10.16.40.199 lives on interface DMZ-2 off of the ASA.
If I understand you correctly, you're saying I might need an access-list permitting traffic into DMZ-2 from Palo_VPN, right? Well, I do have an ACL for this that permits anything...
I think you have an access-list applied on the DMZ-2 interface in the in direction.
Can you check that as well?
Is there any VPN filter configured?
Hmm, there is no rule with a source of DMZ-2 to Palo_VPN. Are you implying one is required?
I'm not familiar with ASA vpn-filters. How would I check for this? Thank you.
If there is no rule, then why did your earlier image show a drop in the in direction on the DMZ-2 interface?
This means that traffic originating from 10.16.40.199 coming into DMZ-2 is denied.
Can you check whether there is any ACL applied to DMZ-2 in the inbound direction?
To be clear, the ASA works with per-interface ACLs in the in/out direction, not with zone pairs like other vendors.
I'm a little confused.
Traffic wouldn't originate from 10.16.40.199 and be destined for DMZ-2 because 10.16.40.199 is in DMZ-2.
I believe the rule in my last snapshot would permit traffic into DMZ-2.
I understand. Thanks for the clarification.
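The checks the thread is circling around, written out as an added example that is not part of the original posts: how to see which ACL is bound to DMZ-2 and in which direction, whether a vpn-filter is in play, and how to make the ASA tell you which stage drops the flow. The ACL and group-policy names, the remote VPN network 192.0.2.0/24, the /24 mask on the DMZ-2 subnet and the destination 192.0.2.10:443 are all assumptions; substitute your own.

```text
! Added example, not from the thread. Object names, the remote VPN network
! 192.0.2.0/24, the 10.16.40.0/24 mask and the destination 192.0.2.10:443
! are assumptions.

! 1. Which ACL is bound to DMZ-2 and in which direction. On the ASA, "in"
!    means packets arriving at the ASA from hosts on that interface, so a
!    flow sourced from 10.16.40.199 is evaluated by the DMZ-2 "in" ACL,
!    not by an ACL on the interface the traffic leaves through.
show running-config access-group
!   access-group DMZ-2_access_in in interface DMZ-2    (assumed ACL name)

! 2. Does that ACL permit the flow? hitcnt on each line shows what matched,
!    including the implicit deny at the end.
show access-list DMZ-2_access_in

! 3. Is a vpn-filter set anywhere? It can live on the group-policy or on an
!    individual username, and it is enforced in addition to the interface
!    ACL. A vpn-filter ACL is written with the remote (tunnel) side as the
!    source and the local network as the destination; the ASA applies it to
!    both directions of the tunnel, so one written the other way round
!    matches nothing and the tunnel traffic hits the implicit deny.
show running-config all group-policy | include vpn-filter
show running-config username | include vpn-filter
!   A correctly oriented filter would look like this (assumed names/networks):
!   access-list PALO_VPN_FILTER extended permit ip 192.0.2.0 255.255.255.0 10.16.40.0 255.255.255.0
!   group-policy GP_PALO_VPN attributes
!    vpn-filter value PALO_VPN_FILTER

! 4. Simulate the exact flow from 10.16.40.199 and read which phase reports
!    DROP (ACCESS-LIST, VPN-FILTER, NAT, ...) instead of guessing.
packet-tracer input DMZ-2 tcp 10.16.40.199 12345 192.0.2.10 443 detailed
```

If step 4 drops in the ACCESS-LIST phase, the interface ACL named in step 1 is the one to fix; if it drops in VPN-FILTER, the filter from step 3 is the culprit even though the interface ACL permits everything.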