Sample IPSec tunnel configuration - Palo Alto Networks firewall to Cisco ASA

Created On 09/25/18 17:15 PM - Last Modified 06/13/23 01:50 AM


Resolution


The following is a sample IPSec tunnel configuration with a Palo Alto Networks firewall connecting to a Cisco ASA firewall.


Phase 1 Proposal

Cisco ASA:

crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

Palo Alto Networks firewall:

<ike-crypto-profiles>
   <entry name="default">
      <encryption>
         <member>aes192</member>
         <member>aes256</member>
         <member>aes128</member>
         <member>3des</member>
      </encryption>
      <hash>
         <member>sha1</member>
         <member>md5</member>
      </hash>
      <dh-group>
         <member>group2</member>
         <member>group1</member>
      </dh-group>
      <lifetime>
         <hours>24</hours>
      </lifetime>
   </entry>
</ike-crypto-profiles>

Phase 2 Proposal

Cisco ASA:

crypto ipsec transform-set palo-alto esp-aes-256 esp-sha-hmac
crypto map outside 20 set transform-set palo-alto

Palo Alto Networks firewall:

<ipsec-crypto-profiles>
   <entry name="default">
      <esp>
         <encryption>
            <member>aes256</member>
         </encryption>
         <authentication>
            <member>sha1</member>
         </authentication>
      </esp>
      <dh-group></dh-group>
      <lifetime>
         <hours>24</hours>
      </lifetime>
   </entry>
</ipsec-crypto-profiles>


Gateway

Cisco ASA:

crypto map outside 20 set peer 10.9.3.8
tunnel-group 10.9.3.8 type ipsec-l2l
tunnel-group 10.9.3.8 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold infinite


Palo Alto Networks firewall:

<gateway>
   <entry name="XYZ.ASA">
      <peer-address>
         <ip>10.88.12.253</ip>
      </peer-address>
      <local-address>
         <ip>10.9.3.8/24</ip>
         <interface>ethernet1/1</interface>
      </local-address>
      <authentication>
         <pre-shared-key>
            <key>k2VXNMN7gOjEFUe6y8ALut8vWzxw5TY0</key>
         </pre-shared-key>
      </authentication>
      <protocol>
         <ikev1>
            <exchange-mode>auto</exchange-mode>
            <ike-crypto-profile>default</ike-crypto-profile>
            <dpd>
               <enable>yes</enable>
               <interval>10</interval>
               <retry>3</retry>
            </dpd>
         </ikev1>
      </protocol>
   </entry>
</gateway>

Phase 2 - Proxy ID/tunnel

Cisco ASA:

access-list ASAtoPAN extended permit ip 10.211.168.0 255.255.252.0 10.61.0.0 255.255.0.0
crypto map outside 20 match address ASAtoPAN

Palo Alto Networks firewall:

<tunnel>
   <ipsec>
      <entry name="XYZTunnel">
         <anti-replay>no</anti-replay>
         <copy-tos>no</copy-tos>
         <tunnel-monitor>
            <enable>no</enable>
         </tunnel-monitor>
         <tunnel-interface>tunnel.1</tunnel-interface>
         <auto-key>
            <ike-gateway>
               <entry name="XYZ.ASA"/>
            </ike-gateway>
            <ipsec-crypto-profile>default</ipsec-crypto-profile>
            <proxy-id>
               <local>10.61.0.0/16</local>
               <remote>10.211.168.0/22</remote>
            </proxy-id>
         </auto-key>
      </entry>
   </ipsec>
</tunnel>

Note: The protocol field under the proxy ID must match on both sides.
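As an added consistency check (example code written for this article, not Palo Alto Networks' or Cisco's tooling), the script below parses the ASA ISAKMP policy and ACL together with the Palo Alto IKE crypto profile and proxy ID, and reports any field the two peers would fail to agree on. The embedded inputs are constructed copies of the configuration shown above; the ASA-to-PAN name mapping covers only the values this page uses, and the ACL parser assumes the network/netmask form used here.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed inputs copied from the article's Phase 1 and proxy-ID sections.
ASA_PHASE1 = """crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400"""
ASA_ACL = "access-list ASAtoPAN extended permit ip 10.211.168.0 255.255.252.0 10.61.0.0 255.255.0.0"
PAN_IKE = """<entry name="default"><encryption><member>aes256</member><member>3des</member></encryption>
<hash><member>sha1</member></hash><dh-group><member>group2</member></dh-group>
<lifetime><hours>24</hours></lifetime></entry>"""
PAN_PROXY = "<proxy-id><local>10.61.0.0/16</local><remote>10.211.168.0/22</remote></proxy-id>"

# ASA keyword -> PAN member name (assumption: only the values this page uses are mapped).
ASA_TO_PAN = {"3des": "3des", "aes": "aes128", "aes-256": "aes256", "sha": "sha1", "md5": "md5"}

def parse_asa_phase1(text):
    """One ISAKMP policy as PAN-style names; ASA lifetime is in seconds, PAN uses hours."""
    kv = dict(line.split(None, 1) for line in text.splitlines())
    return {"encryption": ASA_TO_PAN[kv["encryption"]], "hash": ASA_TO_PAN[kv["hash"]],
            "dh-group": "group" + kv["group"], "hours": int(kv["lifetime"]) // 3600}

def parse_pan_ike(xml_text):
    """Accepted member sets of a PAN IKE crypto profile <entry>."""
    e = ET.fromstring(xml_text)
    pan = {k: {m.text for m in e.find(k)} for k in ("encryption", "hash", "dh-group")}
    pan["hours"] = int(e.findtext("lifetime/hours"))
    return pan

def phase1_mismatches(asa, pan):
    """Fields of the ASA proposal the PAN profile would not accept (empty list = compatible)."""
    bad = [k for k in ("encryption", "hash", "dh-group") if asa[k] not in pan[k]]
    return bad + (["lifetime"] if asa["hours"] != pan["hours"] else [])

def proxy_id_mismatches(acl_line, proxy_xml):
    """ASA source must equal PAN remote and ASA destination PAN local; ACL 'ip' means PAN 'any'."""
    _, proto, src, smask, dst, dmask = acl_line.split()[3:]  # assumes network/netmask ACL form
    p, bad = ET.fromstring(proxy_xml), []
    if ipaddress.ip_network(f"{src}/{smask}") != ipaddress.ip_network(p.findtext("remote")):
        bad.append("remote")
    if ipaddress.ip_network(f"{dst}/{dmask}") != ipaddress.ip_network(p.findtext("local")):
        bad.append("local")
    # A proxy-id without a <protocol> element, or with <protocol><any/>, means any protocol.
    pan_any = p.find("protocol") is None or p.find("protocol/any") is not None
    if (proto == "ip") != pan_any:
        bad.append("protocol")
    return bad
```

Running both checks on the article's values returns empty lists; changing one side (for example the DH group or the proxy-ID mask) names the mismatched field.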


owner: panagent


