
Access PA-440 MGMT Interface via Cisco Switch


L0 Member

Hi Guys,

I am working with the scenario below and would like some help.

[Diagram: Janmejay_Dave_1-1687412475430.png]

As shown in diagram:

A Cisco IE3400 switch is connected to the PA-440 with a trunk connection, and one of the switch's interfaces is also connected to the MGMT port of the PA-440.

There are multiple VLANs in the network, but I have shown only the relevant ones in this case.

The Cisco switch has VLAN 103 IP address 192.168.1.166 and its gateway is 192.168.1.161, which is the IP address of the VLAN subinterface of the PA-440.

The PA-440 MGMT port has IP 192.168.1.173/28 and G/W 192.168.1.161.

I am trying to access the MGMT port from my laptop, which has IP address (VLAN 110) 192.168.1.254 and G/W 192.168.1.253, which is the IP of the VLAN 110 subinterface of the PA-440.

From my laptop, I can ping 192.168.1.166, 192.168.1.161 and 192.168.1.253, but I cannot ping 192.168.1.173.

I configured SPAN on the interface connecting the switch to the PA-440, and I can see in Wireshark that the ping request is going to the MGMT port, but it is not responding.

I am pretty sure that it is something to do with the PA-440 and not Cisco.

Does anyone have any idea why this is happening?

Is it even possible to do it this way?

Is the issue that the same VLAN is used on the MGMT port and at the interface level, where the default gateway of the MGMT port is the same as the IP address of the VLAN 103 subinterface on the PA-440?

Regards,

 

1 REPLY

L4 Transporter

Hi there,

What do the MAC address table and IP ARP table look like on the switch for VLAN 103? Do the details of the Palo Alto MGMT interface appear? Likewise, what does the ARP table on the firewall look like (show arp management)? Can you see the details for the PA VLAN 103 sub-interface? What can you ping from the management interface?

Finally, does the management interface have an Allowed IP list configured?

cheers,

Seb.
