https://live.paloaltonetworks.com/t5/general-topics/proxy-id-between-palo-alto-firewall-and-cisco-asa/m-p/122011#M46095 <P>Hello Experts</P><P>&nbsp;</P><P>PA side there are two subnets: 10.0.1.0/24, 10.0.2.0/24 and Cisco side there are also three subnets 172.16.1.0/24 , 172.16.2.0/24.</P><P>&nbsp;</P><P>On PA firewall, I defined the proxy-id as below:</P><P>proxy-id1: local:&nbsp;<SPAN>10.0.1.0/24 remote:&nbsp;172.16.1.0/24&nbsp;</SPAN></P><P><SPAN>proxy-id2: local:&nbsp;<SPAN>10.0.1.0/24 remote:&nbsp;172.16.2.0/24&nbsp;</SPAN></SPAN></P><P>proxy-id3: local:&nbsp;<SPAN>10.0.1.0/24 remote:&nbsp;172.16.1.0/24&nbsp;</SPAN></P><P><SPAN>proxy-id4: local:&nbsp;<SPAN>10.0.1.0/24 remote:&nbsp;172.16.2.0/24&nbsp;</SPAN></SPAN></P><P>&nbsp;</P><P><SPAN><SPAN>My questions are:</SPAN></SPAN></P><P><SPAN><SPAN>1- On Cisco side, how I will define the ACL. I mean I will define the four ACL or only one ACL with two source and two destination?&nbsp;</SPAN></SPAN></P><P><SPAN><SPAN>2- Everytime, if new subnet is added to pass through tunnel. I need to create proxy-id. There is any scalable method for this?</SPAN></SPAN></P><P>&nbsp;</P><P><SPAN><SPAN>Regards,</SPAN></SPAN></P><P>&nbsp;</P><P><SPAN><SPAN>GR</SPAN></SPAN></P><P>&nbsp;</P><P>&nbsp;</P> Fri, 28 Oct 2016 11:17:34 GMT ghostrider 2016-10-28T11:17:34Z https://live.paloaltonetworks.com/t5/general-topics/proxy-id-between-palo-alto-firewall-and-cisco-asa/m-p/122011#M46095 <P>Hello Experts</P><P>&nbsp;</P><P>PA side there are two subnets: 10.0.1.0/24, 10.0.2.0/24 and Cisco side there are also three subnets 172.16.1.0/24 , 172.16.2.0/24.</P><P>&nbsp;</P><P>On PA firewall, I defined the proxy-id as below:</P><P>proxy-id1: local:&nbsp;<SPAN>10.0.1.0/24 remote:&nbsp;172.16.1.0/24&nbsp;</SPAN></P><P><SPAN>proxy-id2: local:&nbsp;<SPAN>10.0.1.0/24 remote:&nbsp;172.16.2.0/24&nbsp;</SPAN></SPAN></P><P>proxy-id3: local:&nbsp;<SPAN>10.0.1.0/24 remote:&nbsp;172.16.1.0/24&nbsp;</SPAN></P><P><SPAN>proxy-id4: local:&nbsp;<SPAN>10.0.1.0/24 remote:&nbsp;172.16.2.0/24&nbsp;</SPAN></SPAN></P><P>&nbsp;</P><P><SPAN><SPAN>My questions are:</SPAN></SPAN></P><P><SPAN><SPAN>1- On Cisco side, how I will define the ACL. I mean I will define the four ACL or only one ACL with two source and two destination?&nbsp;</SPAN></SPAN></P><P><SPAN><SPAN>2- Everytime, if new subnet is added to pass through tunnel. I need to create proxy-id. There is any scalable method for this?</SPAN></SPAN></P><P>&nbsp;</P><P><SPAN><SPAN>Regards,</SPAN></SPAN></P><P>&nbsp;</P><P><SPAN><SPAN>GR</SPAN></SPAN></P><P>&nbsp;</P><P>&nbsp;</P> Fri, 28 Oct 2016 11:17:34 GMT https://live.paloaltonetworks.com/t5/general-topics/proxy-id-between-palo-alto-firewall-and-cisco-asa/m-p/122011#M46095 ghostrider 2016-10-28T11:17:34Z https://live.paloaltonetworks.com/t5/general-topics/proxy-id-between-palo-alto-firewall-and-cisco-asa/m-p/122207#M46117 <P>Palo does not care about Proxy ID because it uses routing table to decide where to send traffic (route based vpn).</P><P>But as to negotiate IPSec configuration needs to match at both sides so Proxy ID in Palo is just to make Cisco happy.</P><P>Cisco on the other hand uses policy based vpn and encryption domains there are used to decide if traffic should be routed into tunnel or not.</P><P>So yes you have to have all subnets added to Proxy ID to have traffic flowing.</P><P>5 subnets at both sides for example means 25 Proxy ID's -&gt; 5x5.</P> Sat, 29 Oct 2016 03:32:19 GMT https://live.paloaltonetworks.com/t5/general-topics/proxy-id-between-palo-alto-firewall-and-cisco-asa/m-p/122207#M46117 Raido_Rattameister 2016-10-29T03:32:19Z https://live.paloaltonetworks.com/t5/general-topics/proxy-id-between-palo-alto-firewall-and-cisco-asa/m-p/122281#M46126 <P>Hi Raido&nbsp;</P><P>&nbsp;</P><P>Thanks for your valueable feedback. I heard in IKEV2, there is some concept of superset like on PA if I define 10/8 and remote as 172.16/16. Can we do something like that? or it is something else</P> Sat, 29 Oct 2016 15:18:34 GMT https://live.paloaltonetworks.com/t5/general-topics/proxy-id-between-palo-alto-firewall-and-cisco-asa/m-p/122281#M46126 ghostrider 2016-10-29T15:18:34Z https://live.paloaltonetworks.com/t5/general-topics/proxy-id-between-palo-alto-firewall-and-cisco-asa/m-p/123253#M46213 <P>I have not used IKEV2 so maybe someone who has can help here.</P> Wed, 02 Nov 2016 14:53:48 GMT https://live.paloaltonetworks.com/t5/general-topics/proxy-id-between-palo-alto-firewall-and-cisco-asa/m-p/123253#M46213 Raido_Rattameister 2016-11-02T14:53:48Z https://live.paloaltonetworks.com/t5/general-topics/proxy-id-between-palo-alto-firewall-and-cisco-asa/m-p/124339#M46299 <P>Any one here for IKEV2 explaination?</P> Sat, 05 Nov 2016 15:06:49 GMT https://live.paloaltonetworks.com/t5/general-topics/proxy-id-between-palo-alto-firewall-and-cisco-asa/m-p/124339#M46299 ghostrider 2016-11-05T15:06:49Z