@aleksandar.astardzhiev I was looking again at your screenshots and, for me, the route, NAT and rule on the Palo Alto are fine. This means you should see at least the "pkt encap" counter increase in the details for phase 2.

---> I made a few changes in the security policy and NAT rule. PSB NAT rule: I am initiating traffic from both ends, so I configured the rule below.

If you try to send a ping from the DMZ network behind the Palo Alto: do you see traffic logs? Can you show the details? What about the "pkt encap" counter, does it increase?

--> I don't see any packet encap/decap counter increasing, so first I checked whether the PA can reach the DMZ server or not, and yes, it is able to ping.

admin@SITE-B-FIREWALL> ping source 172.16.4.254 host 172.16.4.10
PING 172.16.4.10 (172.16.4.10) from 172.16.4.254 : 56(84) bytes of data.
64 bytes from 172.16.4.10: icmp_seq=1 ttl=64 time=0.916 ms
64 bytes from 172.16.4.10: icmp_seq=2 ttl=64 time=0.827 ms
64 bytes from 172.16.4.10: icmp_seq=3 ttl=64 time=0.902 ms
64 bytes from 172.16.4.10: icmp_seq=4 ttl=64 time=1.00 ms
64 bytes from 172.16.4.10: icmp_seq=5 ttl=64 time=0.715 ms
^C
--- 172.16.4.10 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4001ms
rtt min/avg/max/mdev = 0.715/0.873/1.008/0.103 ms

While I was pinging from the DMZ server (172.16.4.10) to the NAT IP of the CP side (10.168.1.1), which I was unable to ping, I don't see any packet encap/decap counter increasing, nor any security logs either. Do I need to reconfigure the NAT rule if the packet encap counter is not increasing?