How to enable Ping on ISP interface with Dynamic IP?

L4 Transporter

Hi folks,
As I continue my baby step learning, I am successfully using a PA-200 to access the internet from my internal clients.

I am now trying to understand how to enable ping (at least temporarily) on my 1/1 Untrust-L3 interface. I would like to be able to ping it from anywhere on the web for troubleshooting and learning purposes.

I am following this article and assigning a ping enabled profile to my interface.

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Allow-Ping-and-ICMP-on-Layer-3-In...

Still unable to ping the public IP address. Am I missing a security rule for ping specifically?

Created a management profile for ping.

ping1.jpg
Assigned it to my Public interface.

ping2.jpg

The interface gets its IP from the ISP via DHCP. I am trying to ping the public IP address from my laptop, 192.168.32.13.

ping3.jpg
Accepted Solutions
L7 Applicator

Pinging the external interface from an internal IP is also a little more complex than it may sound.

One of the first things that will happen is that your ping is going to hit a NAT rule as it is outbound, so it will hit your trust-to-untrust NAT rule, meaning your source IP will be changed into the interface IP.

What happens next is what makes it more tricky: your translated packet will have the same source and destination IP address, which is technically a LAND attack (because this could cause a loop where a host is constantly replying to itself), so the packet is discarded.

To fix this issue you should add a NAT policy above the outbound policy, specifically for your external IP, where you perform no NAT at all. With a static IP this is a piece of cake, as you can easily set a destination IP address; for a dynamic IP this is not possible, so you will need some sort of DynDNS service which you can add to the firewall as an FQDN object.

Tom Piens - PANgurus.com
New to PAN-OS or getting ready to take the PCNSE? check out amazon.com/dp/1789956374
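As an added illustration of the accepted answer (this is not PAN-OS code and not the poster's own configuration), the model below walks a ping from the internal laptop through a top-down, first-match NAT policy, applies the LAND check on the translated packet, and shows why a no-NAT rule for the external address only helps when it sits above the broad outbound rule. The interface address, the DynDNS name and the trust subnet are constructed lab values.

```python
"""Added illustration for this thread (not PAN-OS code, not the poster's code):
a small model of how a PAN-OS NAT policy treats an internal host pinging the
firewall's own dynamic external address, and why a no-NAT rule placed above
the outbound rule is what makes it work."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed lab values (assumptions, not from the thread): the untrust
# interface currently holds this DHCP-assigned address and a DynDNS name
# tracks it, so the firewall can refer to it through an FQDN address object.
INTERFACE_IP = "203.0.113.45"
DYNDNS_RECORDS = {"myfw.example-dyndns.invalid": INTERFACE_IP}
TRUST_NET = ipaddress.ip_network("192.168.32.0/24")


def zone_of(ip: str) -> str:
    """Tiny route lookup: the LAN is zone 'trust', everything else 'untrust'."""
    return "trust" if ipaddress.ip_address(ip) in TRUST_NET else "untrust"


def resolve(address_object: str) -> set:
    """Address object lookup: 'any' (empty set = match all), a literal IP,
    or an FQDN object that the firewall resolves via DNS."""
    if address_object == "any":
        return set()
    if address_object in DYNDNS_RECORDS:
        return {DYNDNS_RECORDS[address_object]}
    return {address_object}


@dataclass
class NatRule:
    name: str
    from_zone: str
    to_zone: str
    destination: str = "any"        # address or FQDN object name
    translate_source: bool = False  # True: source NAT to the egress interface IP


def first_match(rules: list, src: str, dst: str) -> Optional[NatRule]:
    """NAT rules are evaluated top-down and the first match wins."""
    for rule in rules:
        if rule.from_zone != zone_of(src) or rule.to_zone != zone_of(dst):
            continue
        allowed = resolve(rule.destination)
        if allowed and dst not in allowed:
            continue
        return rule
    return None


def forward(rules: list, src: str, dst: str, interface_ip: str = INTERFACE_IP) -> dict:
    """Apply NAT, then the LAND check: a packet whose translated source equals
    its destination is dropped rather than forwarded."""
    rule = first_match(rules, src, dst)
    new_src = interface_ip if (rule and rule.translate_source) else src
    verdict = "drop" if new_src == dst else "forward"
    return {
        "rule": rule.name if rule else None,
        "translated_src": new_src,
        "verdict": verdict,
        "reason": "land-attack" if verdict == "drop" else "",
    }


# The two rules discussed in the answer.
OUTBOUND = NatRule("trust-to-untrust", "trust", "untrust", "any", translate_source=True)
NO_NAT_TO_FW = NatRule("no-nat-to-external-ip", "trust", "untrust",
                       "myfw.example-dyndns.invalid", translate_source=False)

LAPTOP = "192.168.32.13"   # the internal host from the question


def ping_with_outbound_only() -> dict:
    """Only the outbound rule exists: src becomes the interface IP == dst, LAND drop."""
    return forward([OUTBOUND], LAPTOP, INTERFACE_IP)


def ping_with_no_nat_above() -> dict:
    """No-NAT rule sits above the outbound rule: source is left alone, ping forwards."""
    return forward([NO_NAT_TO_FW, OUTBOUND], LAPTOP, INTERFACE_IP)


def ping_with_no_nat_below() -> dict:
    """Same rules in the wrong order: the broad outbound rule matches first."""
    return forward([OUTBOUND, NO_NAT_TO_FW], LAPTOP, INTERFACE_IP)


def ping_after_dhcp_renewal(stale: bool) -> dict:
    """If DHCP hands out a new address, the no-NAT rule only keeps working while
    the DynDNS record (and the firewall's cached FQDN resolution) is up to date."""
    new_ip = "203.0.113.77"
    if not stale:
        DYNDNS_RECORDS["myfw.example-dyndns.invalid"] = new_ip
    result = forward([NO_NAT_TO_FW, OUTBOUND], LAPTOP, new_ip, interface_ip=new_ip)
    DYNDNS_RECORDS["myfw.example-dyndns.invalid"] = INTERFACE_IP  # restore
    return result


if __name__ == "__main__":
    for f in (ping_with_outbound_only, ping_with_no_nat_above, ping_with_no_nat_below):
        print(f.__name__, f())
    print("stale dyndns:", ping_after_dhcp_renewal(stale=True))
    print("fresh dyndns:", ping_after_dhcp_renewal(stale=False))
```

The `ping_after_dhcp_renewal` case is the practical caveat of the FQDN approach: after the ISP changes the address, the no-NAT rule silently stops matching until the DynDNS record and the firewall's FQDN refresh catch up, and the ping is dropped again with the same LAND symptom.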


All Replies
L6 Presenter

Hey,

You have configured your local IP address (private) to be allowed to send ping requests to the outside interface (with the external IP address). This won't work. Please remove your ACL entry and leave it blank. The intrazone-default policy in conjunction with the management profile will take care of your ping requests:

INT.PNG

L6 Presenter

I was thinking yesterday about this but could not explain it in the right way. Yes ping definitely fails if you are initiating a request from the internal zone. Just tested!
LAND.PNG

L4 Transporter

Thank you for the feedback! I will close this thread this week.
