I know there are postings about this out on the web and community about this. The problem I'm having is everything out there is on old ASA code.
I'm trying to understand the configuration on the PA. I have my tunnel interface configured, IKE Crypto, IPSec Crypto, IKE Gateway, and IPSec Tunnel. I can't get the Phase 1 to come up. I've verified the DH Groups, Authentication, and Encryption settings are the same on both sides. Can someone point me in a direction where they think my problem might be?
Thanks for any help given,
So that's one of the things I was needing to understand.
Am I creating a PID for every host that has access over the tunnel?
Or does a subnet range work for this?
On the ASA side I have an ACL just allowing a few hosts to access the tunnel.
Cisco is policy-based while the Palo Alto is route-based. The Palo Alto is essentially defaulting to 0.0.0.0/0 source and 0.0.0.0/0 destination. If they don't match things aren't going to form correctly. You can use a network range as long as that's what the ASA is sending; if they don't match you'll still have an issue.
Initiate vpn traffic from ASA side and check logs on Palo.
Monitor > System
If you can't identify issue yourself then share logs here.
ACL for crypto-map on Cisco and Proxy IDs on PA must match for VPN to work. While PA isn't too strict about exact matches, policy based FWs like ASA usually are.
But check logs first, you will find the answer there.
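The two replies above both come down to the same rule: every entry in the ASA crypto-map ACL needs a mirror-image Proxy ID on the PA, with local and remote swapped. The fragment below is an added illustration, not configuration posted by anyone in this thread. Addresses (ASA peer 203.0.113.1, PA peer 203.0.113.2, ASA-side hosts 192.0.2.10 and 192.0.2.20, PA-side subnet 10.1.1.0/24), the ACL, crypto map, tunnel and gateway names are all made up for the example; substitute your own. One caveat: Proxy IDs are negotiated in Phase 2, so if Phase 1 itself never completes the cause is elsewhere (peer address, IKE version, pre-shared key, or the IKE Crypto profile), and the `ikemgr.log` check at the end is where that shows up.

```text
! ---- ASA side (policy-based): one ACE per host allowed over the tunnel ----
access-list VPN-TO-PA extended permit ip host 192.0.2.10 10.1.1.0 255.255.255.0
access-list VPN-TO-PA extended permit ip host 192.0.2.20 10.1.1.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address VPN-TO-PA
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP interface outside

# ---- PA side (route-based): one Proxy ID per ASA ACE, local/remote swapped ----
# With no Proxy ID configured the PA offers 0.0.0.0/0 <-> 0.0.0.0/0, which the
# ASA will reject because it does not match any ACE above.
# (Example syntax; verify against your PAN-OS release.)
set network tunnel ipsec TUN-TO-ASA auto-key proxy-id PID-HOST10 local 10.1.1.0/24 remote 192.0.2.10/32 protocol any
set network tunnel ipsec TUN-TO-ASA auto-key proxy-id PID-HOST20 local 10.1.1.0/24 remote 192.0.2.20/32 protocol any

# Route-based: traffic for the ASA side must be routed into the tunnel interface.
set network virtual-router default routing-table ip static-route TO-ASA-HOSTS destination 192.0.2.0/24 interface tunnel.1

# ---- Checks on the PA CLI after committing ----
test vpn ike-sa gateway GW-TO-ASA          # force a Phase 1 attempt
show vpn ike-sa gateway GW-TO-ASA          # Phase 1 state
test vpn ipsec-sa tunnel TUN-TO-ASA        # force Phase 2 (one SA per Proxy ID)
show vpn ipsec-sa tunnel TUN-TO-ASA        # one entry per matched Proxy ID
less mp-log ikemgr.log                     # same detail as Monitor > System, with the peer's error
```

If you would rather use a single subnet Proxy ID on the PA, the ASA ACL has to be changed to the matching subnet pair; a /24 on one side against a /32 on the other is exactly the mismatch the replies describe.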