  scaredoftests (Senior Member)
    Join Date
    Dec 2013
    Location
    behind you!
    Posts
    2,051

    Certifications
    ACAS,Comp TIA Security +, Novell CNE, HDI Customer Service, ITIL Foundation, MTA
    #1

    Site to Site VPN issue (Palo Alto to Cisco ASA)

    Wondering if anyone has had experience with this issue. We have been trying to set up a VPN (site to site) from a Palo Alto to a Cisco ASA. The tunnel is up but we can't ping externally to off-site. We have the policies in place. We are scratching our heads... any advice?
    Never let your fear decide your fate....

  Senior Member
    Join Date
    Jul 2016
    Posts
    315

    Certifications
    CCNA R&S
    #2
    Can you ping the tunnel endpoint?

  Iristheangel (ABL - Always Be Labbin')
    Join Date
    Dec 2009
    Location
    Pasadena, CA
    Posts
    3,727

    Certifications
    CISSP, CCIE DC, CCNP R&S/DC, CCDP, CCNA:RS/S/V/DC, CCDA, BCVRE, BCEFP, BCNE, CEH, CHFI, MCSE:S, MCDST, A/S/L/P/N+, some useless Citrix and CIW certs
    #3
    @Welly - there's no tunnel like a tunnel interface. They can test IP reachability from the physical interface point of view for the outside interface but that's it.

    I can't help from a PAN point of view, but how do the proxy IDs look on the ASA? You didn't send blanket 0.0.0.0/0 proxy IDs over, did you? Are the subnets that are being shared looking good? Did both ISAKMP and IPsec come up correctly? Have you done a debug of both for the tunnel? Have you enabled logging on the ASA and checked what's happening?
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
    Bonus TE Fun: Nerd Photos

  scaredoftests (Senior Member)
    Join Date
    Dec 2013
    Location
    behind you!
    Posts
    2,051

    Certifications
    ACAS,Comp TIA Security +, Novell CNE, HDI Customer Service, ITIL Foundation, MTA
    #4
    We don't have access to the ASA. It is at another site.
    Our IPsec tunnel is up. We used to be able to ping their external network. Last week that all changed and we can't ping them. The people we need to talk to were on vacation all week. Now we can't ping and it just hangs. I contacted Palo Alto and they said if our tunnel is up, then it is on the ASA side. I guess we will find out Tuesday when we are all back from the holiday...
    Never let your fear decide your fate....

  Member
    Join Date
    Feb 2014
    Posts
    98

    Certifications
    CCNA:R&S/Security, ITIL:F, MCSA: Windows Server 2016
    #5
    Why are you trying to ping their external network? In order to test tunnel connectivity you should try to connect from your private subnet to the remote subnet on the ASA's end. Ping may not work if ICMP inspection is turned off on the ASA end. Can you try RDP or an http/https page on the remote subnet?

  scaredoftests (Senior Member)
    Join Date
    Dec 2013
    Location
    behind you!
    Posts
    2,051

    Certifications
    ACAS,Comp TIA Security +, Novell CNE, HDI Customer Service, ITIL Foundation, MTA
    #6
    The ASA end had ACLs that were blocking us. We can ping each other.
    Never let your fear decide your fate....
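Added example, not from any of the posts above: a small Python script that reads the per-SA section of the ASA's `show crypto ipsec sa` output and mechanically applies two of the checks Iristheangel lists in #3 (blanket 0.0.0.0/0 proxy IDs, and whether packets are actually flowing both ways), and which also spots the failure mode that turned out to be the answer in #6. When an interface ACL on the ASA drops the peer's traffic after decryption, the SA still shows as up but the counters go one-directional: decaps climb while encaps stay at zero, because no reply ever leaves. The sample output is constructed to resemble the ASA layout; the crypto map name, peer addresses, subnets (RFC 5737 and RFC 1918 ranges) and counter values are assumptions, not values from the thread.

```python
"""Parse ASA 'show crypto ipsec sa' output and flag proxy-ID and
one-directional traffic problems on an IPsec SA that reports as up.

Added example; not code from the thread or from Cisco/Palo Alto.
"""
import re

# Constructed sample modelled on the layout of ASA 'show crypto ipsec sa'.
# Names, peers, subnets and counters are assumptions for illustration.
# seq 10 is a healthy SA; seq 20 decrypts traffic but never sends a reply,
# the pattern an ACL drop behind the tunnel produces.
SAMPLE_SHOW_CRYPTO_IPSEC_SA = """\
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 203.0.113.10

      access-list outside_cryptomap extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0
      local ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.20.0.0/255.255.0.0/0/0)
      current_peer: 198.51.100.20

      #pkts encaps: 2310, #pkts encrypt: 2310, #pkts digest: 2310
      #pkts decaps: 2298, #pkts decrypt: 2298, #pkts verify: 2298

    Crypto map tag: outside_map, seq num: 20, local addr: 203.0.113.10

      access-list outside_cryptomap extended permit ip 10.10.0.0 255.255.0.0 10.30.0.0 255.255.0.0
      local ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.30.0.0/255.255.0.0/0/0)
      current_peer: 198.51.100.30

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 412, #pkts decrypt: 412, #pkts verify: 412
"""

# One block per crypto-map entry: from 'Crypto map tag:' up to the next one.
BLOCK_RE = re.compile(r"Crypto map tag:.*?(?=\n\s*Crypto map tag:|\Z)", re.S)
SEQ_RE = re.compile(r"Crypto map tag: ([^,]+), seq num: (\d+)")
IDENT_RE = re.compile(
    r"^\s*(local|remote) ident \(addr/mask/prot/port\): "
    r"\(([\d.]+)/([\d.]+)/(\d+)/(\d+)\)",
    re.MULTILINE,
)
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")

BLANKET = "0.0.0.0/0.0.0.0"


def parse_sas(text):
    """Return one dict per SA: map, seq, local/remote proxy IDs, counters."""
    sas = []
    for block in BLOCK_RE.finditer(text):
        b = block.group(0)
        m = SEQ_RE.search(b)
        sa = {"map": m.group(1), "seq": int(m.group(2)),
              "local": None, "remote": None, "encaps": 0, "decaps": 0}
        for side, addr, mask, _proto, _port in IDENT_RE.findall(b):
            sa[side] = f"{addr}/{mask}"
        enc, dec = ENCAPS_RE.search(b), DECAPS_RE.search(b)
        sa["encaps"] = int(enc.group(1)) if enc else 0
        sa["decaps"] = int(dec.group(1)) if dec else 0
        sas.append(sa)
    return sas


def diagnose(sa):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    for side in ("local", "remote"):
        if sa[side] is None or sa[side] == BLANKET:
            findings.append(f"{side} proxy ID is blanket 0.0.0.0/0 or missing; "
                            "narrow it to the subnets actually shared")
    if sa["encaps"] > 0 and sa["decaps"] == 0:
        findings.append("sending but no return traffic: the far side is "
                        "dropping it or has no route/NAT back into the tunnel")
    elif sa["decaps"] > 0 and sa["encaps"] == 0:
        findings.append("receiving but no reply sent: traffic decrypts here and "
                        "is dropped before a reply is built (interface ACL, "
                        "vpn-filter, route or NAT on this side)")
    elif sa["encaps"] == 0 and sa["decaps"] == 0:
        findings.append("SA up with zero packets either way: the crypto ACL / "
                        "proxy IDs do not match the traffic being tested")
    return findings


if __name__ == "__main__":
    for sa in parse_sas(SAMPLE_SHOW_CRYPTO_IPSEC_SA):
        label = f"{sa['map']} seq {sa['seq']} ({sa['local']} <-> {sa['remote']})"
        print(label, "encaps", sa["encaps"], "decaps", sa["decaps"])
        for f in diagnose(sa) or ["ok"]:
            print("   ", f)
```

Two caveats when reading the result on a real ASA. With `sysopt connection permit-vpn` left at its default, traffic that arrives through the tunnel bypasses the outside interface ACL but is still subject to any `vpn-filter` on the group policy and to ACLs on the interface it exits, so a "decaps but no encaps" SA is not cleared by checking the outside ACL alone; the actual drop is logged as a `%ASA-4-106023` deny if logging is enabled, which is the log check suggested in #3. And the counters only rise for traffic that matches the crypto ACL / proxy IDs, so a zero/zero SA with pings from the wrong source subnet is a policy mismatch, not a dead tunnel.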
