topic Re: ipsec in General Topics

ipsec

sib2017 — Mon, 18 Jan 2016 11:41:13 GMT

Hi
Internet edge firewall is cisco asa .
Behind Palo alto running in virtual vire mode.
for some reason ipsec users cannot connet to outside .
What we need to be done at palo alto side ?
Thanks

Re: ipsec

syadav — Mon, 18 Jan 2016 13:46:06 GMT

Hi Sib,

Do you observe the VPN negotiation failing or only the traffic is not passing through after the VPN comes up ?

Please make sure that Palo alto is passthrough for the IPSEC :

https://live.paloaltonetworks.com/t5/Configuration-Articles/Configuring-the-Palo-Alto-Networks-Device-as-an-IPSec/ta-p/58732

If this does not help, please check what traffic is being dropped by the firewall for the user IPs from the internal network and

the IP they are trying to connect to. You may monitor the application in case strict rules have been used to application

control.

Hope this helps !

Re: ipsec

sib2017 — Mon, 18 Jan 2016 14:23:37 GMT

Hi,

Thanks for the reply ,

In my case what will be the source ip address , i am using cisco client to connect out side .

Re: ipsec

syadav — Sun, 24 Jan 2016 07:44:17 GMT

@sib2017 If the VPN negotiations itself are failing, then you sould see the request coming from the IP of the PC.

On the PA, you may check if any traffic is denied/dropped between the IP of the PC and the IP corresponding to the destination IP. Packet captures between these IPs would help.

Re: ipsec

sib2017 — Sun, 24 Jan 2016 19:31:24 GMT

Hi,

The tunnel is up and running , after tunnel is up i cannot access anything .

what does it mean

Thanks a lot of your support

Re: ipsec

syadav — Mon, 25 Jan 2016 02:17:48 GMT

@sib2017 If we assume that the tunnel is setup fine and only the traffic is failing, you should see
UDP/ESP traffic on the Palo alto. Please check cisco documentation which exact port they use for this traffic.
ESP protocol number is 50, you may filter with this as well.

Re: ipsec

pulukas — Mon, 25 Jan 2016 11:25:06 GMT

From your description, I think you are saying that the ASA user access tunnels establish correctly.

And that the users are setup without split tunnel so internet access will be from the ASA.

And that users are blocked from internet access after connecting.

If this is true, you would need to look at your outbound internet access policy setup on the PA. Find the zone assignment for the address pool you assign to users on the ASA.

Make sure there is an outbound from this zone to untrust policy on the PA.

Make sure there is a NAT policy from this address and zone to untrust on the PA.

Check the logs on the PA for these source addresses to see why the traffic is denied. Also confirm you have logging turned on for your final deny rules.

Re: ipsec

sib2017 — Tue, 26 Jan 2016 06:12:44 GMT

Hi Stever

Here is my setup ,

ASA (internet side) <------------untrust-----> ( PA VWIRE mode)

You said

"If this is true, you would need to look at your outbound internet access policy setup on the PA. Find the zone assignment for the address pool you assign to users on the ASA. "

for example i have assigned vpnusers group 1 ip address ( 10.10.10.100- 10.10.10.200) ,

i would consider these ip addresses are in untrust zone .

In PA logs , once the vpn connection established , how the traffic look like.I mean the source visible to PA is from the address pool or global IP ?

" Make sure there is an outbound from this zone to untrust policy on the PA. " ?

You mean from the ASA

"Make sure there is a NAT policy from this address and zone to untrust on the PA." ?

You mean from the ASA

Second thing i was talking about a user sitting inside behind the PA and connecting usinng vpn to outside comapny x .

I don't have an explicit policy to deny these ipsec traffic , sometimes users complain that they are not able t connect to company x .i can see palalto tagging this traffic as ciscovpn . But once they connected ,from palo alto side how the traffic look like ?

from the log how do i know that is it a succesful connection ?

Thanks

Re: ipsec

pulukas — Tue, 26 Jan 2016 11:05:50 GMT

I am confused on what the issue is for inbound VPN.

Users connect to the Cisco ASA for SSL VPN and cannot access internet?

Users connect to PA SSL VPN and cannot access Internet?

Users connect to PA SSL VPN and cannot access internal resources?

to find outbound connections and logs on the PA filter for the source address and destination address of the user and destination vpn in the logs. These will show if the traffic is permitted or denied.

Re: ipsec

abjain — Wed, 27 Jan 2016 02:27:06 GMT

Hi,

Please clarify the setup a bit more. I am assuming the setup to be as below:

Cisco ASA ---------- Internet Cloud ------------ PA Vwire ------- VPN User

\------------------------------- VPN --------------------------------/

1. In this case shall we assume that VPN user is connecting using Cisco VPN client to the Cisco ASA?

2. Where is the NAT on the PA side? Is there another Router on the PA side which is natting the private network? For example:

Cisco ASA ---------- Internet Cloud ------------ Edge Router ------ PA Vwire ------- VPN User

\------------------------------------------ VPN ------------------------------------------/

3. If this is correct as above, then PA should allow ESP/ UDP-4500 traffic if IPSEC VPN.

4. If there is no split tunneling, then, on Cisco ASA, there should be a ACL to allow traffic coming from tunnel and going out to Internet unencrypted. Also you need a source NAT on Cisco ASA for the same.

5. To troubleshoot, check traffic logs on PA with source IP as the actual IP on the VPN User (not VPN assigned IP), and destination IP as Cisco ASA. Check for any drops.

6. On the Cisco ASA check if it is receiving any traffic via the tunnel, and then check how is the packet getting processed.

BR.