01-25-2012 10:40 PM
Hi,
I see there is now support for the Cisco Systems VPN Adapter; however, I am trying to figure out what exactly is supported. Am I now able to connect to the firewall via Cisco IPSec VPN from the Cisco VPN Client software, or is this support for something else?
I ask as we have engineers that connect to many sites and GlobalProtect is not geared this way.
Thanks,
01-26-2012 07:30 PM
Thanks for the info.
Any chance I can get some info on how this is done? Do you just create a portal with these settings, or do you have to do the full GlobalProtect config?
01-27-2012 05:37 AM
@bcsgroup:
Although not officially supported, the Cisco VPN Client does work. It does not append the mask/gateway to your client, but you should still have no issues connecting to devices within your local network.
You must configure the Portal/Gateway under Network > GlobalProtect and use a tunnel interface placed inside the appropriate security zone. Remember to create/use your certificates appropriately and have them configured for use on the Gateway (certificate) and Portal (CA and certificate).
Under Portal:
Create a profile using your local interface (external) and local IP that you wish to use for VPN connectivity. Choose the standard certificate that is signed by the CA used in your Client Configuration, and choose your authentication methods. Under Client Configuration, set up a profile using your external IP/mask for connectivity with Priority 1 and choose your Root CA.
Under Gateway:
Ensure that you have tunnel mode chosen and have checked Enable IPSec, check Enable X-Auth Support (verify group name and group password), and check Skip Auth on IKE Rekey.
Choose your external Tunnel Gateway Interface and Address used for the VPN/Portal, and under Client Configuration make sure you have your DNS, VPN IP-Pool, and Access Route configured.
Under Policies > Security:
Ensure that you have a rule above any blocking statements that allows the ipsec, ike, ssl, web-browsing, and ciscovpn applications to your VPN Gateway IP.
Using Cisco VPN Client:
Set up the connection profile with the Gateway IP, group name, and group password. Connect and enter your credentials.
If you have any issues, enter the log responses here.
04-19-2012 04:41 AM
Hi,
I also configured PA to work with the Cisco VPN Client and it works OK. The only problem is that the connection expires after one hour and the client must reconnect. I cannot find the setting to change this expiration time. Do you have any idea how to change this lifetime?
04-23-2012 03:25 AM
Hi,
I have managed to configure the Cisco VPN client to work alongside our PA firewalls.
Much better client than Global Protect as it behaves like it should and works with corporate proxy settings as expected!
Thanks for the info.
04-23-2012 07:09 AM
lancom,
Which PAN-OS version? This bug was fixed in 4.0.8.
33542 – SSL VPN user to IP mappings are being lost after about an hour in an HA configuration when the mappings do not contain information. Issue due to idle timeout and maximum ttl not matching the expiration ttl of the SSL VPN connections.