https://live.paloaltonetworks.com/t5/general-topics/s2s-vpn-between-pa-3020-8-0-to-cisco-asa-9-x-code/m-p/209037#M61133 <P>So that's one of the things I was needing to understand.</P><P>Am I creating a PID for every host that has access over the tunnel?</P><P>Or does a subnet range work for this?</P><P>On the ASA side I have an ACL just allowing a few host to access the tunnel.</P> Fri, 06 Apr 2018 15:35:16 GMT brian.schroeder 2018-04-06T15:35:16Z https://live.paloaltonetworks.com/t5/general-topics/s2s-vpn-between-pa-3020-8-0-to-cisco-asa-9-x-code/m-p/208949#M61118 <P>First thing,</P><P>I know there are postings about this out on the web and community about this. The problem I'm having is everything out there is on old ASA code.&nbsp;</P><P>I'm trying to understand the configuration on the PA. I have my tunnel interface configured, IKE Crypto, IPSec Crypto, IKE Gateway, and IPSec Tunnel. I can't get the Phase 1 to come up. I've verified the DH Groups, Authentication, and Encryption setting are the same on both sides. Can someone point me in a direction where they think my problem might be?</P><P>Thanks for any help given,</P> Thu, 05 Apr 2018 23:40:46 GMT https://live.paloaltonetworks.com/t5/general-topics/s2s-vpn-between-pa-3020-8-0-to-cisco-asa-9-x-code/m-p/208949#M61118 brian.schroeder 2018-04-05T23:40:46Z https://live.paloaltonetworks.com/t5/general-topics/s2s-vpn-between-pa-3020-8-0-to-cisco-asa-9-x-code/m-p/209011#M61128 <P>Checking (and posting) logs would be a good start.</P> Fri, 06 Apr 2018 10:11:25 GMT https://live.paloaltonetworks.com/t5/general-topics/s2s-vpn-between-pa-3020-8-0-to-cisco-asa-9-x-code/m-p/209011#M61128 santonic 2018-04-06T10:11:25Z https://live.paloaltonetworks.com/t5/general-topics/s2s-vpn-between-pa-3020-8-0-to-cisco-asa-9-x-code/m-p/209033#M61131 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/48699">@brian.schroeder</a>,</P><P>Did you verify that your proxy-ids are setup correctly. As&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/10238">@santonic</a>&nbsp;stated logs would be the thing that will tell you what's actually happening.&nbsp;</P> Fri, 06 Apr 2018 15:30:34 GMT https://live.paloaltonetworks.com/t5/general-topics/s2s-vpn-between-pa-3020-8-0-to-cisco-asa-9-x-code/m-p/209033#M61131 BPry 2018-04-06T15:30:34Z https://live.paloaltonetworks.com/t5/general-topics/s2s-vpn-between-pa-3020-8-0-to-cisco-asa-9-x-code/m-p/209035#M61132 <P>I'll be pulling those soon.</P> Fri, 06 Apr 2018 15:31:38 GMT https://live.paloaltonetworks.com/t5/general-topics/s2s-vpn-between-pa-3020-8-0-to-cisco-asa-9-x-code/m-p/209035#M61132 brian.schroeder 2018-04-06T15:31:38Z https://live.paloaltonetworks.com/t5/general-topics/s2s-vpn-between-pa-3020-8-0-to-cisco-asa-9-x-code/m-p/209037#M61133 <P>So that's one of the things I was needing to understand.</P><P>Am I creating a PID for every host that has access over the tunnel?</P><P>Or does a subnet range work for this?</P><P>On the ASA side I have an ACL just allowing a few host to access the tunnel.</P> Fri, 06 Apr 2018 15:35:16 GMT https://live.paloaltonetworks.com/t5/general-topics/s2s-vpn-between-pa-3020-8-0-to-cisco-asa-9-x-code/m-p/209037#M61133 brian.schroeder 2018-04-06T15:35:16Z https://live.paloaltonetworks.com/t5/general-topics/s2s-vpn-between-pa-3020-8-0-to-cisco-asa-9-x-code/m-p/209040#M61134 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/48699">@brian.schroeder</a>,</P><P>Cisco is policy-based while the Palo Alto is route-based. The Palo Alto is essentially defaulting to 0.0.0.0/0 source and 0.0.0.0/0 destiantion. If they don't match things aren't going to form correctly. You can use a network range as long as that's what the ASA is sending; if they don't match you'll still have an issue.&nbsp;</P><P>&nbsp;</P><P>Here's two good articles about proxy-ids <A href="https://live.paloaltonetworks.com/t5/Featured-Articles/DotW-Help-with-IPSec-Proxy-IDs-with-overlapping-IPs/ta-p/69123" target="_blank">HERE</A>&nbsp;and <A href="https://live.paloaltonetworks.com/t5/Featured-Articles/Tips-amp-Tricks-Why-Use-a-VPN-Proxy-ID/ta-p/69524" target="_blank">HERE</A>.&nbsp;</P> Fri, 06 Apr 2018 15:45:13 GMT https://live.paloaltonetworks.com/t5/general-topics/s2s-vpn-between-pa-3020-8-0-to-cisco-asa-9-x-code/m-p/209040#M61134 BPry 2018-04-06T15:45:13Z https://live.paloaltonetworks.com/t5/general-topics/s2s-vpn-between-pa-3020-8-0-to-cisco-asa-9-x-code/m-p/209041#M61135 <P>Initiate vpn traffic from ASA side and check logs on Palo.</P><P>Monitor &gt; System</P><P>If you can't identify issue yourself then share logs here.</P> Fri, 06 Apr 2018 15:54:26 GMT https://live.paloaltonetworks.com/t5/general-topics/s2s-vpn-between-pa-3020-8-0-to-cisco-asa-9-x-code/m-p/209041#M61135 Raido_Rattameister 2018-04-06T15:54:26Z https://live.paloaltonetworks.com/t5/general-topics/s2s-vpn-between-pa-3020-8-0-to-cisco-asa-9-x-code/m-p/209188#M61170 <P>ACL for crypo-map on Cisco and Proxy IDs on PA must match for VPN to work. While PA isn't too strict about exact matches, policy based FWs like ASA usually are.&nbsp;</P><P>But check logs first, you will find the answer there.&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 09 Apr 2018 06:57:49 GMT https://live.paloaltonetworks.com/t5/general-topics/s2s-vpn-between-pa-3020-8-0-to-cisco-asa-9-x-code/m-p/209188#M61170 santonic 2018-04-09T06:57:49Z