How to enable Ping on ISP interface with Dynamic IP?


L4 Transporter

Hi folks,

As I continue my baby step learning, I am successfully using a PA-200 to access the internet from my internal clients.

I am now trying to understand how to enable ping (at least temporarily) on my 1/1 Untrust-L3 interface. I'd like to be able to ping it from anywhere on the web for troubleshooting and learning purposes.

I am following this article and assigning a ping enabled profile to my interface.

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Allow-Ping-and-ICMP-on-Layer-3-In...

Still unable to ping the public IP address. Am I missing a security rule for ping specifically?

Created a management profile for ping.

ping1.jpg

Assigned it to my Public interface.

ping2.jpg

The interface gets its IP from the ISP via DHCP. I am trying to ping the public IP address from my laptop, 192.168.32.13.

ping3.jpg

Accepted Solution

Cyber Elite

Pinging the external interface from an internal IP is also a little more complex than it may sound.

One of the first things that will happen is that your ping is going to hit a NAT rule as it is outbound, so it will hit your trust-to-untrust NAT rule, meaning your source IP will be changed into the interface IP.

What happens next is what makes it more tricky: your translated packet will have the same source and destination IP address, which is technically a LAND attack (because this could cause a loop where a host is constantly replying to itself), so the packet is discarded.

To fix this issue you should add a NAT policy above the outbound policy, specifically for your external IP, where you perform no NAT at all. With a static IP this is a piece of cake, as you can easily set a destination IP address; for a dynamic IP this is not possible, so you will need some sort of DynDNS service which you can add to the firewall as an FQDN object.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
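
The NAT ordering and the LAND drop described in the accepted answer, modelled in Python as an added example for this page (not code from the thread or from PAN-OS). The interface address 203.0.113.10, the internal subnet and the hostname fw.dyndns.example are constructed placeholders; zone lookup and FQDN resolution are toy stand-ins for what the firewall does.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed values: a documentation-range address stands in for the DHCP-assigned
# Untrust-L3 interface IP; the laptop address is the one from the question.
EXT_IP = "203.0.113.10"
LAPTOP = "192.168.32.13"
TRUST_NET = ipaddress.ip_network("192.168.32.0/24")

def zone_of(ip: str) -> str:
    """Toy zone lookup: the internal subnet is Trust-L3, everything else Untrust-L3."""
    return "Trust-L3" if ipaddress.ip_address(ip) in TRUST_NET else "Untrust-L3"

def resolve_fqdn(name: str) -> str:
    """Stand-in for the firewall refreshing an FQDN address object (hostname is assumed)."""
    return {"fw.dyndns.example": EXT_IP}[name]

@dataclass(frozen=True)
class NatRule:
    name: str
    from_zone: str
    to_zone: str
    dst: Optional[str] = None               # None matches any destination
    translate_src_to: Optional[str] = None  # None means no source translation

def apply_nat(src: str, dst: str, rules: list) -> tuple:
    """Evaluate the NAT rulebase top-down; the first matching rule wins."""
    for r in rules:
        zones_match = (r.from_zone, r.to_zone) == (zone_of(src), zone_of(dst))
        if zones_match and r.dst in (None, dst):
            return (r.translate_src_to or src, dst, r.name)
    return (src, dst, None)

def forward(src: str, dst: str, rules: list) -> str:
    """Apply NAT, then the LAND check: a packet whose source equals its destination is discarded."""
    new_src, new_dst, rule = apply_nat(src, dst, rules)
    if new_src == new_dst:
        return f"dropped after {rule}: src == dst ({new_src})"
    return f"forwarded after {rule}: {new_src} -> {new_dst}"

OUTBOUND = NatRule("Trust-to-Untrust", "Trust-L3", "Untrust-L3", translate_src_to=EXT_IP)
NO_NAT = NatRule("NoNAT-to-ExtIP", "Trust-L3", "Untrust-L3", dst=resolve_fqdn("fw.dyndns.example"))

if __name__ == "__main__":
    print(forward(LAPTOP, EXT_IP, [OUTBOUND]))          # dropped: source rewritten to the interface IP
    print(forward(LAPTOP, EXT_IP, [OUTBOUND, NO_NAT]))  # still dropped: the outbound rule matches first
    print(forward(LAPTOP, EXT_IP, [NO_NAT, OUTBOUND]))  # forwarded: the no-NAT rule sits above it
```

The middle case is the one to watch for in a real rulebase: the no-NAT rule only helps when it is ordered above the general outbound rule, and ordinary traffic to other public hosts still gets source-translated.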

4 REPLIES

L6 Presenter

Hey,

You have configured your local IP address (private) to be allowed to send ping requests to the outside interface (with external IP address). This won't work. Please remove your ACL entry and leave it blank. The intrazone-default policy in conjunction with the mgmt profile will take care of your ping requests:

INT.PNG


I was thinking yesterday about this but could not explain it in the right way. Yes, ping definitely fails if you are initiating a request from the internal zone. Just tested!

LAND.PNG

Thank you for the feedback! Will close this thread this week.
