Cisco ASA to PaloAlto VPN conversion

Reply
Highlighted
L0 Member

Cisco ASA to PaloAlto VPN conversion

Has anyone developed step by step instructions for migrating site to site VPN's from a Cisco ASA to a PaloAlto 2050?

I have approximately 30 VPN's to convert and currently running in VWire mode so all the VPN's will need to be added prior to moving off VWire and eliminating the Cisco.

Any help would be appreciated as far as best practices.

Thanks in advance.

L5 Sessionator

Re: Cisco ASA to PaloAlto VPN conversion

Please contact your Sales Engineer or the Dev Centre team to assist you with the migration. In order for you to run the VPNs on the PANFW, you have to convert the vwire to layer 3 interface mode.

Best regards,

Karthik RP

L0 Member

Re: Cisco ASA to PaloAlto VPN conversion

I understand that the vpn's could not be active until we get off of VWire mode, but we are a hospital operating 24/7 with data continually being sent over these tunnels.

I need to have these tunnels generated on the PaloAlto in advance of moving off of VWire so that when I move the cables over to production these tunnels go live with a minimum of effort.

Thanks

Randy

L5 Sessionator

Re: Cisco ASA to PaloAlto VPN conversion

Good Morning Randy,

You can configure multiple tunnel sub interface for each of the VPNs, assign them to a zone ( like VPN zone ), and configure routes for the remote networks behind each peer, via these tunnel sub interfaces. If the ASA is configured with the  Virtual tunnel interfaces ( to use route based VPNs ), the migration should be pretty simple.

You then have to

a) Configure the untrust interface on the PANFW, through which the firewall will establish the tunnel, and transmit and receives the ESP packets. Configure a policy from untrust to untrust, permitting applications ike, ipsec ( and ciscovpn if the remote peers happen to be ASA devices )

b) Configure the trust interface/interfaces from where the internal hosts at the PANFW side are reachable on. Configure polices from Trust to VPN and also from VPN to Trust

BR,

Karthik

L5 Sessionator

Re: Cisco ASA to PaloAlto VPN conversion

You can refer to the below link, explaining the VPN configuration. You can also search our documentation on VPN configuration.

https://live.paloaltonetworks.com/docs/DOC-1163

Best regards,

Karthik

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!