Cisco-PA on GNS3

Johnson_Mo
Level 1

I am trying to get more familiar with Palo Alto version 9.0... I downloaded it on GNS3 and am trying to build up a site-to-site VPN with a Cisco 7200. When I connect the Cisco 7200 to the PA on the same subnet, both sides cannot ping each other. On the PA side, I enabled ping by adding the interface to a profile and enabling ping. I know the FW has ICMP disabled by default, but do I need an access-list to allow ICMP on the Cisco even though it is on the same network as the PA?

thank you 

4 Replies

Hi @Johnson_Mo 

A Cisco device, except a firewall, does not require permission for ICMP. You can test it by adding another 7200 to the topology and pinging each other.

Hi @Flavio Miranda,

Thanks for the quick response! Yes, we do not need to enable ICMP when we have similar FWs. I am talking about Palo Alto-Cisco. I was wondering if anyone has configured PA-Cisco before on the same subnet.

Settings on the PA interface:

admin@PA-VM> show interface ethernet1/1

--------------------------------------------------------------------------------
Name: ethernet1/1, ID: 16
Link status:
Runtime link speed/duplex/state: 10000/full/up
Configured link speed/duplex/state: auto/auto/auto
MAC address:
Port MAC address 0c:cb:84:86:00:01
Operation mode: layer3
Untagged sub-interface support: no
--------------------------------------------------------------------------------
Name: ethernet1/1, ID: 16
Operation mode: layer3
Virtual router default
Interface MTU 1500
Interface IP address: 192.168.5.2/24
Interface management profile: managment
ping: yes telnet: yes ssh: no http: yes https: yes
snmp: no response-pages: yes userid-service: no
Service configured: OSPF
Zone: OSPF, virtual system: vsys1
Adjust TCP MSS: no
Policing: no

On the Cisco:

R1#show interfaces fastEthernet 0/0
FastEthernet0/0 is up, line protocol is up
Hardware is DEC21140, address is ca01.2340.0000 (bia ca01.2340.0000)
Internet address is 192.168.5.1/24
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, 100BaseTX/FX
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output 00:00:04, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog
0 input packets with dribble condition detected
650 packets output, 64369 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
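As an added example (not code from this thread or from either vendor), the script below pulls the fields that matter for a same-subnet ping out of the two outputs quoted above and reports which precondition is not met. The two text blocks embedded in it are copied from the outputs posted in this thread; the checks themselves are my own assumptions about what the fields mean, for instance that a router interface which has sent frames but counts zero input packets is not receiving anything from the link.

```python
"""Check the preconditions for a same-subnet ping between a Palo Alto
interface and a Cisco router interface, from their CLI output.

Added example, not from the thread. The parsing rules and the diagnosis
rules are assumptions about the meaning of the output fields.
"""
import ipaddress
import re

# Copied from the "show interface ethernet1/1" output posted above.
PA_SHOW_INTERFACE = """\
Name: ethernet1/1, ID: 16
Operation mode: layer3
Virtual router default
Interface MTU 1500
Interface IP address: 192.168.5.2/24
Interface management profile: managment
ping: yes telnet: yes ssh: no http: yes https: yes
snmp: no response-pages: yes userid-service: no
Zone: OSPF, virtual system: vsys1
"""

# Copied (abridged) from the "show interfaces fastEthernet 0/0" output above.
CISCO_SHOW_INTERFACES = """\
FastEthernet0/0 is up, line protocol is up
Hardware is DEC21140, address is ca01.2340.0000 (bia ca01.2340.0000)
Internet address is 192.168.5.1/24
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
Last input never, output 00:00:04, output hang never
0 packets input, 0 bytes
650 packets output, 64369 bytes, 0 underruns
"""


def parse_pa_interface(text):
    """Extract IP, management profile, ping permission and zone from PAN-OS output."""
    info = {}
    m = re.search(r"Interface IP address:\s*(\S+)", text)
    info["ip"] = ipaddress.ip_interface(m.group(1)) if m else None
    m = re.search(r"Interface management profile:\s*(\S+)", text)
    info["mgmt_profile"] = m.group(1) if m else None
    m = re.search(r"\bping:\s*(yes|no)", text)
    info["ping"] = (m.group(1) == "yes") if m else False
    m = re.search(r"Zone:\s*([^,]+)", text)
    info["zone"] = m.group(1).strip() if m else None
    return info


def parse_cisco_interface(text):
    """Extract state, IP and packet counters from IOS 'show interfaces' output."""
    info = {}
    m = re.match(r"(\S+) is (\S+), line protocol is (\S+)", text)
    info["name"], info["admin"], info["protocol"] = m.group(1), m.group(2), m.group(3)
    m = re.search(r"Internet address is (\S+)", text)
    info["ip"] = ipaddress.ip_interface(m.group(1)) if m else None
    m = re.search(r"(\d+) packets input", text)
    info["packets_in"] = int(m.group(1)) if m else None
    m = re.search(r"(\d+) packets output", text)
    info["packets_out"] = int(m.group(1)) if m else None
    m = re.search(r"Last input ([^,]+)", text)
    info["last_input"] = m.group(1) if m else None
    return info


def diagnose(pa, cisco):
    """Return a list of findings; an empty list means every checked precondition holds."""
    findings = []
    if pa["mgmt_profile"] is None:
        findings.append("PA: no management profile bound to the interface")
    elif not pa["ping"]:
        findings.append("PA: management profile does not permit ping")
    if cisco["admin"] != "up" or cisco["protocol"] != "up":
        findings.append("Cisco: interface or line protocol is down")
    if pa["ip"] is None or cisco["ip"] is None:
        findings.append("One side has no IP address configured")
    elif pa["ip"].network != cisco["ip"].network:
        findings.append("Addresses are not in the same subnet")
    # Assumption: packets sent but none received means frames from the peer
    # never arrive at the router, i.e. the problem is on the L2 path (the
    # GNS3 link), not an ICMP permission on either side.
    if cisco["packets_in"] == 0 and (cisco["packets_out"] or 0) > 0:
        findings.append("Cisco: 0 packets input while packets are sent; "
                        "frames from the peer are not arriving (check the link)")
    return findings


if __name__ == "__main__":
    for line in diagnose(parse_pa_interface(PA_SHOW_INTERFACE),
                         parse_cisco_interface(CISCO_SHOW_INTERFACES)):
        print(line)
```

Run against the posted outputs, the only finding is the zero input-packet counter on FastEthernet0/0: the PA side permits ping through its management profile and both addresses are in 192.168.5.0/24, so the checks point at the link between the two nodes rather than at an ICMP permission.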

I was actually referring to any device and Cisco. I never configured Palo Alto specifically, but different vendors already, and the behavior I've been seeing with Cisco devices is the same. If you have an IP address on the interface and direct connectivity, it will reply to ICMP.

Never saw any limitation on this before. What you can do is ping from the firewall to the Cisco and enable debug on the Cisco side. If the ICMP is reaching the Cisco you will see it.

debug ip icmp

terminal monitor

I did try it by connecting another Cisco 7200 to the 7200, and ping works fine. I tried ping between two Palo Altos, and ping works fine.

On the security zone of the Palo Alto, ping is allowed and I can see packets hitting the policy, yet it does not hit the Cisco 7200. Debug ICMP on the Cisco is enabled as well.

[screenshot attached]