Solved

palo alto to ASA - cant ping

Posted on 2014-10-11
4
726 Views
Last Modified: 2014-11-01
Hi, on a PA3020 I have connected a cat5 cable for a  site to site connection, and the other side has a Cisco ASA5505 with the base license.

On the PAN i have configured a layer3 interface, with ip 192.168.187.2, and on the ASA i have configured ip 192.168.187.1

I have created a virtual router, without any routes on the palo, and a new zone "site-to-site", where the interface 1/10 is assigned

i have created a rule to allow all traffic from "site-to-site" zone to "site-to-site"

When the ASA tries to ping PAN, i can see the packet as "allowed" in the Palo, but it does not send a ping response. Also from the Palo, I can not ping the ASA. I am attaching a screenshot to illustrate..

monitor
On the ASA side, the interface is configured in a vlan "site-to-site"

both the Palo and the ASA are also used for other internet connections and they work properly, but for the site-to-site link I am encountering this problem.

I also do not see arp entries on either side.

any ideas what could be the issue?

Thanks
0
Comment
Question by:sk391
  • 2
  • 2
4 Comments
 
LVL 10

Expert Comment

by:Schuyler Dorsey
ID: 40375065
On the PAN side, did you create an interface mgmt profile which allows PING and attach it to the the interface you are trying to ping from the ASA?
0
 
LVL 1

Accepted Solution

by:
sk391 earned 0 total points
ID: 40375068
yeah i did that.

turns out the issue was that even though I created the new virtual router for this interface, i did not add the static route that was required in order to route 192.168.187.x packets to PAN interface 1/10. that was different compared to the ASA which does not need a static route when the hosts are on the same subnet.

Thanks
0
 
LVL 10

Expert Comment

by:Schuyler Dorsey
ID: 40375069
Great. Glad you got it working.
0
 
LVL 1

Author Closing Comment

by:sk391
ID: 40416986
the issue was that even though I created the new virtual router for this interface, i did not add the static route that was required in order to route 192.168.187.x packets to PAN interface 1/10. that was different compared to the ASA which does not need a static route when the hosts are on the same subnet.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Checkpoint books 3 72
VPN running on Windows 2008 Server 11 81
Cisco ASA 5505 Configuration Issue 8 58
VIRTUAL NETWORKING 3 35
I recently had the displeasure of buying a new firewall at one of the buildings I play Sys Admin at. I had to get a better firewall than the cheap one that I had there since I was reconnecting the main office to the satellite office via point-to-poi…
Network traffic routing plays key role in your network, if you have single site with heavy browsing or multiple sites, replicating important application data from your Primary Default Gateway ,you have to route your other network traffic from your p…
Migrating to Microsoft Office 365 is becoming increasingly popular for organizations both large and small. If you have made the leap to Microsoft’s cloud platform, you know that you will need to create a corporate email signature for your Office 365…
Hi friends,  in this video  I'll show you how new windows 10 user can learn the using of windows 10. Thank you.

895 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now