thanks
0
 
LVL 10

Expert Comment

by:Schuyler Dorsey
ID: 40375069
Great. Glad you got it working.
0
 
LVL 1

Author Closing Comment

by:sk391
ID: 40416986
the issue was that even though I created the new virtual router for this interface, i did not add the static route that was required in order to route 192.168.187.x packets to PAN interface 1/10. that was different compared to the ASA which does not need a static route when the hosts are on the same subnet.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
increase internet speed 3 94
Cisco ASA 5506 4 54
Which the best UTM recommended ? 2 95
ASA - RV130 VPN tunnel, cannot pass traffic 8 68
I recently had the displeasure of buying a new firewall at one of the buildings I play Sys Admin at. I had to get a better firewall than the cheap one that I had there since I was reconnecting the main office to the satellite office via point-to-poi…
Optimal Xbox 360 connectivity requires "OPEN NAT". If you use Juniper Netscreen or SSG firewall products in a home setting, the following steps will allow you get rid of the dreaded warning screen below and achieve the best online gaming environment…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

831 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question