topic Re: How to create a p2p tunnel from Palo Alto with static ip to Palo Alto with dhcp (with public ip) in General Topics

How to create a p2p tunnel from Palo Alto with static ip to Palo Alto with dhcp (with public ip)

fortigatefan — Wed, 08 Nov 2017 16:33:57 GMT

Dear all,

I am looking for a way to get a site2site tunnel working between a Palo Alto with static public ip and a Palo Alto with a "dynamic" endpoint (public ip through dhcp)

The tunnel shows as status green in the GUI and also on CLI it shows up, but no traffic is passing. I found a how to through the Palo Alto pages, and I am using the User FQDN instead of ip peer address.

Do I need to use a proxy id between the 2 Palo Alto's or can I use static for the tunnel at both ends? Or perhaps both?

Re: How to create a p2p tunnel from Palo Alto with static ip to Palo Alto with dhcp (with public ip)

DonohoeRobert — Wed, 08 Nov 2017 21:57:03 GMT

Hi Mate,

Check the traffic logs ?

is the traffic going down the tunnel when it should ?

have ye set a static route for the traffic thats needed to go down the tunnel?

Do you need nat traversal enabled?

Don't need the proxy id's. few links below should help ye research further.

dynamic dds can help when you don't have a static address.

https://live.paloaltonetworks.com/t5/Featured-Articles/Tips-amp-Tricks-Why-Use-a-VPN-Proxy-ID/ta-p/69524

https://live.paloaltonetworks.com/t5/Management-Articles/IPSec-VPN-Tunnel-with-NAT-Traversal/ta-p/66188

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-IPSec-VPN/ta-p/56535

https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Troubleshoot-IPSec-VPN-connectivity-issues/tac-p/59191#M985

https://live.paloaltonetworks.com/t5/Management-Articles/Advanced-VPN-IPSec-troubleshooting-8-0-enable-debugging-per-VPN/ta-p/169303

https://live.paloaltonetworks.com/t5/Management-Articles/The-IPSEC-Tunnel-Comes-Up-But-Hosts-Behind-Peer-Are-Not/ta-p/61110

cheers

Rob

Re: How to create a p2p tunnel from Palo Alto with static ip to Palo Alto with dhcp (with public ip)

fortigatefan — Thu, 09 Nov 2017 10:19:27 GMT

Hello Rob,

I might have found the issue, as since the tunnels are basically inside to inside, the previous engineer didn't add a rule to allow zone internal/inside to internal/inside on the dynamic endpoint side/firewall. I will keep you posted.

Jeff.

Re: How to create a p2p tunnel from Palo Alto with static ip to Palo Alto with dhcp (with public ip)

fortigatefan — Fri, 10 Nov 2017 08:46:08 GMT

IP connectivity worked between several locations with static public ip and the site with dynamic public ip, however internal websites weren't reachable, whilst the external just worked fine (and outlook). I could reach the laptop from the engineer through RDP, and also the management ip of the Palo Alto was reachable through the GUI. The Palo Alto didn't block any http or https. The Palo Alto has a dhcp pool and 2 dns entries to serve the internal network. The local engineer could also ping the 2 dns ip's.

Although close to a solution, our timewindow ran out, so i had to do a rollback to the PFSense 😞

Will keep u posted on the progress.

Re: How to create a p2p tunnel from Palo Alto with static ip to Palo Alto with dhcp (with public ip)

BPry — Fri, 10 Nov 2017 15:29:57 GMT

Hi @fortigatefan,

This should be a fairly straightforward configuration. It sounds like you were able to reach resources through the remote firewall, but the remote party was unable to access resources through your own firewall correct?

If that's the case you'll need to verify a couple things.

1) There is a security policy in place that actually allows the remote users to access your local resources through the tunnel on both your remote firewall and the local firewall. It sounds like you may have allowed the traffic through to the remote end, but you aren't allowing that remote end through the terminating firewall.

2) Have you tried reaching these internal sites strickly through IP instead of DNS? You may have allowed HTTP/HTTPS through the firewall, but if the remote locations DNS server doesn't know to point these users to your internal webserver then it's just going to send them out to the external website.

Adding a little bit of the configuration from both ends might help a little in further troubleshooting, but that's where I would start looking.

Re: How to create a p2p tunnel from Palo Alto with static ip to Palo Alto with dhcp (with public ip)

fortigatefan — Fri, 10 Nov 2017 15:54:47 GMT

Hello BPry,

We have to postpone the migration 2 weeks, but I might be able to ask if we can install a spare laptop @ location to do some testing next time during the migration.