11-18-2015 11:47 PM
Hello Team,
When I run a packet trace it shows allow for everything, but I am unable to ping the remote device.
It also shows one error, nat-xlate-failed. Please find the details and help.
axletech# packet-tracer input inside icmp 10.0.64.36 8 0 10.0.128.11
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via 49.248.250.97, outside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any any
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
Additional Information:
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network Inside-Network
nat (inside,outside) dynamic interface
Additional Information:
Dynamic translate 10.0.64.36/0 to 49.248.250.98/14631
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_out out interface outside
access-list outside_access_out extended permit object-group DM_INLINE_PROTOCOL_4 any any
object-group protocol DM_INLINE_PROTOCOL_4
protocol-object ip
protocol-object icmp
Additional Information:
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 69276, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
axletech# packet-tracer input inside icmp 10.0.64.36 0 0 10.0.128.11
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via 49.248.250.97, outside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any any
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
Additional Information:
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network Inside-Network
nat (inside,outside) dynamic interface
Additional Information:
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-xlate-failed) NAT failed
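As an added example, not code from the thread, here is a small Python parser for the packet-tracer output pasted above: it splits a trace into its phases and the final verdict block, pulls the drop code out of the Drop-reason line, and reports whether the NAT phase actually built a translation. The embedded sample is a constructed, abbreviated copy of the failing trace (only the NAT phase and the verdict are kept).

```python
import re

# Constructed sample: an abbreviated copy of the failing trace from the thread
# (only the NAT phase and the verdict block are kept, to stay short).
SAMPLE = """\
axletech# packet-tracer input inside icmp 10.0.64.36 0 0 10.0.128.11
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network Inside-Network
nat (inside,outside) dynamic interface
Additional Information:
Result:
input-interface: inside
Action: drop
Drop-reason: (nat-xlate-failed) NAT failed
"""

def parse_packet_tracer(text):
    """Split packet-tracer output into a list of phase dicts and a verdict dict."""
    phases, verdict, phase, section = [], {}, None, None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        key, _, value = (s.strip() for s in line.partition(":"))
        if "# packet-tracer" in line:                 # the echoed CLI command
            verdict["command"] = line.split("# ", 1)[1]
        elif key == "Phase":                          # "Phase: N" opens a new phase
            phase = {"phase": int(value), "config": [], "info": []}
            phases.append(phase)
            section = None
        elif key == "Result" and not value:           # bare "Result:" opens the verdict block
            phase, section = None, None
        elif key in ("Config", "Additional Information") and not value:
            section = "config" if key == "Config" else "info"
        elif phase is not None and section:           # body line of Config / Additional Information
            phase[section].append(line)
        elif phase is not None:                       # Type / Subtype / Result inside a phase
            phase[key.lower()] = value
        elif key == "Drop-reason":                    # "(code) human-readable text"
            m = re.match(r"\((?P<code>[^)]+)\)\s*(?P<text>.*)", value)
            verdict["drop_code"], verdict["drop_text"] = m.group("code"), m.group("text")
        else:                                         # interface status lines, Action
            verdict[key.lower()] = value
    return phases, verdict

def nat_xlate(phases):
    # The "Dynamic translate ..." line reported by a NAT phase, or None if no translation was built.
    hits = [i for p in phases if p.get("type") == "NAT" for i in p["info"] if i.startswith("Dynamic translate")]
    return hits[0] if hits else None
```

Run over the two traces in the post, the allowed one returns the "Dynamic translate 10.0.64.36/0 to 49.248.250.98/14631" line from phase 3 while the dropped one returns None, which is the difference the nat-xlate-failed drop reason points at.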
11-24-2015 11:24 PM
I've never dealt with a Palo Alto FW before, but if it was an ASA you would have to do an outside to outside NAT statement and allow intra-interface communication:
object network REMOTE-ASA-NETWORK
subnet 10.0.64.0 255.255.224.0
nat (outside,outside) dynamic interface
same-security-traffic permit intra-interface
Maybe there is something similar on the Palo Alto FW?
11-25-2015 01:18 AM
I tried this command but the internet does not work.
object network REMOTE-ASA-NETWORK
subnet 10.0.64.0 255.255.224.0
nat (outside,outside) dynamic interface
same-security-traffic permit intra-interface
Regards,
Saroj P
11-25-2015 10:45 AM
It's because you never should have configured it. It was just an example of what you would have to do on the Palo Alto firewall if it was a Cisco ASA.
11-19-2015 01:35 AM
Please find the config and advise.