ASA 5510 VPN

L4 Transporter

ASA 5510 VPN

I want to replace an IKE1 VPN serviced by an ASA 5510 with an IKE2 VPN serviced by the Palo Alto. What is the best approach?

L6 Presenter

Re: ASA 5510 VPN

Do you know the other side's FW vendor? This will help you to get a better picture as well as get ready for the caveats (if any). From the Palo Alto side, everything is the same as with any other VPN apart from the IKEv2 option in the IKE Gateway settings. Below is a nice article explaining Proxy ID with IKEv2:

https://live.paloaltonetworks.com/t5/Featured-Articles/Tips-amp-Tricks-Why-Use-a-VPN-Proxy-ID/ta-p/6...

L4 Transporter

Re: ASA 5510 VPN

@TranceforLife

I will check out your link and are you asking what vendor the ASA 5510 is?

L6 Presenter

Re: ASA 5510 VPN

@jdprovine sorry, I misunderstood your question. So you want to run VPN IKEv2 between the ASA and PA?

L4 Transporter

Re: ASA 5510 VPN

@TranceforLife

I am trying to replace the VPN configured on an ASA 5510 with one on the Palo Alto to access a segregated part of our network.

L6 Presenter

Re: ASA 5510 VPN

So one side is Palo and the other side is ...?? Please tell me which VPN peers are involved in this set-up.

Cyber Elite

Re: ASA 5510 VPN

@jdprovine,

Let me take a crack at this. You have an ASA 5510 that currently serves as a VPN gateway for accessing a certain aspect of your network, and you want to use the PA to take its place (instead of a separate platform). Is this one of those where you are using the native client on an endpoint device such as a mobile phone, or the built-in VPN client on the native operating system?

Is that right, or does this actually terminate with another network device of some sort, as a site-to-site tunnel?

@TranceforLife

I don't think we are talking about a site-to-site at this point. 

L4 Transporter

Re: ASA 5510 VPN

@BPry

Correct 

As you know, the ASA 5510 is end of life and the PA would be better overall, so I would like to get rid of the ASA and use my PA instead.

Cyber Elite

Re: ASA 5510 VPN

@jdprovine,

Okay, that's what I thought. Since the release of 7.0 PA has had this ability; you'll just need to configure an IKE gateway and actually configure this similarly to what was on the 5510. I'm not sure how exactly this will work with the PA; I've only ever set up IPSec site-to-site tunnels, so I'm not exactly sure how it handles multiple client devices connecting to the same gateway. I might engage your SE just to verify that it'll work how you intend.

https://www.paloaltonetworks.com/documentation/70/pan-os/newfeaturesguide/vpn-features/ikev2-support...

L4 Transporter

Re: ASA 5510 VPN

@BPry

Yeah, I have had site-to-site tunnels set up between two PAs before, but not into the internal/segregated section of a network. I am currently reviewing the configuration on the ASA 5510 to get an idea of how it is set up now. Good link. I will see if I can contact my SE (last time I tried he had quit and they didn't let me know) and see if he has anything to add.
