Unable to Ping External Interface from an Internal Address

34308
Created On 09/26/18 13:54 PM - Last Modified 06/13/23 16:35 PM



Issue

Source NAT is configured and it is not possible to ping the firewall's external interface from an internal host.

Cause

Pinging an external interface from an internal host when source NAT is in use is an incorrect test method. After source NAT is applied, the packet's source address becomes the firewall's external address, which is also the destination address. A packet whose source and destination addresses are identical matches the signature of a LAND attack, so the firewall's LAND protection drops it.

In the CLI, the global counters reveal LAND drops caused by misconfigured NAT rules:

> show counter global filter packet-filter yes | match nat_land

flow_policy_nat_land   drop      Session setup: source NAT IP allocation result in LAND attack

Resolution

1. Create an Address Object for the external IP.

   [Screenshot: step.1.JPG]

2. Create a NAT rule with No Translation for traffic destined for that IP address.

   [Screenshot: step.2.JPG]

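The following is an added example, not code from the Palo Alto Networks article: a small Python model of top-down NAT policy evaluation that reproduces the LAND drop described above and shows why a no-translation rule placed above the source NAT rule fixes it. The addresses, zone names and rule names are constructed for the demonstration.

```python
# Added example (not from the article): model first-match, top-down NAT rule
# evaluation and the source == destination check behind flow_policy_nat_land.
from dataclasses import dataclass
from typing import Optional

EXTERNAL_IP = "203.0.113.10"   # firewall's external interface address (constructed)


@dataclass
class NatRule:
    name: str
    dst: Optional[str]        # destination address object value; None means any
    snat_ip: Optional[str]    # source-translation address; None means no translation


def evaluate_nat(rules, src, dst):
    """Return (action, rule_name, translated_src) for the first matching rule.

    Rules are matched top-down and the first match wins. If source NAT would
    make the translated source equal to the destination, the session is
    dropped, which is the condition the article's counter reports."""
    for rule in rules:
        if rule.dst not in (None, dst):
            continue
        new_src = rule.snat_ip if rule.snat_ip else src
        if new_src == dst:
            return ("drop", rule.name, new_src)
        return ("allow", rule.name, new_src)
    return ("allow", None, src)


# Misconfigured rulebase: only the catch-all source NAT rule exists.
BROKEN = [NatRule("SNAT-to-Internet", dst=None, snat_ip=EXTERNAL_IP)]

# Fixed rulebase: the no-translation rule for the external IP sits above it.
FIXED = [
    NatRule("No-NAT-to-External-IP", dst=EXTERNAL_IP, snat_ip=None),
    NatRule("SNAT-to-Internet", dst=None, snat_ip=EXTERNAL_IP),
]


def ping_test(rules):
    """Internal host 10.0.0.5 pings the firewall's external interface."""
    return evaluate_nat(rules, "10.0.0.5", EXTERNAL_IP)


if __name__ == "__main__":
    print("broken:", ping_test(BROKEN))  # ('drop', 'SNAT-to-Internet', '203.0.113.10')
    print("fixed: ", ping_test(FIXED))   # ('allow', 'No-NAT-to-External-IP', '10.0.0.5')
```

Ordinary outbound traffic is still translated under the fixed rulebase, since only traffic destined to the external IP matches the no-translation rule.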
owner:  nayubi



    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm0ICAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail