Site to Site VPN IPsec b/w Palo Alto and Cisco with only public IP as Mgmt interface on Azure

L1 Bithead

Site to Site VPN IPsec b/w Palo Alto and Cisco with only public IP as Mgmt interface on Azure

Hi Experts,

    Trying to  setup Palo Alto VM series in Microsoft Azure ( 3 interface Mgmt ,Trust and Untrust) and  only public ip is assigned to Management interface .
 
In order to create the Site to Site VPN ipsec b/w Cisco ASAv and Pao Alto Fw the only interface available is Mgmt which has public ip but the Palo Alto Gui is not allowing me to use Mgmt interface as local IP or source interface .
 
And if i try to assign public ip to any other interface of Palo Alto then Azure is giving an error mentioned below.
 
 
Inline image 1
 
 
 
Just want to understand how we can create site to site ipsec vpn on Palo Alto with single public ip on Mgmt interface , as the same setup is working perfect on ASAv and we can use Mgmt interface as source in ASAv.
 
I can share the setup if someone wants to take a look.
 
 
 
 

wanclouds@panvwanclouds> show config running 

 

config {

  mgt-config {

    users {

      admin {

        phash *;

        permissions {

          role-based {

            superuser yes;

          }

        }

      }

      wanclouds {

        phash $1$buaddxeg$F9xAm862FkTC869HKCU1e1;

        permissions {

          role-based {

            superuser yes;

          }

        }

      }

    }

  }

  shared {

    application;

    application-group;

    service;

    service-group;

    botnet {

      configuration {

        http {

          dynamic-dns {

            enabled yes;

            threshold 5;

          }

          malware-sites {

            enabled yes;

            threshold 5;

          }

          recent-domains {

            enabled yes;

            threshold 5;

          }

          ip-domains {

            enabled yes;

            threshold 10;

          }

          executables-from-unknown-sites {

            enabled yes;

            threshold 5;

          }

        }

        other-applications {

          irc yes;

        }

        unknown-applications {

          unknown-tcp {

            destinations-per-hour 10;

            sessions-per-hour 10;

            session-length {

              maximum-bytes 100;

              minimum-bytes 50;

            }

          }

          unknown-udp {

            destinations-per-hour 10;

            sessions-per-hour 10;

            session-length {

              maximum-bytes 100;

              minimum-bytes 50;

            }

          }

        }

      }

      report {

        topn 100;

        scheduled yes;

      }

    }

  }

  devices {

    localhost.localdomain {

      network {

        interface {

          ethernet {

            ethernet1/1 {

              layer3 {

                ipv6 {

                  neighbor-discovery {

                    router-advertisement {

                      enable no;

                    }

                  }

                }

                ndp-proxy {

                  enabled no;

                }

                ip {

                  10.0.1.4/24;

                }

                lldp {

                  enable no;

                }

              }

            }

            ethernet1/2 {

              layer3 {

                ipv6 {

                  neighbor-discovery {

                    router-advertisement {

                      enable no;

                    }

                  }

                }

                ndp-proxy {

                  enabled no;

                }

                lldp {

                  enable no;

                }

                ip {

                  10.0.2.4/24;

                }

              }

            }

          }

          tunnel {

            units {

              tunnel.1 {

                comment ipsec-s-s;

              }

            }

          }

        }

        profiles {

          monitor-profile {

            default {

              interval 3;

              threshold 5;

              action wait-recover;

            }

          }

        }

        ike {

          crypto-profiles {

            ike-crypto-profiles {

              default {

                encryption [ 3des aes-128-cbc];

                hash sha1;

                dh-group group2;

                lifetime {

                  hours 8;

                }

              }

              Suite-B-GCM-128 {

                encryption aes-128-cbc;

                hash sha256;

                dh-group group19;

                lifetime {

                  hours 8;

                }

              }

              Suite-B-GCM-256 {

                encryption aes-256-cbc;

                hash sha384;

                dh-group group20;

                lifetime {

                  hours 8;

                }

              }

            }

            ipsec-crypto-profiles {

              default {

                esp {

                  encryption [ 3des aes-128-cbc];

                  authentication sha1;

                }

                dh-group group2;

                lifetime {

                  hours 1;

                }

              }

              Suite-B-GCM-128 {

                esp {

                  encryption aes-128-gcm;

                  authentication none;

                }

                dh-group group19;

                lifetime {

                  hours 1;

