12-15-2020 11:09 PM
My PA-VM is an AWS EC2 instance using software version 10.0.2.
10.20.10/24 is the VPC's public subnet, 10.20.61/24 is the VPC's private subnet. Ubuntu 10.20.61.81 can ping 10.20.61.61, but can't ping the 10.20.10.0/24 network.
Ubuntu 10.60.0.100 can ping 10.20.61.61, but can't ping 10.20.61.81. I have allowed 10.60.0.0/24 in the ubuntu10_20_61_81 Security Group.
What am I missing in the configuration?
12-16-2020 01:09 AM
Difficult one to see without looking at the configurations, firstly I would check.
Am happy to help should you need any further assistance.
12-16-2020 09:54 AM
Thanks, Laurence64.
Following is the information.
PA-VM side:
routing
min@PA-VM> show routing route
VIRTUAL ROUTER: vr1 (id 1)
==========
flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp,
destination nexthop metric flags age interface next-AS
0.0.0.0/0 10.20.10.1 10 A S ethernet1/1
10.20.0.0/16 10.20.61.61 10 A S ethernet1/2
10.20.10.0/24 10.20.10.50 0 A C ethernet1/1
10.20.10.50/32 0.0.0.0 0 A H
10.20.61.0/24 10.20.61.61 0 A C ethernet1/2
10.20.61.61/32 0.0.0.0 0 A H
10.60.0.0/24 0.0.0.0 10 A S tunnel.1
total routes shown: 7
Rule: I have permitall
Zone:
Ubuntu side
routing
ubuntu@ip-10-20-61-81:~$ ip route
default via 10.20.61.1 dev eth0 proto dhcp src 10.20.61.81 metric 100
10.20.61.0/24 dev eth0 proto kernel scope link src 10.20.61.81
10.20.61.1 dev eth0 proto dhcp scope link src 10.20.61.81 metric 100
ubuntu@ip-10-20-61-81:~$ sudo iptables -L -v -n
Chain INPUT (policy ACCEPT 102 packets, 8410 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 95 packets, 8894 bytes)
pkts bytes target prot opt in out source destination
12-16-2020 09:49 PM
I found the issue. I need to set "Change Source/Dest. Check" to disabled on the Network Interfaces.
01-05-2021 12:34 PM
Hi
Many apologies for the massive delay in getting back to you over this. Indeed, yes, you have to remove the src/dest check in AWS. Glad you found the issue.
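Why the symptoms in this thread match the source/destination check, as an added example that is not part of any post: a small Python model of the check applied to each network interface a packet crosses. The addresses come from the posts; the interface names and the lists of interfaces crossed are assumptions made for the illustration.

```python
import copy

# Constructed model of the interfaces in the thread. Addresses are from the
# posts; the names and the default "check enabled" state are assumptions.
ENIS = {
    "fw-eth1/1": {"ip": "10.20.10.50", "source_dest_check": True},
    "fw-eth1/2": {"ip": "10.20.61.61", "source_dest_check": True},
    "ubuntu-eth0": {"ip": "10.20.61.81", "source_dest_check": True},
}


def eni_passes(eni, src, dst):
    """With the check enabled, an interface only carries traffic for which
    it is itself the source or the destination."""
    if not eni["source_dest_check"]:
        return True
    return eni["ip"] in (src, dst)


def path_ok(src, dst, crossed, enis=ENIS):
    """Return (ok, blocking_interface) for a packet crossing `crossed` in order."""
    for name in crossed:
        if not eni_passes(enis[name], src, dst):
            return False, name
    return True, None


def with_check_disabled(names, enis=ENIS):
    """Copy of the model with the check disabled on the named interfaces."""
    fixed = copy.deepcopy(enis)
    for name in names:
        fixed[name]["source_dest_check"] = False
    return fixed


if __name__ == "__main__":
    # Ping to the firewall's own address: the firewall interface is the destination.
    print(path_ok("10.20.61.81", "10.20.61.61", ["ubuntu-eth0", "fw-eth1/2"]))
    # Forwarded from tunnel.1 out ethernet1/2: the firewall is neither end.
    forwarded = ("10.60.0.100", "10.20.61.81", ["fw-eth1/2", "ubuntu-eth0"])
    print(path_ok(*forwarded))
    # Only the forwarding device's interfaces need the check disabled.
    fw_fixed = with_check_disabled(["fw-eth1/1", "fw-eth1/2"])
    print(path_ok(*forwarded, enis=fw_fixed))
```

The Ubuntu interface keeps the check enabled in the fixed model because it is the real destination of the forwarded packet.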