04-02-2017 03:15 PM
Hi folks,
As I continue my baby step learning, I am successfully using a PA-200 to access the internet from my internal clients.
I am now trying to understand how to enable ping (at least temporarily) on my 1/1 Untrust-L3 interface. I'd like to be able to ping it from anywhere on the web for troubleshooting and learning purposes.
I am following this article and assigning a ping enabled profile to my interface.
Still unable to ping the public IP address. Am I missing a security rule for ping specifically?
Created a management profile for ping.
Assigned it to my Public interface.
Interface gets its IP from ISP via DHCP. I am trying to ping the public IP address from laptop, 192.168.32.13.
04-02-2017 03:44 PM - edited 04-02-2017 03:57 PM
Hey,
You have configured your local IP address (private) to be allowed to send ping requests to the outside interface (with the external IP address). This won't work. Please remove your ACL entry and leave it blank. The intrazone-default policy in conjunction with the mgmt profile will take care of your ping requests.
04-03-2017 02:26 AM
Pinging the external interface from an internal IP is also a little more complex than it may sound.
One of the first things that will happen is that your ping is going to hit a NAT rule as it is outbound, so it will hit your trust-to-untrust NAT rule, meaning your source IP will be changed into the interface IP.
What happens next is what makes it more tricky: your translated packet will have the same source and destination IP address, which is technically a LAND attack (because this could cause a loop where a host is constantly replying to itself), so the packet is discarded.
To fix this issue you should add a NAT policy above the outbound policy specifically for your external IP where you perform no NAT at all. With a static IP this is a piece of cake, as you can easily set a destination IP address; for a dynamic IP this is not possible, so you will need some sort of dynDNS service which you can add to the firewall as an FQDN object.
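To make the ordering argument in the reply above concrete, here is a small Python model of the flow it describes: an ordered NAT policy where the first matching rule wins, followed by a LAND check that discards any packet whose post-NAT source equals its destination. This is an added illustration, not PAN-OS code and not the poster's configuration; the addresses (203.0.113.10 as the untrust interface, 198.51.100.7 and 192.0.2.1 as outside hosts) are constructed, the laptop 192.168.32.13 is the one from the original post, and the rule names are invented. The management profile and security policy are not modelled; the point is only the NAT rule order.

```python
# Added example (not PAN-OS or the poster's configuration): a toy model of the
# NAT-then-LAND-check flow described in the reply. All addresses are constructed
# except the poster's laptop 192.168.32.13.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

PUBLIC_IP = "203.0.113.10"          # constructed: firewall's untrust interface IP
INTERNAL_NET = "192.168.32.0/24"    # the poster's internal client range
LAPTOP = "192.168.32.13"            # the laptop from the original post
OUTSIDE_HOST = "198.51.100.7"       # constructed: a host somewhere on the internet
OUTSIDE_TARGET = "192.0.2.1"        # constructed: a normal outbound ping target


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "icmp"


@dataclass(frozen=True)
class NatRule:
    name: str                        # hypothetical rule name
    src_net: str                     # source network the rule matches
    dst_net: str                     # destination network the rule matches
    translate_src_to: Optional[str]  # None means "no NAT": keep the source as-is


def apply_nat(pkt: Packet, rules: List[NatRule]) -> Tuple[Packet, Optional[str]]:
    """First matching rule wins, as in an ordered NAT policy. Returns the
    (possibly translated) packet and the name of the rule that matched."""
    for rule in rules:
        if (ip_address(pkt.src) in ip_network(rule.src_net)
                and ip_address(pkt.dst) in ip_network(rule.dst_net)):
            if rule.translate_src_to is None:
                return pkt, rule.name
            return replace(pkt, src=rule.translate_src_to), rule.name
    return pkt, None


def forward(pkt: Packet, rules: List[NatRule]) -> Tuple[str, str, Optional[str]]:
    """Run NAT, then the LAND check the reply describes: a packet whose
    post-NAT source equals its destination is discarded."""
    translated, matched = apply_nat(pkt, rules)
    if translated.src == translated.dst:
        return "drop", "LAND: source equals destination after NAT", matched
    return "allow", translated.src, matched


# Policy as the poster had it: only the outbound source-NAT rule.
OUTBOUND_ONLY = [
    NatRule("trust-to-untrust", INTERNAL_NET, "0.0.0.0/0", PUBLIC_IP),
]

# Policy with the suggested fix: a no-NAT rule for the firewall's own public
# IP placed ABOVE the outbound rule. With a dynamic address the /32 here would
# be an FQDN object rather than a literal, as the reply notes.
WITH_NO_NAT = [
    NatRule("no-nat-to-own-public-ip", INTERNAL_NET, PUBLIC_IP + "/32", None),
] + OUTBOUND_ONLY


def ping_public_ip_from_inside(rules: List[NatRule]) -> Tuple[str, str, Optional[str]]:
    return forward(Packet(LAPTOP, PUBLIC_IP), rules)


def ping_public_ip_from_outside(rules: List[NatRule]) -> Tuple[str, str, Optional[str]]:
    return forward(Packet(OUTSIDE_HOST, PUBLIC_IP), rules)


def ping_internet_from_inside(rules: List[NatRule]) -> Tuple[str, str, Optional[str]]:
    return forward(Packet(LAPTOP, OUTSIDE_TARGET), rules)


if __name__ == "__main__":
    for label, rules in (("outbound NAT only", OUTBOUND_ONLY), ("with no-NAT rule", WITH_NO_NAT)):
        print(f"[{label}]")
        print("  inside  -> public IP :", ping_public_ip_from_inside(rules))
        print("  outside -> public IP :", ping_public_ip_from_outside(rules))
        print("  inside  -> internet  :", ping_internet_from_inside(rules))
```

Running it shows the three cases side by side: with only the outbound rule, the laptop's ping to the public IP is translated to 203.0.113.10 -> 203.0.113.10 and dropped as LAND; with the no-NAT rule on top, the same ping keeps its original source and is allowed; a ping from an outside host never matches the source-NAT rule and is unaffected either way, and ordinary outbound pings still hit the trust-to-untrust rule because their destination is not the firewall's own /32.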
04-03-2017 02:41 AM
I was thinking yesterday about this but could not explain it in the right way. Yes, ping definitely fails if you are initiating a request from the internal zone. Just tested!
04-04-2017 11:07 AM
Thank you for the feedback! Will close this thread this week.