Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

palo alto to ASA - cant ping

Posted on 2014-10-11
4
Medium Priority
?
994 Views
Last Modified: 2014-11-01
Hi, on a PA3020 I have connected a cat5 cable for a  site to site connection, and the other side has a Cisco ASA5505 with the base license.

On the PAN i have configured a layer3 interface, with ip 192.168.187.2, and on the ASA i have configured ip 192.168.187.1

I have created a virtual router, without any routes on the palo, and a new zone "site-to-site", where the interface 1/10 is assigned

i have created a rule to allow all traffic from "site-to-site" zone to "site-to-site"

When the ASA tries to ping PAN, i can see the packet as "allowed" in the Palo, but it does not send a ping response. Also from the Palo, I can not ping the ASA. I am attaching a screenshot to illustrate..

monitor
On the ASA side, the interface is configured in a vlan "site-to-site"

both the Palo and the ASA are also used for other internet connections and they work properly, but for the site-to-site link I am encountering this problem.

I also do not see arp entries on either side.

any ideas what could be the issue?

Thanks
0
Comment
Question by:sk391
  • 2
  • 2
4 Comments
 
LVL 10

Expert Comment

by:Schuyler Dorsey
ID: 40375065
On the PAN side, did you create an interface mgmt profile which allows PING and attach it to the the interface you are trying to ping from the ASA?
0
 
LVL 1

Accepted Solution

by:
sk391 earned 0 total points
ID: 40375068
yeah i did that.

turns out the issue was that even though I created the new virtual router for this interface, i did not add the static route that was required in order to route 192.168.187.x packets to PAN interface 1/10. that was different compared to the ASA which does not need a static route when the hosts are on the same subnet.

Thanks
0
 
LVL 10

Expert Comment

by:Schuyler Dorsey
ID: 40375069
Great. Glad you got it working.
0
 
LVL 1

Author Closing Comment

by:sk391
ID: 40416986
the issue was that even though I created the new virtual router for this interface, i did not add the static route that was required in order to route 192.168.187.x packets to PAN interface 1/10. that was different compared to the ASA which does not need a static route when the hosts are on the same subnet.
0

Featured Post

Managing Security Policy in a Changing Environment

The enterprise network environment is evolving rapidly as companies extend their physical data centers to embrace cloud computing and software-defined networking. This new reality means that the challenge of managing the security policy is much more dynamic and complex.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Optimal Xbox 360 connectivity requires "OPEN NAT". If you use Juniper Netscreen or SSG firewall products in a home setting, the following steps will allow you get rid of the dreaded warning screen below and achieve the best online gaming environment…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
This lesson discusses how to use a Mainform + Subforms in Microsoft Access to find and enter data for payments on orders. The sample data comes from a custom shop that builds and sells movable storage structures that are delivered to your property. …
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…
Suggested Courses
Course of the Month11 days, 20 hours left to enroll

564 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question