01-04-2014 07:49 AM
Hello,
I have configured inside, outside and DMZ on the Palo Alto firewall. The outside interface is configured for GlobalProtect.
The default gateway of the Palo Alto firewall is not reachable, but when we connect that cable to the ASA firewall we are able to ping the gateway.
Please help us troubleshoot the issue.
Regards,
Parvez
01-04-2014 08:15 AM
ParvezAhmad, are you specifying the source of your pings as the OUTSIDE interface of your PA that is facing your default gateway when you're doing your tests?
Example:
ping source 216.5.4.3 host 216.5.4.1
Also are you sure the PA firewall isn't blocking the pings? Do you have a policy rule defined that says "allow outside to outside" with App-ID ping?
Also as was previously mentioned if the PA has the same IP as the ASA you're testing with, it makes sense to force a gratuitous ARP to make sure the ARP cache on your default gateway device updates with the PA MAC address instead of the ASA MAC address.
01-04-2014 08:39 AM
Hi,
I tested by using ping host xxx.ccc.xxx.zzzz.
I am doing migration from ASA firewall to Palo Alto firewall. I am using the same cable to connect to Palo Alto outside interface E1/1.
01-04-2014 08:41 AM
Parvez, do:
ping source <your outside interface IP on your Palo Alto> host xxx.ccc.xxx.zzz
01-04-2014 08:45 AM
I believe it should be removed automatically after 180 seconds.
Or do we remove it with "clear ip arp"?
01-04-2014 08:48 AM
The firewall is not blocking the pings, since there is a policy as you mentioned.
Do you think that the GlobalProtect configuration can block this ping?
01-04-2014 08:49 AM
If you don't type "source", the FW uses the management interface for the ping command.
01-04-2014 08:51 AM
Parvez: yes, the ARP cache will eventually time out.
Can you please try "ping source <your outside interface IP on your Palo Alto> host xxx.ccc.xxx.zzz" and let us know your results?
01-04-2014 08:53 AM
Right, what panos said is true. That's why I'm asking for the source parameter to be added to your ping command, ParvezAhmad.
01-04-2014 06:23 PM
What egearhart says is true. If you "ping host www.yahoo.com", the default interface chosen is the management interface. If your WAN interface has an IP of 64.64.64.64, use this syntax: ping source 64.64.64.64 host <IP_ADDR_Nexthop_Rtr>. Then check the ARP cache on the Ethernet port that corresponds to 64.64.64.64. If you do not see an entry for your ISP next hop, then they have probably done a static entry for your IP and MAC in the switch. I have no idea why they do this, but it is fairly common in the USA.
SKrall
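The checks the replies above describe, pulled together as one PAN-OS CLI sequence. This is an added example, not part of the thread or of any poster's own commands. It reuses egearhart's illustrative addresses (outside interface 216.5.4.3 on ethernet1/1, next hop 216.5.4.1) and the interface name from Parvez's post; the command syntax is from PAN-OS 5.x/6.x of the period and should be confirmed with "?" completion on your own release before relying on it.

```console
# Added example (not from the thread). Substitute your own addresses.
# Assumed: outside interface = ethernet1/1 with IP 216.5.4.3, ISP next hop = 216.5.4.1.

# 1. Confirm the default route really points out the outside interface.
> show routing route
#    Expect a 0.0.0.0/0 entry whose nexthop is 216.5.4.1 and interface is ethernet1/1.

# 2. Ping the next hop FROM the outside interface. Without "source" the ping
#    leaves the management interface, which normally has no path to the ISP.
> ping source 216.5.4.3 host 216.5.4.1

# 3. See whether the dataplane ever learned the next hop's MAC address.
> show arp ethernet1/1
#    status "c" (complete) for 216.5.4.1: layer 2 works, look upstream.
#    status "i" (incomplete) or no entry: the gateway is not answering ARP for us,
#    for example because it still maps 216.5.4.3 to the ASA's MAC, or has a static entry.

# 4. The ASA that was on this cable used the same IP. Announce the new MAC to the
#    upstream device instead of waiting for its ARP cache to age out.
> test arp gratuitous interface ethernet1/1 ip 216.5.4.3

# 5. Drop the firewall's own stale entries for the interface and retest.
> clear arp ethernet1/1
> ping source 216.5.4.3 host 216.5.4.1
```

If step 3 still shows no entry for the next hop after the gratuitous ARP, the remaining suspect is outside the firewall: a static ARP or MAC binding for your address on the ISP's switch, which only the ISP can clear.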