All, so I have my VPN tunnel up between my data center and my VPC. The (terminating) device is a PAN200, PAN OS 4.xx.

Traffic passes normally: SQL, RDP, AD, DNS, etc., and PING from the AWS side to the DC side passes, but PING from the DC side to AWS FAILS.

DC subnet (10.115.x.x) AWS subnet (10.116.x.x)

So, what bloody line of the config document that AWS provides gives me the "next-hop" interface IP that I configure my PAN with so I can ping across the tunnel?

3 Answers

Make sure you have appropriate rules in your DC firewall to allow all traffic from 10.16.x.x subnet to enter into your network.

dtoubelis
  • The rules allow all traffic from subnet 10.116.x.x to the internal: – Troy M. King May 10 '16 at 02:26
  • Literally any/any all/all between those two subnets. I've checked the security groups on the AWS side; all traffic is allowed into and out of that subnet from the tunnel side. – Troy M. King May 10 '16 at 02:42

The next-hop usually means you need to add the destination IP address, netmask and gateway into your routing table. There is a default gateway in your routing table, and all of the traffic will go through the default gateway; if you need some traffic to use another gateway, you need to use a "next-hop". E.g. on your DC side: route add -net 10.116.0.0/16 gw 10.115.0.1 (depends on your configuration).

It means all of the traffic to 10.116.0.0/16 will go through 10.115.0.1.

Xcat
  • All traffic is passing normally except ping. My routing tables are fine on the DC side; SQL passes normally, HTTP passes normally, even SSH works. I simply cannot ping from 10.115.104.x to 10.116.0.x. EVERYTHING else works. I'll be posting a screenshot of my routing table for the VPN interfaces on the DC FW shortly. – Troy M. King May 10 '16 at 02:30
  • No need; if all traffic is passing normally except ping, it's definitely not a routing issue. You can check the firewall rules on 10.116.0.x. – Xcat May 10 '16 at 02:34
  • Literally any/any all/all between those two subnets. I've checked the security groups on the AWS side; all traffic is allowed into and out of that subnet from the tunnel side. The security rules from the DC are any/any all/all from untrustL3 (the external VPN IP) to the trustL3 (internal network). – Troy M. King May 10 '16 at 02:44

Okay, got it sorted. There was a check box on the PAN config that said "append local IP range to ICMP requests". Disabled that and the pings work. Evidently, when the RETURN messages were coming into the PAN, they were having the AWS subnet address stripped off of them, replaced with the LOCAL subnet address, and then black-holed because the rules didn't allow ICMP to traverse the security boundary then come back in the same interface.

Really weird issue.

Thanks for your advice, everyone.