Unable to Ping the Untrust Address, but Able to Ping Public IPs from Untrust Address


29012
Created On 09/26/18 13:50 PM - Last Modified 06/13/23 03:02 AM




Issue

The Palo Alto Networks firewall has an interface in the Untrust zone configured with an ISP-assigned address (ISP1). ISP1 cannot be pinged from any public IP (X.X.X.X) arriving through the Untrust zone, yet a ping sourced from the ISP1 address to X.X.X.X succeeds.

 

Cause

A NAT rule on the Palo Alto Networks firewall matches traffic from source zone Untrust to destination zone Untrust and translates the source address of everything it matches to ISP1. An inbound packet from X.X.X.X to ISP1 enters through the Untrust zone and is destined for an address that also lives in the Untrust zone, so the rule matches and rewrites the source to ISP1. The firewall now sees a packet from ISP1 to ISP1, that is, identical source and destination addresses, and drops it as a LAND attack. The drop is visible in the global counters: running `show counter global filter severity drop delta yes` on the CLI while the ping is repeated shows a LAND-related drop counter incrementing.

 

When the traffic is sourced from ISP1 to X.X.X.X, the same rule translates the source to ISP1, which is the address the packet already carries, so it leaves for the internet unchanged and the reply returns normally. Source and destination differ, so the LAND check never triggers and the outbound ping works.

 

Resolution

Remove the NAT rule that translates traffic coming from any public IP in the Untrust zone and destined for the Untrust zone to the ISP address on the Palo Alto Networks firewall (ISP1, in this case). If Untrust-to-Untrust source translation is still needed for other traffic, narrow the rule instead of deleting it: place a rule above it that matches destination ISP1 and applies no translation, so packets addressed to the firewall's own interface keep their real source address and the LAND check no longer fires. After the commit, ping ISP1 from X.X.X.X again and confirm that the LAND drop counter has stopped incrementing. Note that the Untrust interface must also have an Interface Management Profile that permits ping; without it the ping still fails, but for an unrelated reason.
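To make the rule-order logic behind the Cause and Resolution sections concrete, here is a small Python simulation added to this article; it is not PAN-OS code or anything from Palo Alto Networks. It models top-down NAT policy matching on pre-NAT zones and addresses, applies the source translation of the first matching rule, and then runs the LAND check (source equal to destination after translation). The addresses 203.0.113.10 (standing in for ISP1) and 198.51.100.25 (standing in for X.X.X.X), the zone table and the rule names are constructed for the example. It shows the article's rule dropping the inbound ping while passing the outbound one, the ruleset with that rule removed as the Resolution describes, and the narrower alternative that keeps the hairpin rule but exempts the firewall's own address.

```python
"""Toy model of NAT rule matching and the LAND check (added example, not PAN-OS code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed addresses for the walkthrough (assumed, not taken from the article).
ISP1 = "203.0.113.10"          # firewall's Untrust interface address (ISP1)
PUBLIC_HOST = "198.51.100.25"  # the remote public host (X.X.X.X in the article)

# Zone membership by prefix; the Untrust zone carries the default route.
ZONES: Dict[str, List[ipaddress.IPv4Network]] = {
    "Trust": [ipaddress.ip_network("10.0.0.0/8")],
    "Untrust": [ipaddress.ip_network("0.0.0.0/0")],
}


def zone_for(ip: str) -> str:
    """Longest-prefix match of an address against the zone table."""
    addr = ipaddress.ip_address(ip)
    best_zone, best_len = None, -1
    for zone, nets in ZONES.items():
        for net in nets:
            if addr in net and net.prefixlen > best_len:
                best_zone, best_len = zone, net.prefixlen
    if best_zone is None:
        raise ValueError(f"no zone for {ip}")
    return best_zone


@dataclass
class NatRule:
    name: str
    from_zone: str
    to_zone: str
    dst: Optional[str] = None        # original destination to match; None = any
    src_xlate: Optional[str] = None  # translated source address; None = no translation


def first_match(rules: List[NatRule], src_zone: str, dst_zone: str, dst_ip: str) -> Optional[NatRule]:
    """NAT policy is evaluated top-down on pre-NAT zones and addresses; the first hit wins."""
    for r in rules:
        if r.from_zone == src_zone and r.to_zone == dst_zone and r.dst in (None, dst_ip):
            return r
    return None


def evaluate(rules: List[NatRule], src_ip: str, dst_ip: str) -> dict:
    """Apply the matching NAT rule, then run the LAND check (src == dst after NAT)."""
    src_zone, dst_zone = zone_for(src_ip), zone_for(dst_ip)
    rule = first_match(rules, src_zone, dst_zone, dst_ip)
    new_src = rule.src_xlate if rule and rule.src_xlate else src_ip
    result = {"rule": rule.name if rule else None, "post_nat_src": new_src, "dst": dst_ip}
    if new_src == dst_ip:
        result.update(action="drop", reason="LAND attack: source equals destination after NAT")
    else:
        result.update(action="allow", reason="")
    return result


# The rule the article describes: everything Untrust -> Untrust is source-NATed to ISP1.
BROKEN_RULES = [NatRule("Untrust-Hairpin-SNAT", "Untrust", "Untrust", src_xlate=ISP1)]

# The article's resolution: the rule is removed.
REMOVED_RULES: List[NatRule] = []

# Narrower alternative: a no-translation rule for the firewall's own address, ordered
# above the hairpin rule, so packets addressed to ISP1 keep their real source.
NARROWED_RULES = [
    NatRule("No-NAT-to-ISP1", "Untrust", "Untrust", dst=ISP1),
    NatRule("Untrust-Hairpin-SNAT", "Untrust", "Untrust", src_xlate=ISP1),
]

if __name__ == "__main__":
    for label, rules in (("broken", BROKEN_RULES), ("removed", REMOVED_RULES), ("narrowed", NARROWED_RULES)):
        print(f"{label:8} inbound  {evaluate(rules, PUBLIC_HOST, ISP1)}")
        print(f"{label:8} outbound {evaluate(rules, ISP1, PUBLIC_HOST)}")
```

Rule order is the whole point of the narrowed variant: the no-translation rule only protects the firewall's address because it sits above the hairpin rule, so if the two are swapped the inbound ping is dropped again.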

 

owner: achalla



    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClrqCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail