Site to Site VPN issue (Palo Alto to Cisco ASA)

scaredoftests Security +, ITIL Foundation, MPT, EPO, ACAS, HTL behind you Mod Posts: 2,781
Wondering if anyone has had experience with this issue. We have been trying to set up a VPN (site to site) from a Palo Alto to a Cisco ASA. The tunnel is up but we can't ping externally to off-site. We have the policies in place. We are scratching our heads... any advice?
Never let your fear decide your fate....

Comments

  • Welly_59 Member Posts: 431
    Can you ping the tunnel endpoint?
  • Iristheangel CCIEx2 (Sec + DC), CCNP RS, CCNA V/S/R/DC, CISSP, CEH, MCSE 2003, A+/L+/N+/S+, and a lot more from m Pasadena, CA Mod Posts: 4,133
    @Welly - there's no tunnel like a tunnel interface. They can test IP reachability from the physical interface point of view for the outside interface but that's it.

    I can't help from a PAN point of view, but how do the proxy IDs look on the ASA? You didn't send blanket 0.0.0.0/0 proxy IDs over, did you? Are the subnets that are being shared looking good? Did both ISAKMP and IPsec come up correctly? Have you done a debug of both for the tunnel? Have you enabled logging on the ASA and checked what's happening?
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • scaredoftests Security +, ITIL Foundation, MPT, EPO, ACAS, HTL behind you Mod Posts: 2,781
    We don't have access to the ASA. It is at another site.
    Our IPsec tunnel is up. We used to be able to ping their external network. Last week that all changed and we can't ping them. The people who we need to talk to were on vacation all week. Now, we can't ping and it just hangs. I contacted Palo Alto and they said if our tunnel is up, then it is on the ASA side. I guess we will find out Tuesday when we are all back from the holiday...
    Never let your fear decide your fate....
  • bhcs2014 Member Posts: 103
    Why are you trying to ping their external network? In order to test tunnel connectivity you should try to connect from your private subnet to the remote subnet on the ASA's end. Ping may not work if ICMP inspection is turned off on the ASA end. Can you try RDP or an http/https page on the remote subnet?
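    A quick way to reason about the two points raised in the replies above (proxy IDs must mirror exactly on both peers, and a test flow must fall inside one of them, which a ping to the peer's external address never does), as an added example that is not from this thread or from either vendor; every address and selector below is constructed.

```python
import ipaddress


def parse_selectors(pairs):
    """Turn ("local", "remote") CIDR strings into network objects."""
    return [(ipaddress.ip_network(loc, strict=False),
             ipaddress.ip_network(rem, strict=False)) for loc, rem in pairs]


def flow_selected(selectors, src, dst):
    """Return the (local, remote) selector that would carry src->dst, else None.
    A flow outside every selector is routed in the clear, not through the tunnel."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for loc, rem in selectors:
        if s in loc and d in rem:
            return (str(loc), str(rem))
    return None


def unmirrored(local_side, remote_side):
    """Selectors on one peer that the other peer does not mirror exactly.
    Our (A, B) must appear as (B, A) on the peer; otherwise Phase 2 can
    come up for some pairs while the remaining traffic is silently dropped."""
    mirrored = {(rem, loc) for loc, rem in remote_side}
    return [(str(loc), str(rem)) for loc, rem in local_side
            if (loc, rem) not in mirrored]


def blanket(selectors):
    """Selectors using 0.0.0.0/0, which pull every flow (including the peer's
    own outside address and Internet traffic) into the tunnel."""
    any4 = ipaddress.ip_network("0.0.0.0/0")
    return [(str(loc), str(rem)) for loc, rem in selectors
            if loc == any4 or rem == any4]


# Constructed sample data (hypothetical addresses, not from the thread).
PAN_PROXY_IDS = parse_selectors([
    ("10.1.0.0/24", "192.168.50.0/24"),
    ("10.2.0.0/24", "192.168.50.0/24"),   # configured on the PAN side only
])
ASA_CRYPTO_ACL = parse_selectors([
    ("192.168.50.0/24", "10.1.0.0/24"),
])
ASA_OUTSIDE_IP = "203.0.113.10"           # the peer's "external" address

if __name__ == "__main__":
    print(flow_selected(PAN_PROXY_IDS, "10.1.0.5", "192.168.50.20"))  # carried
    print(flow_selected(PAN_PROXY_IDS, "10.1.0.5", ASA_OUTSIDE_IP))   # None
    print(unmirrored(PAN_PROXY_IDS, ASA_CRYPTO_ACL))
    print(blanket(parse_selectors([("10.1.0.0/24", "0.0.0.0/0")])))
```

The same check applies to ACLs on the far end: a flow that is selected into the tunnel can still be dropped after decryption, which is why a private-to-private test with a non-ICMP protocol tells you more than a ping.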
  • scaredoftests Security +, ITIL Foundation, MPT, EPO, ACAS, HTL behind you Mod Posts: 2,781
    The ASA end had ACLs that were blocking us. We can ping each other.
    Never let your fear decide your fate....