S2S VPN between PA 3020 8.0 to Cisco ASA 9.x code.

L1 Bithead

First thing,

I know there are postings about this out on the web and community about this. The problem I'm having is everything out there is on old ASA code. 

I'm trying to understand the configuration on the PA. I have my tunnel interface configured, IKE Crypto, IPSec Crypto, IKE Gateway, and IPSec Tunnel. I can't get the Phase 1 to come up. I've verified the DH Groups, Authentication, and Encryption setting are the same on both sides. Can someone point me in a direction where they think my problem might be?

Thanks for any help given,

L5 Sessionator

Re: S2S VPN between PA 3020 8.0 to Cisco ASA 9.x code.

Checking (and posting) logs would be a good start.

L7 Applicator

Re: S2S VPN between PA 3020 8.0 to Cisco ASA 9.x code.

@brian.schroeder,

Did you verify that your proxy-ids are set up correctly? As @santonic stated, logs would be the thing that will tell you what's actually happening.

L1 Bithead

Re: S2S VPN between PA 3020 8.0 to Cisco ASA 9.x code.

I'll be pulling those soon.

L1 Bithead

Re: S2S VPN between PA 3020 8.0 to Cisco ASA 9.x code.

So that's one of the things I was needing to understand.

Am I creating a PID for every host that has access over the tunnel?

Or does a subnet range work for this?

On the ASA side I have an ACL just allowing a few hosts to access the tunnel.

L7 Applicator

Re: S2S VPN between PA 3020 8.0 to Cisco ASA 9.x code.

@brian.schroeder,

Cisco is policy-based while the Palo Alto is route-based. The Palo Alto is essentially defaulting to 0.0.0.0/0 source and 0.0.0.0/0 destination. If they don't match, things aren't going to form correctly. You can use a network range as long as that's what the ASA is sending; if they don't match you'll still have an issue.

Here's two good articles about proxy-ids HERE and HERE

L7 Applicator

Re: S2S VPN between PA 3020 8.0 to Cisco ASA 9.x code.

Initiate vpn traffic from ASA side and check logs on Palo.

Monitor > System

If you can't identify the issue yourself, then share logs here.

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE (3.0, 5.0, 6.0, 7.0), PCNSE (6, 7), PCNSI
L5 Sessionator

Re: S2S VPN between PA 3020 8.0 to Cisco ASA 9.x code.

ACL for crypto-map on Cisco and Proxy IDs on PA must match for VPN to work. While PA isn't too strict about exact matches, policy based FWs like ASA usually are.

But check logs first, you will find the answer there.
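As an added example (not from anyone in this thread), the following Python check parses ASA crypto-map ACL entries and reports, for each one, whether the PA side has an exactly mirrored proxy ID, only a wider proxy ID that covers it, or none at all. The ACL name, addresses and proxy IDs are constructed to reflect the host-granular ACL described above.

```python
import ipaddress
import re

# Constructed sample of an ASA crypto-map ACL with host-granular entries (as in the thread).
ASA_CRYPTO_ACL = """
access-list VPN-TO-PA extended permit ip host 10.1.1.10 192.168.50.0 255.255.255.0
access-list VPN-TO-PA extended permit ip host 10.1.1.11 192.168.50.0 255.255.255.0
access-list VPN-TO-PA extended permit ip 10.1.2.0 255.255.255.0 host 192.168.60.5
"""
# Constructed PA proxy IDs as (local, remote); from the PA side, "local" is the
# ACL's destination and "remote" is its source.
PA_PROXY_IDS = [
    ("192.168.50.0/24", "10.1.1.0/24"),  # one subnet where the ASA lists two hosts
    ("192.168.60.5/32", "10.1.2.0/24"),  # mirrors the third ACE exactly
]
# Source and destination of a permit ACE, each either 'host X' or 'network mask'.
ACE_RE = re.compile(r"^access-list\s+\S+\s+extended\s+permit\s+ip\s+(host\s+\S+|\S+\s+\S+)\s+(host\s+\S+|\S+\s+\S+)\s*$")

def to_network(token):
    """Turn 'host A.B.C.D' or 'A.B.C.D M.M.M.M' into an IPv4Network."""
    parts = token.split()
    if parts[0] == "host":
        return ipaddress.IPv4Network(parts[1] + "/32")
    return ipaddress.IPv4Network(parts[0] + "/" + parts[1])

def parse_asa_acl(text):
    """Return the (source, destination) network pair of every permit ACE."""
    pairs = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            pairs.append((to_network(m.group(1)), to_network(m.group(2))))
    return pairs

def check_proxy_ids(acl_text, proxy_ids):
    """Classify each ACE against the PA proxy IDs as exact, covered or missing."""
    ids = [(ipaddress.IPv4Network(l), ipaddress.IPv4Network(r)) for l, r in proxy_ids]
    result = []
    for src, dst in parse_asa_acl(acl_text):
        status = "missing"
        for local, remote in ids:
            if src == remote and dst == local:
                status = "exact"  # proxy ID mirrors the ACE one-to-one
                break
            if src.subnet_of(remote) and dst.subnet_of(local):
                status = "covered"  # inside a wider proxy ID, but not identical
        result.append((f"{src} -> {dst}", status))
    return result
```

Running `check_proxy_ids(ASA_CRYPTO_ACL, PA_PROXY_IDS)` flags the two host entries as only "covered" by the /24 proxy ID, which is the kind of mismatch to compare against the Phase 2 messages under Monitor > System.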
