Beginner

Re: Site to Site IPSEC Tunnel between ASA5510 and Palo Alto 820

10.16.40.199 lives on interface DMZ-2 off of the ASA.


If I understand you correctly, you're saying I might need an access-list permitting traffic into dmz-2 from palo_vpn, right? Well, I do have an acl for this that permits anything...

Beginner

Re: Site to Site IPSEC Tunnel between ASA5510 and Palo Alto 820

I think you have an access-list applied on the DMZ-2 interface in the "in" direction.

Can you check that as well?

Is there any VPN filter configured?


HTH

Beginner

Re: Site to Site IPSEC Tunnel between ASA5510 and Palo Alto 820

Hmm, there is no rule with a source of DMZ-2 to Palo_VPN. Are you implying one is required?


I'm not familiar with ASA VPN filters. How would I check for this? Thank you.

Beginner

Re: Site to Site IPSEC Tunnel between ASA5510 and Palo Alto 820

Here are the rules under the "site-to-site" ACL manager:

Beginner

Re: Site to Site IPSEC Tunnel between ASA5510 and Palo Alto 820

If there is no rule, then why did your earlier image show a drop in the "in" direction on the DMZ-2 interface?

ANOTHERDENIAL.JPEG


This means that traffic originating from 10.16.40.199 coming into DMZ-2 is denied.


Can you check whether there is any ACL applied to DMZ-2 in the inbound direction?


To be clear, the ASA works with interface-based ACLs in the IN/OUT direction, not with zone pairs like other vendors.


HTH
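Added example (not from any poster in this thread): the ASA CLI checks that answer both open questions above, which ACL is bound inbound on DMZ-2 and whether a VPN filter is attached to the tunnel's group-policy, plus a minimal interface-based ACL binding of the kind the ASA uses. Interface name DMZ-2 and host 10.16.40.199 are taken from the thread; the ACL name DMZ2_IN, the group-policy name, and the REMOTE_HOST / REMOTE_NET values are placeholders.

```cisco
! --- Inspection: run from enable mode ---
! Lists every ACL bound to an interface and its direction (in/out).
! This is where an inbound ACL on DMZ-2 would show up.
show running-config access-group

! Per-ACE hit counts for the ACL bound to DMZ-2 (name DMZ2_IN is assumed);
! a climbing deny counter identifies the line dropping 10.16.40.199.
show access-list DMZ2_IN

! A VPN filter appears as "vpn-filter value <acl-name>" under the
! group-policy used by the tunnel-group for the Palo Alto peer.
show running-config group-policy
show running-config tunnel-group

! Whether decrypted tunnel traffic bypasses interface ACLs (sysopt connection
! permit-vpn); "all" shows the default even when it is not explicitly set.
show running-config all sysopt

! Simulate the host's own traffic toward the far side to see which rule
! (interface ACL, VPN filter, or crypto map) drops it. REMOTE_HOST is a placeholder.
packet-tracer input DMZ-2 tcp 10.16.40.199 12345 REMOTE_HOST 443 detailed

! --- Configuration shape: interface ACL, applied per interface and direction ---
! The ASA evaluates this ACL on packets entering DMZ-2, regardless of which
! interface or tunnel they leave through. REMOTE_NET / REMOTE_MASK are placeholders.
access-list DMZ2_IN extended permit ip host 10.16.40.199 REMOTE_NET REMOTE_MASK
access-group DMZ2_IN in interface DMZ-2
```

The point of the last two lines is the one made above: the ASA binds an ACL to an interface and a direction, so traffic sourced from 10.16.40.199 is checked by whatever ACL is bound "in" on DMZ-2 before it ever reaches the crypto map, and a VPN filter (if present) is checked on top of that.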

Beginner

Re: Site to Site IPSEC Tunnel between ASA5510 and Palo Alto 820

I'm a little confused.

Traffic wouldn't originate from 10.16.40.199 and be destined for DMZ-2 because 10.16.40.199 is in DMZ-2.

I believe the rule in my last snapshot would permit traffic into DMZ-2.


I understand. Thanks for the clarification.