https://live.paloaltonetworks.com/t5/general-topics/vpn-tunnel-moving-from-palto-asa-to-palto-palto/m-p/14563#M10693 <HTML><HEAD></HEAD><BODY><P>Yes, you are correct.</P><P></P><P>Thanks</P></BODY></HTML> Wed, 11 Sep 2013 18:27:07 GMT HULK 2013-09-11T18:27:07Z https://live.paloaltonetworks.com/t5/general-topics/vpn-tunnel-moving-from-palto-asa-to-palto-palto/m-p/14560#M10690 <HTML><HEAD></HEAD><BODY><P>I'm running PANOS 4.0.x and have a tunnel with a Cisco ASA peer.&nbsp; I had to create multiple IPSEC tunnels to work around the Proxy ID limitation of 10 per tunnel interface.&nbsp; This Cisco peer will be moving to a Palo Alto box running 5.0.x.&nbsp; If the far end Palto running 5.0.x just matches my Proxy ID's, then I should be good correct?&nbsp; And that 5.0.x Palto will not have to be configured with multiple tunnel interfaces, either.&nbsp; I recall reading somewhere that VPN tunnels between Palto's didn't need Proxy ID's defined.&nbsp; Just looking for clarification.&nbsp; Thank you.</P></BODY></HTML> Tue, 10 Sep 2013 19:40:53 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-tunnel-moving-from-palto-asa-to-palto-palto/m-p/14560#M10690 iguarino 2013-09-10T19:40:53Z https://live.paloaltonetworks.com/t5/general-topics/vpn-tunnel-moving-from-palto-asa-to-palto-palto/m-p/14561#M10691 <HTML><HEAD></HEAD><BODY><P>Hello Iguarino,</P><P></P><P>You are correct. PAN firewall will take <SPAN class="GINGER_SOFATWARE_correct">0.0.0.0</SPAN>/0 as proxy ID by default. So, if both ends are PAN firewall then need not to define the Proxy ID's.</P><P></P><P>FYI:-</P><P>1. Define a proxy ID on PAN firewall for more control over the traffic, define the traffic that needs to be Encrypted or the Interested traffic for an IPSEC tunnel.</P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">2. This</SPAN><SPAN style="font-size: 10pt; line-height: 1.5em;"> behavior is same for JUNIPER SRX firewall as well.</SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">Hope this helps. <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">Thanks<BR /></SPAN></P></BODY></HTML> Tue, 10 Sep 2013 23:29:02 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-tunnel-moving-from-palto-asa-to-palto-palto/m-p/14561#M10691 HULK 2013-09-10T23:29:02Z https://live.paloaltonetworks.com/t5/general-topics/vpn-tunnel-moving-from-palto-asa-to-palto-palto/m-p/14562#M10692 <HTML><HEAD></HEAD><BODY><P>Thanks HULK.&nbsp; So in this case, the 4.0 side will simply add destination routes to the proper tunnel interface (although limited to 10).&nbsp; The 5.0 side could add up to 250 destination routes pointing to its proper tunnel interface.</P></BODY></HTML> Wed, 11 Sep 2013 13:02:18 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-tunnel-moving-from-palto-asa-to-palto-palto/m-p/14562#M10692 iguarino 2013-09-11T13:02:18Z https://live.paloaltonetworks.com/t5/general-topics/vpn-tunnel-moving-from-palto-asa-to-palto-palto/m-p/14563#M10693 <HTML><HEAD></HEAD><BODY><P>Yes, you are correct.</P><P></P><P>Thanks</P></BODY></HTML> Wed, 11 Sep 2013 18:27:07 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-tunnel-moving-from-palto-asa-to-palto-palto/m-p/14563#M10693 HULK 2013-09-11T18:27:07Z