Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1922
Views
0
Helpful
18
Replies

Site 2 site VPN Tunnel not comming UP on the ASA Firewall

saroj pradhan
Level 1
Level 1

‎11-18-2015 11:47 PM

Hello  Team,

when i  run a packet  trace  it  showing  allow  every thing but  unable to ping  the remore device.

also showing one erroe  nat-xlate-failed  .please find the details and help.

 

 

 

 

 

 

axletech# packet-tracer input inside icmp 10.0.64.36 8 0 10.0.128.11

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         via 49.248.250.97, outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any any
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network Inside-Network
 nat (inside,outside) dynamic interface
Additional Information:
Dynamic translate 10.0.64.36/0 to 49.248.250.98/14631

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_out out interface outside
access-list outside_access_out extended permit object-group DM_INLINE_PROTOCOL_4 any any
object-group protocol DM_INLINE_PROTOCOL_4
 protocol-object ip
 protocol-object icmp
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 69276, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

axletech# packet-tracer input inside icmp 10.0.64.36 0 0 10.0.128.11

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         via 49.248.250.97, outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any any
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network Inside-Network
 nat (inside,outside) dynamic interface
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-xlate-failed) NAT failed

 

Labels:
0 Helpful
18 Replies 18

Henrik Grankvist
Level 4
Level 4
In response to saroj pradhan

‎11-24-2015 11:24 PM

I've never delt with a Palo Alto FW before, but if it was an ASA you would have to do a outside to outside NAT statement and allow intra-interface communication:

object network REMOTE-ASA-NETWORK
 subnet 10.0.64.0 255.255.224.0
 nat (outside,outside) dynamic interface

same-security-traffic permit intra-interface

Maybe there is something similar on the Palo Alto FW?

0 Helpful

saroj pradhan
Level 1
Level 1
In response to Henrik Grankvist

‎11-25-2015 01:18 AM

tried this  command but internet doesnot work.

object network REMOTE-ASA-NETWORK
subnet 10.0.64.0 255.255.224.0
nat (outside,outside) dynamic interface

same-security-traffic permit intra-interface

Regards,

Saroj P

0 Helpful

Henrik Grankvist
Level 4
Level 4
In response to saroj pradhan

‎11-25-2015 10:45 AM

It's because you never should have configured it.  It was just an example of what you would have to do on the Palo Alto firewall if it was a Cisco ASA.

0 Helpful

saroj pradhan
Level 1
Level 1

‎11-19-2015 01:35 AM

please find the config and advice.

0 Helpful
Customers Also Viewed These Support Documents