topic Re: Ubuntu connected with PA firewall (AWS instance) trusted network can't ping untrusted network in General Topics

Ubuntu connected with PA firewall (AWS instance) trusted network can't ping untrusted network

Susan_Avxt — Wed, 16 Dec 2020 07:09:01 GMT

My PA-VM is AWS EC2 instance using software version 10.0.2.

10.20.10/24 is VPC's public subnet, 10.20.61/24 is VPC's private subnet. Ubuntu10.20.61.81 can ping 10.20.61.61, but can't ping 10.20.10.0/24 network.

Ubuntu 10.60.0.100 can ping 10.20.61.61, but can't ping 10.20.61.81. I have allow 10.60.0.0/24 in the ubuntu10_20_61_81 Security Group.

What do I miss for the configuration?

Re: Ubuntu connected with PA firewall (AWS instance) trusted network can't ping untrusted network

laurence64 — Wed, 16 Dec 2020 09:09:58 GMT

Difficult one to see without looking at the configurations, firstly I would check.

routing (both sides)
Rules (both sides)
zone configuration

Am happy to help should you need any further assistance.

Re: Ubuntu connected with PA firewall (AWS instance) trusted network can't ping untrusted network

Susan_Avxt — Wed, 16 Dec 2020 17:54:24 GMT

Thanks, Laurence64.

Following is the information.

PA-VM side:

routing

min@PA-VM> show routing route
VIRTUAL ROUTER: vr1 (id 1)
==========ive, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp,
destination nexthop metric flags age interface next-AS
0.0.0.0/0 10.20.10.1 10 A S ethernet1/1
10.20.0.0/16 10.20.61.61 10 A S ethernet1/2
10.20.10.0/24 10.20.10.50 0 A C ethernet1/1
10.20.10.50/32 0.0.0.0 0 A H
10.20.61.0/24 10.20.61.61 0 A C ethernet1/2
10.20.61.61/32 0.0.0.0 0 A H
10.60.0.0/24 0.0.0.0 10 A S tunnel.1
total routes shown: 7

Rule: I have permitall

Zone:

Ubuntu side

routing

ubuntu@ip-10-20-61-81:~$ ip route
default via 10.20.61.1 dev eth0 proto dhcp src 10.20.61.81 metric 100
10.20.61.0/24 dev eth0 proto kernel scope link src 10.20.61.81
10.20.61.1 dev eth0 proto dhcp scope link src 10.20.61.81 metric 100

ubuntu@ip-10-20-61-81:~$ sudo iptables -L -v -n
Chain INPUT (policy ACCEPT 102 packets, 8410 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 95 packets, 8894 bytes)
pkts bytes target prot opt in out source destination

Re: Ubuntu connected with PA firewall (AWS instance) trusted network can't ping untrusted network

Susan_Avxt — Thu, 17 Dec 2020 05:49:26 GMT

I found the issue. I need to set "change Sourece/Dest. Check" disable on the Network Interfaces.

Re: Ubuntu connected with PA firewall (AWS instance) trusted network can't ping untrusted network

laurence64 — Tue, 05 Jan 2021 20:34:35 GMT

Many apologies for the massive delay in getting back to you over this, indeed yes you have to remove the src/dest check in AWS, glad you found the issue.