                }

              }

              Suite-B-GCM-256 {

                esp {

                  encryption aes-256-gcm;

                  authentication none;

                }

                dh-group group20;

                lifetime {

                  hours 1;

                }

              }

            }

            global-protect-app-crypto-profiles {

              default {

                encryption aes-128-cbc;

                authentication sha1;

              }

            }

          }

          gateway {

            ike-peer-csr {

              authentication {

                pre-shared-key {

                  key -AQ==KUGt+eZobgDsoMJzqj4Pf48NH0w=SFAlEHCj9+AttIUAYLgRUA==;

                }

              }

              protocol {

                ikev1 {

                  dpd {

                    enable yes;

                  }

                }

                ikev2 {

                  dpd {

                    enable yes;

                  }

                }

              }

              protocol-common {

                nat-traversal {

                  enable yes;

                }

                fragmentation {

                  enable no;

                }

              }

              local-address {

                interface ethernet1/1;

                ip 10.0.1.4/24;

              }

              peer-address {

                ip 52.34.x.x;

              }

              local-id {

                id 10.0.0.4;

                type ipaddr;

              }

              peer-id {

                id 172.31.16.49;

                type ipaddr;

              }

            }

          }

        }

        qos {

          profile {

            default {

              class {

                class1 {

                  priority real-time;

                }

                class2 {

                  priority high;

                }

                class3 {

                  priority high;

                }

                class4 {

                  priority medium;

                }

                class5 {

                  priority medium;

                }

                class6 {

                  priority low;

                }

                class7 {

                  priority low;

                }

                class8 {

                  priority low;

                }

              }

            }

          }

        }

        virtual-router {

          default {

            protocol {

              bgp {

                enable no;

                dampening-profile {

                  default {

                    cutoff 1.25;

                    reuse 0.5;

                    max-hold-time 900;

                    decay-half-life-reachable 300;

                    decay-half-life-unreachable 900;

                    enable yes;

                  }

                }

                routing-options {

                  graceful-restart {

                    enable yes;

                  }

                }

              }

            }

            ecmp {

              algorithm {

                ip-modulo;

              }

            }

            interface [ ethernet1/1 ethernet1/2 tunnel.1];

            routing-table {

              ip {

                static-route {

                  CSR-AWS-SYED {

                    path-monitor {

                      enable no;

                      failure-condition any;

                      hold-time 2;

                    }

                    bfd {

                      profile None;

                    }

                    interface tunnel.1;

                    metric 10;

                    destination 192.168.2.0/24;

                    route-table {

                      unicast;

                    }

                  }

                }

              }

            }

          }

        }

        tunnel {

          ipsec {

            ipsec-tunnel-1 {

              auto-key {

                ike-gateway {

                  ike-peer-csr;

                }

                proxy-id {

                  local-remote-subnet {

                    protocol {

                      any;

                    }

                    local 10.0.2.0/24;

                    remote 192.168.2.0/24;

                  }

                }

              }

              tunnel-monitor {

                enable no;

              }

              tunnel-interface tunnel.1;

            }

          }

        }

      }

      deviceconfig {

        system {

          type {

            dhcp-client {

              send-hostname yes;

              send-client-id no;

              accept-dhcp-hostname no;

              accept-dhcp-domain no;

            }

          }

          update-server updates.paloaltonetworks.com;

          update-schedule {

            threats {

              recurring {

                weekly {

                  day-of-week wednesday;

                  at 01:02;

                  action download-only;

                }

              }

            }

          }

          timezone US/Pacific;

          service {

            disable-telnet yes;

            disable-http yes;

          }

          ip-address 10.0.0.4;

          hostname panvwanclouds;

          netmask 255.255.255.0;

          default-gateway 10.0.0.1;

          dns-setting {

            servers {

              primary 168.63.129.16;

            }

          }

        }

        setting {

          config {

            rematch yes;

          }

          management {

            hostname-type-in-syslog FQDN;

            initcfg {

              type {

                dhcp-client {

                  send-hostname yes;

                  send-client-id no;

                  accept-dhcp-hostname no;

                  accept-dhcp-domain no;

                }

              }

              ip-address 10.0.0.4;

              netmask 255.255.255.0;

              default-gateway 10.0.0.1;

              dns-primary 168.63.129.16;

              username wanclouds;

              hostname panvwanclouds;

