topic Re: PA to Cisco ASA Site to Site IPSEC with source as user id instead of IP address in General Topics

PA to Cisco ASA Site to Site IPSEC with source as user id instead of IP address

MP18 — Fri, 01 Feb 2019 04:51:55 GMT

Need to know is it possible to use Site to Site IPSEC with Cisco ASA and use USer id instead of source address in the Palo Alto?

What we want is instead of source IP address we can config the user id.

Re: PA to Cisco ASA Site to Site IPSEC with source as user id instead of IP address

OtakarKlier — Fri, 01 Feb 2019 21:46:25 GMT

Hello,

Can you expand you your question? If you mean what traffic can pass, then yes. Just make the other side of the VPN a different zone then apply the policies based on zone of VPN and end users, etc.

Hope that helps.

Re: PA to Cisco ASA Site to Site IPSEC with source as user id instead of IP address

MP18 — Fri, 01 Feb 2019 23:25:06 GMT

yes VPN has two zones one for user traffic coming from our side then tunnel zone going to vendor.

I need to apply on our zone user id not the source subnets as they are many.

Re: PA to Cisco ASA Site to Site IPSEC with source as user id instead of IP address

BPry — Sat, 02 Feb 2019 04:02:31 GMT

@MP18,

You'll actually have to spend more time detailing what exactly you want here; because I've now read this a few times and I frankly still have no idea.

If you want user-id for an entire zone, you simply enable user-id on the zone configuration and leave the default 'Included Networks' set to any.

Re: PA to Cisco ASA Site to Site IPSEC with source as user id instead of IP address

MP18 — Sat, 02 Feb 2019 04:06:20 GMT

You got it what i want was user names under user in the security policy.