ASA 5510 VPN

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

ASA 5510 VPN

L4 Transporter

I want to replace a IKE1 VPN serviced by a ASA 5510 with a  IKE2 VPN serviced by the palo alto what i the best approach?

16 REPLIES 16

L6 Presenter

Do you know other side FW vendor? Thi swill helps you to get a better picture as well as get ready for the caveats (if any). From the Palo Alto side, everything is the same as with any other VPN apart from the IKEv2 option in the IKE Gateway settings. Below nice article explaining about Proxy ID with IKEv2:

 

https://live.paloaltonetworks.com/t5/Featured-Articles/Tips-amp-Tricks-Why-Use-a-VPN-Proxy-ID/ta-p/6...

@TranceforLife

I will check out your link and are you asking what vendor the ASA 5510 is?

@jdprovine sorry misunderstood your question. So you want to run VPN IKEv2 between the ASA and PA?  

@TranceforLife

I am trying to replace the VPN configured on a ASA 5510 with one on the palo alto to access a segragated part of our network

So one side is Palo and another side is ...?? Tell me please VPN peers with are involved in this set-up

@jdprovine,

Let me take a crack at this. You have an ASA 5510 that currently serves as a VPN gateway for accessing a certain aspect of your network, you want to use the PA to take it's place (instead of a seperate platform). Is this one of those that you are using the native client on an endpoint device such as a mobile phone or built-in VPN client on the native operating system? 

It that right or does this actually terminate with another network device of some sort, as a site-to-site tunnel? 

 

@TranceforLife

I don't think we are talking about a site-to-site at this point. 

@BPry

Correct 

As you know the ASA 5510 is end of life and the PA would be better over all, so I would like to get rid of the ASA and use my PA instead. 

 

@jdprovine,

Okay that's what I though. Since the release of 7.0 PA has had this ability; you'll just need to configure an IKE gateway and actually configure this similarly to what was on the 5510. I'm not sure how exactly this will work with the PA, I've only ever setup IPSec site-to-site tunnels so I'm not exactly sure how it handles multiple client devices connecting to the same gateway. I might engage your SE just to verify that it'll work how you intend. 

 

 

 

https://www.paloaltonetworks.com/documentation/70/pan-os/newfeaturesguide/vpn-features/ikev2-support...

@BPry

 

yeah I have had site to site tunnels set up between two PA before but not into the internal/segregated section of a network. I am currently reviewing the configuration on the ASA 5510 to get an idea of how it is set up now. Good link I will see if I can contact my SE (last time I tried he had quit and they didn't let me know) and see if he has anything to add

@jdprovine,

When I started at my current organization they had installed PA years before and had never contacted the SE outside of deployment. It took a while for them to realize that the SE could do more then just try and sell you product 😉

@BPry

My first SE was very good but everyone after has told me to contact TAC and been little if any help to me

@jdprovine,

Suprising enough I haven't had that issue with PA. Now with Cisco on the other hand my current SE is terrible at answering anything, even simple questions. 

@BPry Thank you for step in and clear things out. l have a luck of the ASA knowledge as well as having one of those days 😄

Instead of creating a new thread I thought I would revive this one and see if PA has made any headway on allowing the used of ike2 and l2tp with global protect

  • 4498 Views
  • 16 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!