Ubuntu connected with PA firewall (AWS instance) trusted network can't ping untrusted network

Susan_Avxt
L1 Bithead


[attached screenshot]

My PA-VM is an AWS EC2 instance running software version 10.0.2.

10.20.10.0/24 is the VPC's public subnet and 10.20.61.0/24 is the VPC's private subnet. Ubuntu 10.20.61.81 can ping 10.20.61.61, but can't ping the 10.20.10.0/24 network.

Ubuntu 10.60.0.100 can ping 10.20.61.61, but can't ping 10.20.61.81. I have allowed 10.60.0.0/24 in the ubuntu10_20_61_81 Security Group.

What am I missing in the configuration?


Accepted Solutions
Susan_Avxt
L1 Bithead

I found the issue. I need to set "Change Source/Dest. Check" to disabled on the Network Interfaces.



All Replies
laurence64
L2 Linker

Difficult one to see without looking at the configurations; firstly I would check:

  1. Routing (both sides)
  2. Rules (both sides)
  3. Zone configuration

I am happy to help should you need any further assistance.

PCCSA PCNSA PCNSE
Susan_Avxt
L1 Bithead

Thanks, Laurence64.

Following is the information.

PA-VM side:

Routing:

min@PA-VM> show routing route
VIRTUAL ROUTER: vr1 (id 1)
==========
flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp,
destination nexthop metric flags age interface next-AS
0.0.0.0/0 10.20.10.1 10 A S ethernet1/1
10.20.0.0/16 10.20.61.61 10 A S ethernet1/2
10.20.10.0/24 10.20.10.50 0 A C ethernet1/1
10.20.10.50/32 0.0.0.0 0 A H
10.20.61.0/24 10.20.61.61 0 A C ethernet1/2
10.20.61.61/32 0.0.0.0 0 A H
10.60.0.0/24 0.0.0.0 10 A S tunnel.1
total routes shown: 7

Rule: I have permitall

[attached screenshot of the security policy]

Zone:

[attached screenshot of the zone configuration]

Ubuntu side:

Routing:

ubuntu@ip-10-20-61-81:~$ ip route
default via 10.20.61.1 dev eth0 proto dhcp src 10.20.61.81 metric 100
10.20.61.0/24 dev eth0 proto kernel scope link src 10.20.61.81
10.20.61.1 dev eth0 proto dhcp scope link src 10.20.61.81 metric 100

ubuntu@ip-10-20-61-81:~$ sudo iptables -L -v -n
Chain INPUT (policy ACCEPT 102 packets, 8410 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 95 packets, 8894 bytes)
pkts bytes target prot opt in out source destination
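To see what the posted firewall routing table implies for the two failing pings, here is an added Python example (not part of this post or of PAN-OS) that parses the "show routing route" output quoted above, does a longest-prefix-match lookup, and reports which firewall interface a flow is expected to enter on and which it leaves on. The route lines are taken verbatim from the post; the token handling (single-letter flags followed by an optional interface name) is my assumption about the output format.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The "show routing route" output from the post, legend line included.
# Only the route lines are parsed; header, legend and summary are skipped.
PAN_ROUTE_OUTPUT = """\
VIRTUAL ROUTER: vr1 (id 1)
==========
flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp,
destination nexthop metric flags age interface next-AS
0.0.0.0/0 10.20.10.1 10 A S ethernet1/1
10.20.0.0/16 10.20.61.61 10 A S ethernet1/2
10.20.10.0/24 10.20.10.50 0 A C ethernet1/1
10.20.10.50/32 0.0.0.0 0 A H
10.20.61.0/24 10.20.61.61 0 A C ethernet1/2
10.20.61.61/32 0.0.0.0 0 A H
10.60.0.0/24 0.0.0.0 10 A S tunnel.1
total routes shown: 7
"""

# Single-character route flags from the legend line; any other token after
# the metric is taken to be the egress interface (assumption about the format).
FLAG_TOKENS = set("A?CHS~ROB")


@dataclass
class Route:
    destination: ipaddress.IPv4Network
    nexthop: str
    metric: int
    flags: str
    interface: Optional[str]  # host (H) routes list no interface


def parse_routes(text: str) -> List[Route]:
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        # Route lines start with a CIDR prefix; everything else is skipped.
        if len(tokens) < 4 or "/" not in tokens[0]:
            continue
        dest = ipaddress.ip_network(tokens[0], strict=False)
        nexthop, metric = tokens[1], int(tokens[2])
        rest = tokens[3:]
        interface = None
        if rest[-1] not in FLAG_TOKENS:
            interface = rest.pop()
        routes.append(Route(dest, nexthop, metric, "".join(rest), interface))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match over active routes; lowest metric breaks ties."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if "A" in r.flags and addr in r.destination]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.destination.prefixlen, -r.metric))


def path(routes: List[Route], src: str, dst: str) -> Tuple[Optional[str], Optional[str]]:
    """(ingress interface, egress interface) for a flow src -> dst.
    Ingress is the interface the route back toward src uses, which is also
    what the zone lookup and the reply traffic depend on."""
    ingress, egress = lookup(routes, src), lookup(routes, dst)
    return (ingress.interface if ingress else None,
            egress.interface if egress else None)


if __name__ == "__main__":
    table = parse_routes(PAN_ROUTE_OUTPUT)
    for src, dst in (("10.20.61.81", "10.20.10.5"), ("10.60.0.100", "10.20.61.81")):
        ingress, egress = path(table, src, dst)
        print(f"{src} -> {dst}: enters on {ingress}, leaves on {egress}")
```

Both failing flows cross from one firewall interface to another (ethernet1/2 to ethernet1/1, and tunnel.1 to ethernet1/2), so zone-to-zone policy matters, and the reply must come back through the same firewall interfaces. Note also that the Ubuntu host's default route points at 10.20.61.1, the VPC router, not at the firewall's 10.20.61.61; whether a packet for 10.20.10.0/24 reaches the firewall at all is therefore decided by the VPC subnet route table, and AWS will only let an ENI forward traffic on another host's behalf when that ENI's source/destination check is off.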



laurence64
L2 Linker

Hi,

Many apologies for the massive delay in getting back to you over this. Indeed, yes, you have to remove the src/dest check in AWS; glad you found the issue.

PCCSA PCNSA PCNSE
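The source/destination check is a per-ENI attribute, so it has to be disabled on every dataplane interface the firewall forwards through (here the ENIs holding 10.20.10.50 on ethernet1/1 and 10.20.61.61 on ethernet1/2); the Ubuntu host's own ENI and the firewall's management ENI do not forward for other hosts and can keep it on. The following added Python example (my code, not from the thread or from AWS) audits a list of interface descriptions for that condition and prints the AWS CLI command that would fix each one. The input is a constructed sample in the shape of the NetworkInterfaces list returned by "aws ec2 describe-network-interfaces"; the ENI ids and the management address are placeholders, and the two dataplane addresses come from the posted routing table.

```python
from typing import Dict, Iterable, List, Set

# Constructed sample in the shape of the NetworkInterfaces list returned by
# "aws ec2 describe-network-interfaces" (boto3: describe_network_interfaces),
# trimmed to the keys used here. ENI ids and the management address are
# placeholders; the dataplane addresses come from the posted routing table.
SAMPLE_ENIS: List[Dict] = [
    {"NetworkInterfaceId": "eni-PLACEHOLDER-mgmt", "PrivateIpAddress": "10.20.10.20",
     "SourceDestCheck": True, "Description": "PA-VM management"},
    {"NetworkInterfaceId": "eni-PLACEHOLDER-untrust", "PrivateIpAddress": "10.20.10.50",
     "SourceDestCheck": True, "Description": "PA-VM ethernet1/1"},
    {"NetworkInterfaceId": "eni-PLACEHOLDER-trust", "PrivateIpAddress": "10.20.61.61",
     "SourceDestCheck": False, "Description": "PA-VM ethernet1/2"},
    {"NetworkInterfaceId": "eni-PLACEHOLDER-ubuntu", "PrivateIpAddress": "10.20.61.81",
     "SourceDestCheck": True, "Description": "ubuntu host"},
]

# Addresses the firewall forwards through (ethernet1/1 and ethernet1/2 in the
# posted "show routing route" output). Management and ordinary hosts do not
# forward on behalf of others and should keep the check enabled.
FIREWALL_DATAPLANE_IPS: Set[str] = {"10.20.10.50", "10.20.61.61"}


def enis_needing_fix(enis: Iterable[Dict], dataplane_ips: Set[str]) -> List[Dict]:
    """ENIs that carry forwarded traffic but still have SourceDestCheck on.

    With the check enabled, AWS drops packets the ENI sends or receives whose
    source or destination is not the ENI's own address, which is exactly what
    a firewall's dataplane interfaces do for every transit flow."""
    return [
        eni for eni in enis
        if eni["PrivateIpAddress"] in dataplane_ips
        and eni.get("SourceDestCheck", True)
    ]


def remediation_commands(enis: Iterable[Dict]) -> List[str]:
    """One AWS CLI command per ENI; returned for review, not executed here."""
    return [
        "aws ec2 modify-network-interface-attribute "
        f"--network-interface-id {eni['NetworkInterfaceId']} --no-source-dest-check"
        for eni in enis
    ]


if __name__ == "__main__":
    for cmd in remediation_commands(enis_needing_fix(SAMPLE_ENIS, FIREWALL_DATAPLANE_IPS)):
        print(cmd)
```

On the sample only the untrust ENI is flagged: the trust ENI already has the check off, and the management and Ubuntu ENIs are not dataplane addresses. Against a real account the same filter can be run over the output of "aws ec2 describe-network-interfaces", and the check should be re-verified after any ENI is replaced, since a new interface is created with the check enabled.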