Thank you for replying.

What can i do to reach the Outside interface on the FW? (192.168.11.3)

Hello,

--> I am unable to ping the inside interface on a Cisco device from my Home network.

--> What can i do to reach the Outside interface on the FW? (192.168.11.3)

Which IP address can you not ping ? 192.168.11.2 or 192.168.11.3, or both ? If you cannot ping 192.168.11.3 (the firewall) the reason is most likely that the Palo Alto does not allow ICMP...

Hi, 

For the purpose of this LAB, ICMP is allowed on the outside interface of the FW

But, still cannot find the interface.

I am unable to reach anything past the Cisco Outside interface (172.16.10.24)

I ran a debug on the router and this is what I am seeing every time i am pinging..

*Oct 22 16:53:17.971: IP: s=172.16.10.26 (GigabitEthernet0/3), d=192.168.11.2, l en 60, input feature
*Oct 22 16:53:17.973: ICMP type=8, code=0, Common Flow Table(5), rtype 0, fo rus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Oct 22 16:53:17.975: IP: s=172.16.10.26 (GigabitEthernet0/3), d=192.168.11.2, l en 60, input feature
*Oct 22 16:53:17.976: ICMP type=8, code=0, Stateful Inspection(8), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Oct 22 16:53:17.978: IP: s=172.16.10.26 (GigabitEthernet0/3), d=192.168.11.2, l en 60, input feature
*Oct 22 16:53:17.979: ICMP type=8, code=0, Virtual Fragment Reassembly(39), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Oct 22 16:53:17.981: IP: s=172.16.10.26 (GigabitEthernet0/3), d=192.168.11.2, l en 60, input feature
*Oct 22 16:53:17.983: ICMP type=8, code=0, Virtual Fragment Reassembly After IPSec Decryption(57), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Oct 22 16:53:17.985: IP: s=172.16.10.26 (GigabitEthernet0/3), d=192.168.11.2, l en 60, input feature
*Oct 22 16:53:17.987: ICMP type=8, code=0, NAT Outside(92), rtype 0, forus F ALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Oct 22 16:53:17.988: IP: s=172.16.10.26 (GigabitEthernet0/3), d=192.168.11.2, l en 60, input feature
*Oct 22 16:53:17.990: ICMP type=8, code=0, MCI Check(109), rtype 0, forus FA LSE, sendself FALSE, mtu 0, fwdchk FALSE
*Oct 22 16:53:17.992: FIBipv4-packet-proc: route packet from GigabitEthernet0/3 src 172.16.10.26 dst 192.168.11.2
*Oct 22 16:53:17.993: FIBfwd-proc: Default:192.168.11.2/32 receive entry
*Oct 22 16:53:17.994: FIBipv4-packet-proc: packet routing failed <<<< 

Hello,

odd. I lab tested your setup and can ping anything from 172.16.10.x.

What device is 172.16.10.26 ?

Hello
where are you trying to ping from what is the source - is it from the wan addressing?

Note: The outside interface of the PA is attached to the inside interface of the cisco wan rtr which is being natted so in theory from the PA perspective that is a public address however unless you have a specific 1-1 static nat statement for the PAs outside interface ip address you won’t be able to initiate a icmp from any wan rtr outside address 
example:

ip nat inside source static 192.168.11.3 172.16.10 x

Hi, 

Thank you for your response.

I added the 1-1 natting but ping did not work. 

InternetRouter#show ip nat translations
Pro Inside global Inside local Outside local Outside global
--- 172.16.10.24 192.168.11.3 --- ---

PA does have NAT enabled - see Capture1.PNG.

I am pinging from the 172.16.10.0 network, which is a home network.

Public Internet > 172.16.10.0 Network > 192.168.11.0/28 Network. 

- I am trying to ping from the 172.16.10.26 network to the 192.168.11.2 (rtr) and 3 (PA) network.

