Not able to ping my AWS instance from my Cisco VLAN

0

We are currently trying to implement Okta authentication for our Office access points (Cisco). We are not able to ping our EC2 instance successfully from our Cisco FW. I can ping the FW public ip address from the EC2 instance though which leads me to believe it may be a setting on the AWS side. I have edited the VPC and Network ACLs to allow traffic inbound and outbound but still no luck.

4 Answers
0

If you can ping from the EC2 instance to the Cisco firewall but not the other way around, it suggests a one-way traffic issue. Here are some (other) AWS-side settings to check:

Route Tables: Check the route tables in your VPC to ensure there is a route that allows traffic to and from the Cisco firewall.

Internet Gateway/NAT Gateway: Ensure that if the EC2 instance is in a private subnet, it has a route out to the internet via a NAT gateway or NAT instance, and that the gateway is correctly configured.

Firewall Logs: Check the logs for your Cisco firewall to determine if the traffic is being sent out and if any rules might be blocking the outbound pings.

ObiJan
answered 6 months ago
  • You wouldn’t get one-way ping if there was a routing issue. It’s all or nothing. ICMP also requires a return path. If you get a ping response then routing is correct.

0

Need a little more info. Are you trying to ping the private or the public IP address of the EC2? How are you trying to access the EC2 from on-prem: via the internet, Site-to-Site VPN, or Direct Connect?

Have you allowed ICMP traffic in the security group? You can also enable VPC flow logs to see if the traffic is reaching the EC2 from on-prem. If the EC2 is a Windows machine, make sure the OS firewall (Windows Firewall) is allowing ICMP.

Matt_E
answered 6 months ago
0

If your EC2 is in a private subnet then you can’t ping it.

If it’s in a public subnet with a public IP then you should be able to ping it so long as the NACLs and Security Group allow ICMP and the return packets.

Please clarify where your Cisco FW is. Public or Private connection?

answered 6 months ago
0

As suggested above, more information is needed on the network connectivity between the FW and the EC2.

Since ping from the EC2 to the FW works, validate the EC2 IP in the FW logs to make sure traffic is coming from the expected IP.

Here are a few things for step-by-step troubleshooting:

  • Check if ICMP is allowed outbound on the FW and the right public IP is used as the source IP for traffic generated by the FW (oftentimes NAT is used to translate IPs behind the FW and not those of the FW itself)
  • If the FW is connected to an Internet router, validate the bogon ACL for ICMP
  • If the EC2 is behind a NAT GW, any traffic initiated towards the EC2 will not reach it
  • If the EC2 is behind a NAT instance or FW and many-to-one NAT is used for outbound traffic, the EC2 will not be reachable from outside
  • If there is a network FW in your VPC and it is in the path, check the inbound FW rules and NAT rules
  • If the EC2 has an EIP or PIP, check the NACL and SG (you can also validate using VPC Flow Logs)
  • Depending on the OS, check the Windows FW or iptables
  • Tools like Wireshark or tcpdump can be used to validate whether the traffic is reaching the EC2
H_Shah
answered 6 months ago
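Matt_E and H_Shah both point to VPC Flow Logs as the way to see whether the FW's pings reach the instance's ENI and whether the SG/NACL drop them. The following is an added example, not code from any of the answers: it parses a few constructed default-format (version 2) flow log lines and sorts ICMP between the two hosts by direction and action. The FW public IP, the EC2 private IP and the ENI id are assumed placeholder values.

```python
"""Triage constructed VPC Flow Log lines for the one-way ping symptom."""
from collections import Counter

ICMP = 1  # IP protocol number for ICMP
FW_PUBLIC_IP = "203.0.113.10"  # assumption: Cisco FW public IP (documentation range)
EC2_PRIVATE_IP = "10.0.1.25"   # assumption: the EC2 instance's primary private IP

# Constructed sample lines in the default flow log format:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_LOG = """\
2 111122223333 eni-0abc123 10.0.1.25 203.0.113.10 0 0 1 4 336 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0abc123 203.0.113.10 10.0.1.25 0 0 1 4 336 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0abc123 203.0.113.10 10.0.1.25 0 0 1 3 252 1700000100 1700000160 REJECT OK
2 111122223333 eni-0abc123 198.51.100.7 10.0.1.25 52000 22 6 10 840 1700000100 1700000160 ACCEPT OK
"""


def parse_flow_log(text):
    """Return the fields we need from each version-2 record; skip anything else."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 14 or f[0] != "2":
            continue
        records.append({"src": f[3], "dst": f[4], "proto": int(f[7]),
                        "packets": int(f[8]), "action": f[12]})
    return records


def icmp_summary(records, instance_ip, peer_ip):
    """Sum ICMP packets between the two hosts, keyed by (direction, action)."""
    counts = Counter()
    for r in records:
        if r["proto"] != ICMP:
            continue
        if r["src"] == peer_ip and r["dst"] == instance_ip:
            counts[("inbound", r["action"])] += r["packets"]
        elif r["src"] == instance_ip and r["dst"] == peer_ip:
            counts[("outbound", r["action"])] += r["packets"]
    return counts


def diagnose(counts):
    """Map the summary onto the next thing to check, following the answers above."""
    if counts[("inbound", "ACCEPT")] + counts[("inbound", "REJECT")] == 0:
        return "no inbound ICMP from the FW reached the ENI: check FW-side NAT/routing and the instance's public reachability"
    if counts[("inbound", "REJECT")] > 0:
        # REJECT at the ENI means the SG or NACL dropped it; replies to the
        # instance's own pings are still ACCEPTed, which is the one-way symptom.
        return "inbound ICMP from the FW is REJECTed at the ENI: check the security group and NACL for ICMP"
    return "inbound ICMP is ACCEPTed at the ENI: check the OS firewall (Windows Firewall / iptables)"


if __name__ == "__main__":
    print(diagnose(icmp_summary(parse_flow_log(SAMPLE_LOG), EC2_PRIVATE_IP, FW_PUBLIC_IP)))
```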
