Hi all,
i've connected a adsl modem to our 3020 to redirect some clients to, configured the interface as dhcp client, the port successfully gets an ip address from the modem but i can not ping the modem interface from firewall's cli. I might be missing a simple step but i'm fairly new with PA, any help appreciated, thank you
Sorry for not mentioning but i've already created a management profile with ping, ssh, telnet and http, and attached it to eth5
@Oseberg wrote:
Sorry for not mentioning but i've already created a management profile with ping, ssh, telnet and http, and attached it to eth5
First off: please don't attach this profile to your WAN interface, especially telnet and http are bad ideas to expose to the internet (they expose your management interface to the whole wide internet, unless you set strict security profiles)
I'd recommend setting up GlobalProtect for management tasks
You may need to create a specific NAT rule at the top of your NAT policy to not apply nat for any traffic from trust to untrust destined to your external IP as this may create a LAND attack
Typically your default NAT rule will hide trust ip subnet behind the untrust interface IP, for any internet bound traffic this is perfect. but when connecting directly to your external interface, your source ip (natted) wil match your destination ip (interface) exactly. This is called a LAND attack (typically an attacker will use source spoofing to force your interface to reply to itself, potentially causing a loop). Hence, any packets destined to an interface sourced from the same IP address will be dropped
for your ping this will mean it will be discarded as well
For a dynamic interface this could pose a challenge as you won't know what your IP will be in advance: you could create a policy on the spot or use a dynamic dns and set an FQDN
