08-10-2023 10:59 AM - edited 08-10-2023 11:00 AM
I am trying to get more familiar with Palo Alto version 9.0. I downloaded it on GNS3 and am trying to build a site-to-site VPN with a Cisco 7200. When I connect the Cisco 7200 to the PA on the same subnet, both sides cannot ping each other. On the PA side, I enabled ping by adding the interface to a profile and enabling ping. I know the FW has ICMP disabled by default, but do I need an access-list to allow ICMP on the Cisco even though it is on the same network as the PA?
Thank you
08-10-2023 11:13 AM
Hi @Johnson_Mo
Cisco devices, except firewalls, do not require permission for ICMP. You can test it by adding another 7200 to the topology and pinging each other.
08-10-2023 11:16 AM - edited 08-10-2023 11:22 AM
Hi @Flavio Miranda,
Thanks for the quick response! Yes, we do not need to enable ICMP when we have similar FWs. I am talking about Palo Alto-Cisco. I was wondering if anyone has configured PA-Cisco before on the same subnet.
Settings on the PA interface:
admin@PA-VM> show interface ethernet1/1
--------------------------------------------------------------------------------
Name: ethernet1/1, ID: 16
Link status:
Runtime link speed/duplex/state: 10000/full/up
Configured link speed/duplex/state: auto/auto/auto
MAC address:
Port MAC address 0c:cb:84:86:00:01
Operation mode: layer3
Untagged sub-interface support: no
--------------------------------------------------------------------------------
Name: ethernet1/1, ID: 16
Operation mode: layer3
Virtual router default
Interface MTU 1500
Interface IP address: 192.168.5.2/24
Interface management profile: managment
ping: yes telnet: yes ssh: no http: yes https: yes
snmp: no response-pages: yes userid-service: no
Service configured: OSPF
Zone: OSPF, virtual system: vsys1
Adjust TCP MSS: no
Policing: no
On the Cisco:
R1#show interfaces fastEthernet 0/0
FastEthernet0/0 is up, line protocol is up
Hardware is DEC21140, address is ca01.2340.0000 (bia ca01.2340.0000)
Internet address is 192.168.5.1/24
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, 100BaseTX/FX
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output 00:00:04, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog
0 input packets with dribble condition detected
650 packets output, 64369 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
08-10-2023 11:22 AM - edited 08-10-2023 11:24 AM
I was actually referring to any device and Cisco. I have never specifically configured Palo Alto, but I have with different vendors already, and the behavior I've been seeing with Cisco devices is the same. If you have an IP address on the interface and direct connectivity, it will reply to ICMP.
Never saw any limitation on this before. What you can do is ping from the firewall to the Cisco and enable debug on the Cisco side. If the ICMP is reaching the Cisco, you will see it.
debug ip icmp
terminal monitor
08-10-2023 01:47 PM
I did try it by connecting another Cisco 7200 to the 7200, and ping works fine. I tried ping between two Palo Altos, and ping works fine.
On the security zone of the Palo Alto, ping is allowed and I can see packets hitting the policy, yet it does not hit the Cisco 7200. debug ip icmp on the Cisco is enabled as well.
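A small triage script, added here as an illustration and not taken from any post in this thread: it parses the two "show interface" outputs quoted above (the sample strings are trimmed copies of them) and applies the ordering the replies imply when checking why two directly connected devices cannot ping: link state and subnet first, then whether any frames reach the Cisco interface at all, then the PA management profile, and only then ICMP debugging and ACLs. The function names, finding codes and the decision rules are my own, not a Cisco or Palo Alto tool.

```python
import ipaddress
import re

# Constructed sample input: fields and counters copied from the two
# "show interface" outputs quoted in this thread, trimmed to the lines
# the parser actually reads.
CISCO_SHOW_INT = """\
FastEthernet0/0 is up, line protocol is up
  Hardware is DEC21140, address is ca01.2340.0000 (bia ca01.2340.0000)
  Internet address is 192.168.5.1/24
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     0 packets input, 0 bytes
     650 packets output, 64369 bytes, 0 underruns
"""

PA_SHOW_INT = """\
Name: ethernet1/1, ID: 16
Operation mode: layer3
Interface IP address: 192.168.5.2/24
Interface management profile: managment
ping: yes telnet: yes ssh: no http: yes https: yes
Zone: OSPF, virtual system: vsys1
"""


def parse_cisco(text):
    """Extract link state, IP and packet counters from IOS 'show interfaces' output."""
    head = re.search(r"^(\S+) is (\S+), line protocol is (\S+)", text, re.M)
    ip = re.search(r"Internet address is (\S+)", text)
    pin = re.search(r"(\d+) packets input", text)
    pout = re.search(r"(\d+) packets output", text)
    return {
        "name": head.group(1) if head else None,
        "link_up": bool(head) and head.group(2) == "up" and head.group(3) == "up",
        "ip": ip.group(1) if ip else None,
        "packets_in": int(pin.group(1)) if pin else None,
        "packets_out": int(pout.group(1)) if pout else None,
    }


def parse_pa(text):
    """Extract the interface IP and the management-profile ping flag from PAN-OS 'show interface'."""
    ip = re.search(r"Interface IP address: (\S+)", text)
    ping = re.search(r"\bping: (yes|no)", text)
    return {
        "ip": ip.group(1) if ip else None,
        "ping_allowed": bool(ping) and ping.group(1) == "yes",
    }


def same_subnet(a, b):
    """True when two 'addr/prefix' strings fall in the same network."""
    return ipaddress.ip_interface(a).network == ipaddress.ip_interface(b).network


def triage(cisco, pa):
    """Return (code, explanation) findings, ordered from the lowest layer upwards."""
    findings = []
    if not cisco["link_up"]:
        findings.append(("CISCO_LINK_DOWN",
                         "Cisco interface or line protocol is not up."))
    if not (cisco["ip"] and pa["ip"] and same_subnet(cisco["ip"], pa["ip"])):
        findings.append(("SUBNET_MISMATCH",
                         "The two addresses are not on the same subnet."))
    # The interface input counter counts every frame the interface accepted,
    # so a zero here while output is non-zero means nothing from the peer is
    # arriving at all; an ICMP or ACL setting cannot yet be the cause.
    if cisco["packets_in"] == 0 and (cisco["packets_out"] or 0) > 0:
        findings.append(("NO_INPUT_FRAMES",
                         "Cisco has sent frames but never received one: check the GNS3 link "
                         "and ARP on both sides before looking at ICMP policy or ACLs."))
    if not pa["ping_allowed"]:
        findings.append(("PA_PING_DISABLED",
                         "The PA management profile on this interface does not allow ping."))
    if not findings:
        findings.append(("CHECK_ICMP_PATH",
                         "Frames are arriving; run 'debug ip icmp' with 'terminal monitor' "
                         "on the Cisco and check for an ACL applied to the interface."))
    return findings


if __name__ == "__main__":
    for code, msg in triage(parse_cisco(CISCO_SHOW_INT), parse_pa(PA_SHOW_INT)):
        print(f"{code}: {msg}")
```

Run against the outputs quoted in the thread, the only finding is NO_INPUT_FRAMES: the Cisco side has sent 650 packets and received none, which points at the link between the two virtual interfaces rather than at any ICMP or access-list setting.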