Here are the rules I have now, in this order:

1. src-zone: Wifi --> dst-zone: Remote, any source IP, any destination IP, any service, any application, allow (no profile)
2. src-zone: Remote --> dst-zone: Wifi, any source IP, any destination IP, any service, any application, allow (no profile)
3. src-zone: External --> dst-zone: External, <PAN public IP>, <Cisco Public IP>, any service, any application, allow (no profile)
4. src-zone: Wifi --> dst-zone: External, any source IP, any destination IP, any service, any application, allow (no profile)
5. src-zone: any --> dst-zone: any, any source IP, any destination IP, any service, any application, Deny (no profile)

What I'm seeing:

- From a client behind the Cisco, I can ping the PAN's inside IP (172.168.1.1) but not a client behind the PAN (172.168.1.10).
- From a client behind the PAN, I can't ping the Cisco internal IP (10.5.1.1, which is pingable from internal) or the client behind it (10.5.1.25).
- tracert from behind the PAN goes outside (both by looking at IPs and from checking the traffic log on the PAN).
- traceroute from behind the Cisco never completes, but doesn't go outside.
- Ping from behind the Cisco to the PAN logs as the Remote-to-Wifi rule in the PAN.
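The post describes symptoms (tracert from the PAN side exits to the internet, the reply direction hits Remote-to-Wifi) that a small model of how a zone-based firewall evaluates traffic can reproduce. The example below is added here and is not code from the post, from Palo Alto Networks or from Cisco. It models the five rules in the order given, derives the destination zone from a longest-prefix route lookup, and then applies the rules top-down, first match wins. The routing tables, interface names (ethernet1/1, ethernet1/2, tunnel.1), the public IPs (documentation-range placeholders) and the idea that a static route for 10.5.1.0/24 towards the tunnel interface is what puts that traffic into the Remote zone are all assumptions made for the example, not facts from the post.

```python
import ipaddress

# Constructed example: the five rules from the post, in the same order.
# Public IPs are placeholders from documentation ranges, not real addresses.
PAN_PUBLIC = "198.51.100.1"
CISCO_PUBLIC = "203.0.113.1"

RULES = [
    {"name": "Wifi-to-Remote",       "src_zone": "Wifi",     "dst_zone": "Remote",
     "src": "any",              "dst": "any",                "action": "allow"},
    {"name": "Remote-to-Wifi",       "src_zone": "Remote",   "dst_zone": "Wifi",
     "src": "any",              "dst": "any",                "action": "allow"},
    {"name": "External-to-External", "src_zone": "External", "dst_zone": "External",
     "src": PAN_PUBLIC + "/32", "dst": CISCO_PUBLIC + "/32", "action": "allow"},
    {"name": "Wifi-to-External",     "src_zone": "Wifi",     "dst_zone": "External",
     "src": "any",              "dst": "any",                "action": "allow"},
    {"name": "Deny-all",             "src_zone": "any",      "dst_zone": "any",
     "src": "any",              "dst": "any",                "action": "deny"},
]

# Assumed routing tables: (prefix, egress interface, zone of that interface).
# The first has only the connected LAN plus a default route; the second adds a
# static route for the Cisco-side LAN pointing at the tunnel interface.
ROUTES_NO_TUNNEL = [
    ("172.168.1.0/24", "ethernet1/2", "Wifi"),
    ("0.0.0.0/0",      "ethernet1/1", "External"),
]
ROUTES_WITH_TUNNEL = ROUTES_NO_TUNNEL + [
    ("10.5.1.0/24",    "tunnel.1",    "Remote"),
]


def lookup_route(dst_ip, routes):
    """Longest-prefix match; returns (interface, zone) or None when nothing fits."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, iface, zone in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, zone)
    return None if best is None else (best[1], best[2])


def _addr_match(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)


def _zone_match(spec, zone):
    return spec == "any" or spec == zone


def evaluate(src_zone, src_ip, dst_ip, routes):
    """Resolve the destination zone from the route lookup, then walk the
    rulebase top-down; first match wins. Returns (action, rule name, dst zone)."""
    route = lookup_route(dst_ip, routes)
    if route is None:
        return ("drop", "no-route", None)
    _, dst_zone = route
    for rule in RULES:
        if (_zone_match(rule["src_zone"], src_zone)
                and _zone_match(rule["dst_zone"], dst_zone)
                and _addr_match(rule["src"], src_ip)
                and _addr_match(rule["dst"], dst_ip)):
            return (rule["action"], rule["name"], dst_zone)
    return ("deny", "implicit-deny", dst_zone)


if __name__ == "__main__":
    # PAN-side client (172.168.1.10) pinging the Cisco-side client (10.5.1.25),
    # once without and once with a route for 10.5.1.0/24 via the tunnel.
    for label, routes in (("no tunnel route  ", ROUTES_NO_TUNNEL),
                          ("with tunnel route", ROUTES_WITH_TUNNEL)):
        print(label, evaluate("Wifi", "172.168.1.10", "10.5.1.25", routes))
    # Reply direction: packet arriving on the tunnel (zone Remote) for the PAN LAN.
    print("reply            ", evaluate("Remote", "10.5.1.25", "172.168.1.10", ROUTES_WITH_TUNNEL))
```

With only a default route, 10.5.1.25 resolves to the External zone and the packet is allowed by Wifi-to-External, which is exactly a trace that "goes outside" and a traffic log showing that rule rather than Wifi-to-Remote. Once a more specific route sends 10.5.1.0/24 to the tunnel interface, the same packet lands in Remote and matches the first rule. The rulebase order alone never selects the tunnel; the zone comes from the route lookup, so checking the PAN's route for the Cisco LAN and the zone assigned to the tunnel interface is the first thing to verify.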