Can you tell me why the traffic generated from the 192.168.11.0 network is able to get to the internet, but i am unable to get to the outside interface from the 172.16... address.

admin@PA-VM> ping source 192.168.11.3 host 8.8.8.8
PING 8.8.8.8 (8.8.8.8) from 192.168.11.3 : 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=116 time=25.4 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=116 time=13.7 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=116 time=16.3 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=116 time=20.6 ms
64 bytes from 8.8.8.8: icmp_seq=5 ttl=116 time=18.9 ms
c64 bytes from 8.8.8.8: icmp_seq=6 ttl=116 time=22.9 ms
^C
--- 8.8.8.8 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5005ms
rtt min/avg/max/mdev = 13.747/19.662/25.411/3.901 ms

admin@PA-VM> traceroute source 192.168.11.3 host 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1 192.168.11.2 (192.168.11.2) 105.324 ms 123.012 ms 112.008 ms
2 172.16.10.10 (172.16.10.10) 94.418 ms 81.032 ms 87.436 ms
3 * * 

Able to reach public domain from here

I am also able to reach the public space from behind the router

min@PA-VM> ping source 192.168.22.10 host 8.8.8.8
PING 8.8.8.8 (8.8.8.8) from 192.168.22.10 : 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=116 time=20.8 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=116 time=13.7 ms
^C
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 13.772/17.321/20.870/3.549 ms..

I am trying to reach the FW outside (192.168.11.3) interface for management purposes from the 172.16.10.0/24 network.

Currently within EVE-NG, I have a Win7 machine which I use for mgmt purposes. I am trying to avoid using this for resourcing reasons.

Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::e578:f0d8:478b:b446%2
IPv4 Address. . . . . . . . . . . : 172.16.10.26
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.10.10

:\Users\Admin>ping 192.168.11.2

Pinging 192.168.11.2 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.11.2:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

On the rtr

InternetRouter#
*Oct 24 21:21:25.063: ICMP: echo reply sent, src 192.168.11.2, dst 172.16.10.26, topology BASE, dscp 0 topoid 0
*Oct 24 21:21:29.877: ICMP: echo reply sent, src 192.168.11.2, dst 172.16.10.26, topology BASE, dscp 0 topoid 0
*Oct 24 21:21:34.825: ICMP: echo reply sent, src 192.168.11.2, dst 172.16.10.26, topology BASE, dscp 0 topoid 0
*Oct 24 21:21:39.800: ICMP: echo reply sent, src 192.168.11.2, dst 172.16.10.26, topology BASE, dscp 0 topoid 0

I tried to ping 192.168.11.3 but I cannot see any traffic being generated on the rtr as like above.

===========

ip nat inside source list 11 interface GigabitEthernet0/3 overload
ip nat inside source static 192.168.11.3 172.16.10.24
!
!
!
access-list 11 permit 192.168.11.0 0.0.0.15
access-list 11 permit 192.168.22.0 0.0.0.255
access-list 11 permit 192.168.33.0 0.0.0.255
access-list 11 permit 192.168.44.0 0.0.0.255
access-list 11 permit 192.168.55.0 0.0.0.255
access-list 11 permit 192.168.66.0 0.0.0.255
access-list 11 permit 192.168.11.0 0.0.0.255
!

Sorry, not the best at NAT.

Thank you in advance

Many thanks, this has resolved the issue.

Can I just ask why include this:

access-list 11 deny host 192.168.11.3 

Thank you

Hello

As you have a specifc static nat statement for that host then you want it not to be included in the general port translation access-list so its denied.

Hi, 

I am unable to get past the GW, even though there is a router within the router to the 192.168.11.0 network

-S~ 192.168.11.0/ 255.255.255.240 via 172.16.10.24 LAN1

GigabitEthernet0/3 172.16.10.24 YES DHCP up up

C:\Users\Admin>tracert 192.168.11.2

Tracing route to 192.168.11.2 over a maximum of 30 hops

1 1 ms 1 ms 1 ms 172.16.10.10
2 * * * Request timed out.
3 * * * Request timed out.
4 * * ^C

Thank you

how does you routing table looks like? Are you sure that it has entry for 192.168.11.0 pointing to 172.16.10.24? And do you mybe have clasfull routing turned on?

Hello
fyi @DraganSkundric87318 192.168.11.0/24 is the hidden network so it won’t be reachable directly it’s being natted