            }

          }

        }

      }

      vsys {

        vsys1 {

          application;

          application-group;

          zone {

            untrust {

              network {

                layer3 [ ethernet1/2 tunnel.1 ethernet1/1];

              }

            }

            trust {

              network {

                layer3;

              }

            }

          }

          service;

          service-group;

          schedule;

          rulebase {

            nat {

              rules;

            }

            security {

              rules {

                ANY {

                  to any;

                  from any;

                  source any;

                  destination any;

                  source-user any;

                  category any;

                  application any;

                  service application-default;

                  hip-profiles any;

                  action allow;

                }

              }

            }

          }

          import {

            network {

              interface [ ethernet1/1 ethernet1/2 tunnel.1];

            }

          }

        }

      }

    }

  }

}

 

wanclouds@panvwanclouds> 

L6 Presenter

Re: Site to Site VPN IPsec b/w Palo Alto and Cisco with only public IP as Mgmt interface on Azure

Hello @faizullah,

 

Your image is not uploaded properly. Please, can you repost it again? l am sure we can figure it out

 

Thx,

Myky

L1 Bithead

Re: Site to Site VPN IPsec b/w Palo Alto and Cisco with only public IP as Mgmt interface on Azure

Screen Shot 2017-02-25 at 1.05.13 AM.pngerrorScreen Shot 2017-02-25 at 1.05.13 AM.pngError while selecting 2nd public ip.

L1 Bithead

Re: Site to Site VPN IPsec b/w Palo Alto and Cisco with only public IP as Mgmt interface on Azure

Screen Shot 2017-02-25 at 1.05.13 AM.pngerrorScreen Shot 2017-02-25 at 1.05.13 AM.pngError while selecting 2nd public ip.

Tags (1)
L1 Bithead

Re: Site to Site VPN IPsec b/w Palo Alto and Cisco with only public IP as Mgmt interface on Azure

Thanks MyKy for looking into it please let me know if u need anything else , the only use case i want to understand here how we can configure Site-to-Site IPsec VPN b/w Palo Alto Device hosted in Azure cloud with only public IP on Mgmt Interface with ASAv hosted on Azure or AWS as ASAv honors use of MGMT interface as local address or source interface in S-S ipsec vpn.

 
Regards
Syed.
L6 Presenter

Re: Site to Site VPN IPsec b/w Palo Alto and Cisco with only public IP as Mgmt interface on Azure

Hello @faizullah,

 

As far as l am aware MGMT interface it is purely for the device management out-of-band traffic (getting updates, manage the device etc). To have an S2S VPN you still have to configure policy ( Palo is a zone-based firewall where Cisco ASA is an interface based). Since you cannot add your MGMT interface to the policy think it is not possible in your scenario. However, you still can manage firewall using any other interface with MGMT profiles applied allowing (HTTPS or/ and SSH).

 

Thx,

Myky

L1 Bithead

Re: Site to Site VPN IPsec b/w Palo Alto and Cisco with only public IP as Mgmt interface on Azure

If Mgmt interface is only control plane traffic how we can use Palo Alto FW deployed in AWS cloud with single public IP for S-S ipsec VPN tunnel .

 

I have checked this thread and used Elastic Public to asssociate with eth1 but still not working and is getting stuck in Maintaence mode .

 

 

https://live.paloaltonetworks.com/t5/AWS-Azure-Discussions/Azure-VM-Series-and-mgmt-interface-swap/m...

 

 

Will really appreciate if someone can tell me if S-S IPsec vpn possible for PaloALto deployed in AWS with Single IP or not .

L2 Linker

Re: Site to Site VPN IPsec b/w Palo Alto and Cisco with only public IP as Mgmt interface on Azure

You are going to have to set an unstrust interface to be public facing and terminate the IPsec tunnel there, and then apply a management profile to it. Using the only public IP for your management interface will not work for setting up a tunnel. 

****************************************************
ACE 7.0, PCNSE7
Palo Alto Networks Guru

Re: Site to Site VPN IPsec b/w Palo Alto and Cisco with only public IP as Mgmt interface on Azure

Hello,

 

Azure announced last month support for multiple public IPs per instance: https://azure.microsoft.com/en-us/updates/ga-multiple-ips-per-nic/

 

You can now assign a public IP to the VM-Series management interface and a separate public IP address to the dataplane and use that second IP to build your IPsec tunnel.

 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!