01-26-2018 08:10 AM - edited 03-12-2019 04:57 AM
I am creating a VPN with Cisco 5525-X to a Palo Alto. I am not able to ping or connect to anything on their side, but they are able to ping and connect to my side. I have the VPN configured like other VPNs and recently created one the same way with no problems. I ran the previous commands and it looks like everything is good from what I see. Is this problem on my side or theirs?
object-group network Servers_18
description: | 10.18.31.30 - 33 Servers |
network-object host 10.18.31.30
network-object host 10.18.31.31
network-object host 10.18.31.32
network-object host 10.18.31.33
object-group network 5024_LAN
description: | LAN to VEN 2018-01-18 |
group-object Servers_18
object-group network 5024_VEN_LAN
description: | To VEN LAN 5024 2018-01-18 |
network-object host 8.X.X.X
packet-tracer input INSIDE icmp 10.18.31.32 0 8 8.X.X.X
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source static 5024_LAN 5024_LAN destination static 5024_VEN_LAN 5024_VEN_LAN description 5024
Additional Information:
NAT divert to egress interface OUTSIDE
Untranslate 8.X.X.X/0 to 8.X.X.X/0
Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection decrement-ttl
service-policy global_policy global
Additional Information:
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source static 5024_LAN 5024_LAN destination static 5024_VEN_LAN 5024_VEN_LAN description 5024
Additional Information:
Static translate 10.18.31.32/0 to 10.18.31.32/0
Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Phase: 9
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: FLOW-EXPORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 12
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Phase: 13
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source static 5024_LAN 5024_LAN destination static 5024_VEN_LAN 5024_VEN_LAN description 5024
Additional Information:
Phase: 14
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Phase: 15
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 545584830, packet dispatched to next module
Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: allow
packet-tracer input INSIDE icmp 10.18.31.32 0 8 8.X.X.X DEtailed
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac69786c0, priority=13, domain=capture, deny=false
hits=11297500105, user_data=0x2aaac6324470, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=INSIDE, output_ifc=any
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac5756460, priority=1, domain=permit, deny=false
hits=5645177141, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=INSIDE, output_ifc=any
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source static 5024_LAN 5024_LAN destination static 5024_VEN_LAN 5024_VEN_LAN description 5024
Additional Information:
NAT divert to egress interface OUTSIDE
Untranslate 8.X.X.X/0 to 8.X.X.X/0
Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection decrement-ttl
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaad8c91540, priority=7, domain=conn-set, deny=false
hits=1590620, user_data=0x2aaad8c18610, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=INSIDE, output_ifc=any
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source static 5024_LAN 5024_LAN destination static 5024_VEN_LAN 5024_VEN_LAN description 5024
Additional Information:
Static translate 10.18.31.32/0 to 10.18.31.32/0
Forward Flow based lookup yields rule:
in id=0x2aaad8736060, priority=6, domain=nat, deny=false
hits=17244, user_data=0x2aaad02756a0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=10.18.31.32, mask=255.255.255.255, port=0, tag=any
dst ip/id=8.X.X.X, mask=255.255.255.255, port=0, tag=any, dscp=0x0
input_ifc=INSIDE, output_ifc=OUTSIDE
Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac48cf110, priority=0, domain=nat-per-session, deny=true
hits=381998060, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac58a53c0, priority=0, domain=inspect-ip-options, deny=true
hits=354656113, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=INSIDE, output_ifc=any
Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac4fe3000, priority=70, domain=inspect-icmp, deny=false
hits=12979109, user_data=0x2aaac65343c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=INSIDE, output_ifc=any
Phase: 9
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac57eb850, priority=66, domain=inspect-icmp-error, deny=false
hits=25243051, user_data=0x2aaac5419f50, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=INSIDE, output_ifc=any
Phase: 10
Type: FLOW-EXPORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaace778a30, priority=18, domain=flow-export, deny=false
hits=171412652, user_data=0x2aaacd3552b0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=INSIDE, output_ifc=any
Phase: 11
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaad6bef870, priority=13, domain=debug-icmp-trace, deny=false
hits=653621, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=INSIDE, output_ifc=any
Phase: 12
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x2aaad000bfe0, priority=70, domain=encrypt, deny=false
hits=16, user_data=0x38282a3c, cs_id=0x2aaad8dd0c90, reverse, flags=0x0, protocol=0
src ip/id=10.18.31.32, mask=255.255.255.255, port=0, tag=any
dst ip/id=8.X.X.X, mask=255.255.255.255, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=OUTSIDE
Phase: 13
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source static 5024_LAN 5024_LAN destination static 5024_VEN_LAN 5024_VEN_LAN description 5024
Additional Information:
Forward Flow based lookup yields rule:
out id=0x2aaacfede4c0, priority=6, domain=nat-reverse, deny=false
hits=17241, user_data=0x2aaad8c9afb0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.18.31.32, mask=255.255.255.255, port=0, tag=any
dst ip/id=8.X.X.X, mask=255.255.255.255, port=0, tag=any, dscp=0x0
input_ifc=INSIDE, output_ifc=OUTSIDE
Phase: 14
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x2aaabd6e2a80, priority=0, domain=user-statistics, deny=false
hits=410184676, user_data=0x2aaac6705cd0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=OUTSIDE
Phase: 15
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 545591009, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_dbg_icmp
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: allow
01-26-2018 08:18 AM
Hi, are you sure you've defined the correct hosts in the object-group "Servers_18"? Your description implies they should be .30-.33 but you've defined .50-.53. You are also running the packet trace from 10.18.31.32, which is not defined in the group. I assume you've defined the ACL referencing this group; I didn't see the ACL in your original email.
HTH
object-group network Servers_18
description: | 10.18.31.30 - 33 Servers |
network-object host 10.18.31.50
network-object host 10.18.31.51
network-object host 10.18.31.52
network-object host 10.18.31.53
packet-tracer input INSIDE icmp 10.18.31.32 0 8 8.X.X.X
01-26-2018 08:34 AM - edited 01-26-2018 08:36 AM
Yes, they are correct. I changed the original IP addresses since this information would be public. 50-53 are the original 4th octet addresses. I missed that.
object-group network Servers_18
description: | 10.18.31.30 - 33 Servers |
network-object host 10.18.31.30
network-object host 10.18.31.31
network-object host 10.18.31.32
network-object host 10.18.31.33
01-26-2018 11:19 AM
Can you provide the config for ACL, NAT, VPN please?
01-26-2018 01:11 PM
I have tried using just 10.18.31.32 as the only host in 5024_LAN with no success on my side (Cisco), but the Palo Alto site is still able to successfully ping the device. I feel like it is a NAT problem on the Palo Alto side.
object-group network Servers_18
description: | 10.18.31.30 - 33 Servers |
network-object host 10.18.31.50
network-object host 10.18.31.51
network-object host 10.18.31.52
network-object host 10.18.31.53
object-group network 5024_LAN
description: | LAN to VEN 2018-01-18 |
group-object Servers_18
object-group network 5024_VEN_LAN
description: | To VEN LAN 5024 2018-01-18 |
network-object host 8.X.X.240
access-list VPN_5024 remark VEN 2018-01-18
access-list VPN_5024 extended permit ip object-group 5024_LAN object-group 5024_VEN_LAN
nat (INSIDE,OUTSIDE) source static 5024_LAN 5024_LAN destination static 5024_VEN_LAN 5024_VEN_LAN description 5024
tunnel-group 8.X.X.130 type ipsec-l2l
tunnel-group 8.X.X.130 ipsec-attributes
ikev1 pre-shared-key <WorldSecret>
exit
!
crypto ikev1 policy 11
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800
crypto map OCMAP 5024 match address VPN_5024
crypto map OCMAP 5024 set peer 8.X.X.130
crypto map OCMAP 5024 set ikev1 transform-set ESP-AES256-SHA
crypto map OCMAP 5024 set security-association lifetime seconds 28800
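An added helper, not part of this thread or of any Cisco tool: a small Python parser for ASA packet-tracer output in the shape posted above. It reports whether every phase was ALLOW and whether the flow reached the VPN encrypt phase (i.e. the ASA matched the crypto map ACL), which is what localises the remaining problem to the remote peer. The sample trace below is constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of ASA packet-tracer output (not the thread's real trace)
SAMPLE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Phase: 3
Type: VPN
Subtype: encrypt
Result: ALLOW
Result:
input-interface: INSIDE
output-interface: OUTSIDE
Action: allow
"""

@dataclass
class Phase:
    number: int
    ptype: str
    subtype: str
    result: str

PHASE_RE = re.compile(r"Phase: (\d+)\nType: ([^\n]*)\nSubtype: ?([^\n]*)\nResult: ([^\n]*)")

def parse_phases(text):
    """Extract every numbered phase as a Phase record."""
    return [Phase(int(n), t.strip(), s.strip(), r.strip()) for n, t, s, r in PHASE_RE.findall(text)]

def assess(text):
    """Return (verdict, detail): was the flow allowed, and did it reach VPN encrypt?"""
    phases = parse_phases(text)
    for p in phases:
        if p.result != "ALLOW":  # a DROP here names the phase that blocks the flow locally
            return ("blocked", f"phase {p.number} {p.ptype}: {p.result}")
    action = re.search(r"^Action: (\w+)", text, re.M)
    if not action or action.group(1) != "allow":
        return ("blocked", "final action is not allow")
    if not any(p.ptype == "VPN" and p.subtype == "encrypt" for p in phases):
        return ("not-encrypted", "no VPN encrypt phase: traffic did not match the crypto map ACL")
    return ("encrypted", "ASA side matches the crypto ACL; look at the remote peer's policy and NAT")
```

Feed it the text of a real `packet-tracer ... detailed` run; an "encrypted" verdict with a working ping from the far side, as in this thread, points at the peer rather than the ASA.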
01-26-2018 01:53 PM
The config and the output from the packet trace look ok to me at first glance. When the ping fails, what is the source IP address? I assume it's one of the addresses defined in the object group? If yes, then it's worthwhile debugging with the Palo Alto administrator and debugging with them.
FYI, you can run "debug icmp trace" on the ASA if you haven't already; that may provide some useful information.
02-14-2018 06:45 AM
The ASA was configured correctly. The Palo Alto firewall was having problems with the NAT traffic when it hit their interface. I am not sure what the fix was for their side, but after they had the service call, the tunnel was working with no changes to my side.