https://live.paloaltonetworks.com/t5/general-topics/proxy-ids-help/m-p/69063#M40143 <P>Hi Satish,</P> <P>I'm having a problem with Proxy-ID mismatch. This is between a PAN Firewall and a Cisco 3G router. For my local Proxy ID on the PAN, I have configured 10.5.0.0/16. However, when I look at the logs, it says 'received local id is X.X.X.X'&nbsp;</P> <P>&nbsp;</P> <P>where X.X.X.X is the public interface of the PAN. I can't figure out why.</P> <P>&nbsp;</P> <P>Also, is a NAT-exempt rule required for my Local Proxy-ID?</P> Mon, 07 Dec 2015 10:32:44 GMT Bocsa 2015-12-07T10:32:44Z https://live.paloaltonetworks.com/t5/general-topics/proxy-ids-help/m-p/3575#M2634 <HTML><HEAD></HEAD><BODY><P>Hello</P><P></P><P>I have a Palo Alto Firewall which wants to have IPsec Tunnel with a peer firewall which is a Checkpoint Firewall. Any of the firewalls can initiate VPN Traffic. </P><P>Can someone kindly let me know, what proxy IDs can be set on my Palo alto firewall for the following 2 cases.</P><P></P><P>Case 1:</P><P>My internal networks for VPN (Palo Alto Firewall) : 172.16.10.0/24 , 10.31.0.0/16, 10.40.40.0/24</P><P>Networks behind the peer (Checkpoint Firewall) : Unknown</P><P></P><P></P><P>Case 2</P><P>My internal networks for VPN (Palo Alto Firewall) : 172.16.10.0/24 , 10.31.0.0/16, 10.40.40.0/24</P><P>Networks behind the peer (Checkpoint Firewall) : Exactly same i.e. 172.16.10.0/24 , 10.31.0.0/16, 10.40.40.0/24</P><P></P><P>Thanks a lot !!</P></BODY></HTML> Thu, 13 Nov 2014 07:01:05 GMT https://live.paloaltonetworks.com/t5/general-topics/proxy-ids-help/m-p/3575#M2634 Neo.The.One 2014-11-13T07:01:05Z https://live.paloaltonetworks.com/t5/general-topics/proxy-ids-help/m-p/3576#M2635 <HTML><HEAD></HEAD><BODY><P>Hello Amit,</P><P></P><P>PROXY ID's are required to define the SPI key's in the IPSec VPN. SPI is a key pair, used for encapsulation and decapsulation of ESP packet. </P><P></P><P>CASE-1: Proxy ID's should be as mentioned below:</P><P></P><P><IMG alt="proxy-ID.JPG" class="image-0 jive-image" height="284" src="https://live.paloaltonetworks.com/legacyfs/online/16855_proxy-ID.JPG" style="height: 283.761290322581px; width: 486px;" width="486" /></P><P></P><P>CASE-2: You have to follow the DOC<SPAN class="GINGER_SOFTWARE_mark"> :</SPAN> <A href="https://live.paloaltonetworks.com/docs/DOC-1594">Configuring route based IPSec with overlapping networks</A></P><P></P><P>Reference Info<SPAN class="GINGER_SOFTWARE_mark">:</SPAN><A href="https://live.paloaltonetworks.com/message/17561">Re: IPsec VPN Tunnel with overlapping subnets.</A></P><P></P><P>Hope this helps.</P><P></P><P>Thanks</P></BODY></HTML> Thu, 13 Nov 2014 07:22:53 GMT https://live.paloaltonetworks.com/t5/general-topics/proxy-ids-help/m-p/3576#M2635 HULK 2014-11-13T07:22:53Z https://live.paloaltonetworks.com/t5/general-topics/proxy-ids-help/m-p/3577#M2636 <HTML><HEAD></HEAD><BODY><P>Thanks for your reply! A few more questions:</P><P></P><P>1. Do I always have to mention 0.0.0.0/0 as remote proxy id or can i leave it blank?