Has anyone developed step-by-step instructions for migrating site-to-site VPNs from a Cisco ASA to a Palo Alto 2050?
I have approximately 30 VPNs to convert and am currently running in VWire mode, so all the VPNs will need to be added prior to moving off VWire and eliminating the Cisco.
Any help would be appreciated as far as best practices.
Thanks in advance.
I understand that the VPNs could not be active until we get off of VWire mode, but we are a hospital operating 24/7 with data continually being sent over these tunnels.
I need to have these tunnels generated on the Palo Alto in advance of moving off of VWire so that when I move the cables over to production these tunnels go live with a minimum of effort.
Good Morning Randy,
You can configure multiple tunnel subinterfaces, one for each of the VPNs, assign them to a zone (like a VPN zone), and configure routes for the remote networks behind each peer via these tunnel subinterfaces. If the ASA is configured with virtual tunnel interfaces (to use route-based VPNs), the migration should be pretty simple.
You then have to:
a) Configure the untrust interface on the PANFW, through which the firewall will establish the tunnel and transmit and receive the ESP packets. Configure a policy from untrust to untrust, permitting applications ike, ipsec (and ciscovpn if the remote peers happen to be ASA devices).
b) Configure the trust interface/interfaces through which the internal hosts on the PANFW side are reachable. Configure policies from Trust to VPN and also from VPN to Trust.
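With around 30 peers to stage, the per-peer part of the reply above (tunnel subinterface, VPN zone membership, static routes for the remote networks) can be generated from an inventory. This is an added example, not part of the thread: the peer names, tunnel unit numbers, networks, the zone name `VPN` and the virtual router `default` are assumptions, and the generated set-format lines should be checked against the PAN-OS version in use before they are loaded.

```python
import ipaddress

# Constructed inventory; replace with the peers taken from the ASA configuration.
PEERS = [
    {"name": "clinic-a", "unit": 1, "remote_nets": ["10.10.1.0/24", "10.10.2.0/24"]},
    {"name": "lab-b", "unit": 2, "remote_nets": ["10.20.0.0/16"]},
]

def validate(peers):
    """Reject duplicate tunnel units and overlapping remote networks."""
    seen_units, seen_nets = set(), []
    for p in peers:
        if p["unit"] in seen_units:
            raise ValueError(f"duplicate tunnel unit {p['unit']}")
        seen_units.add(p["unit"])
        for cidr in p["remote_nets"]:
            net = ipaddress.ip_network(cidr)  # raises ValueError if host bits are set
            for other, owner in seen_nets:
                if net.overlaps(other):
                    raise ValueError(f"{net} ({p['name']}) overlaps {other} ({owner})")
            seen_nets.append((net, p["name"]))

def build_commands(peers, zone="VPN", vr="default"):
    """Return set-format lines: tunnel unit, virtual router and zone membership, routes."""
    validate(peers)
    cmds = []
    for p in peers:
        tun = f"tunnel.{p['unit']}"
        cmds.append(f"set network interface tunnel units {tun} comment {p['name']}")
        cmds.append(f"set network virtual-router {vr} interface {tun}")
        cmds.append(f"set zone {zone} network layer3 {tun}")
        for i, cidr in enumerate(p["remote_nets"], 1):
            cmds.append(
                f"set network virtual-router {vr} routing-table ip static-route "
                f"{p['name']}-{i} destination {cidr} interface {tun}"
            )
    return cmds

if __name__ == "__main__":
    print("\n".join(build_commands(PEERS)))
```

The overlap check matters during a bulk migration: two peers claiming the same remote prefix would produce conflicting static routes, which is easier to catch in the inventory than after cutover.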