</P><P></P><P>2. Do I also have to add the IP Addresses of External Interfaces of Palo Alto and Peer Firewalls, in the Proxy IDs List ?</P><P></P><P>Thanks!!</P></BODY></HTML> Mon, 24 Nov 2014 10:42:25 GMT https://live.paloaltonetworks.com/t5/general-topics/proxy-ids-help/m-p/3577#M2636 Neo.The.One 2014-11-24T10:42:25Z https://live.paloaltonetworks.com/t5/general-topics/proxy-ids-help/m-p/3578#M2637 <HTML><HEAD></HEAD><BODY><P>Hi Amit,</P><P></P><P>Ans 1:- you cant do this.</P><P>2;-&nbsp; yes</P><P></P><P>Regards</P><P>Satish</P></BODY></HTML> Mon, 24 Nov 2014 11:49:27 GMT https://live.paloaltonetworks.com/t5/general-topics/proxy-ids-help/m-p/3578#M2637 Satish 2014-11-24T11:49:27Z https://live.paloaltonetworks.com/t5/general-topics/proxy-ids-help/m-p/3579#M2638 <P>Hi Amit,</P> <P>&nbsp;</P> <P>It may be help&nbsp; you in configuration.....</P> <P>&nbsp;</P> <P><A href="https://live.paloaltonetworks.com/docs/DOC-6791" target="_self">How to Configure IPSec VPN</A></P> <P class="f kv _SWb" style="color: #808080; font-family: arial, sans-serif; font-size: small;">&nbsp;</P> <P class="f kv _SWb" style="color: #808080; font-family: arial, sans-serif; font-size: small;">Thnx</P> <P class="f kv _SWb" style="color: #808080; font-family: arial, sans-serif; font-size: small;">Satish</P> <DIV class="action-menu ab_ctl" style="margin: 0 3px;">&nbsp;</DIV> Mon, 07 Dec 2015 17:50:13 GMT https://live.paloaltonetworks.com/t5/general-topics/proxy-ids-help/m-p/3579#M2638 Satish 2015-12-07T17:50:13Z https://live.paloaltonetworks.com/t5/general-topics/proxy-ids-help/m-p/3580#M2639 <HTML><HEAD></HEAD><BODY><P>Hi Satish,</P><P></P><P>thanks for your reply! Everything works now!!</P></BODY></HTML> Tue, 25 Nov 2014 11:20:39 GMT https://live.paloaltonetworks.com/t5/general-topics/proxy-ids-help/m-p/3580#M2639 Neo.The.One 2014-11-25T11:20:39Z https://live.paloaltonetworks.com/t5/general-topics/proxy-ids-help/m-p/69063#M40143 <P>Hi Satish,</P> <P>I'm having a problem with Proxy-ID mismatch. This is between a PAN Firewall and a Cisco 3G router. For my local Proxy ID on the PAN, I have configured 10.5.0.0/16. However, when I look at the logs, it says 'received local id is X.X.X.X'&nbsp;</P> <P>&nbsp;</P> <P>where X.X.X.X is the public interface of the PAN. I can't figure out why.</P> <P>&nbsp;</P> <P>Also, is a NAT-exempt rule required for my Local Proxy-ID?</P> Mon, 07 Dec 2015 10:32:44 GMT https://live.paloaltonetworks.com/t5/general-topics/proxy-ids-help/m-p/69063#M40143 Bocsa 2015-12-07T10:32:44Z https://live.paloaltonetworks.com/t5/general-topics/proxy-ids-help/m-p/69254#M40233 <P><SPAN>'received local id is X.X.X.X'&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>I believe this is telling you that the Cisco is sending the proxy-id with your public ip address. &nbsp;You will need to check the configuration on that side to remove this setting and put in the ACL on the Cisco tunnel that you need.</SPAN></P> Wed, 09 Dec 2015 11:11:50 GMT https://live.paloaltonetworks.com/t5/general-topics/proxy-ids-help/m-p/69254#M40233 pulukas 2015-12-09T11:11:50Z