05-26-2021 11:01 AM
Hi. Wanted to ask for opinions, suggestions, and experience on this. We have a Cisco ASA VPN Device from our vendor and we'll need to connect this to our PA-3220 FW. So basically, Internet --> PA3220 ---> ASA VPN --> LAN. This ASA will be inside our network and NOT remote. I would like to know if there is a way to connect this and make it work without creating an IPSec tunnel? Any suggestion will be greatly appreciated. Thank you!
Gio
05-26-2021 12:47 PM
Hi @Gio_Rivera
What about a simple layer 3 setup (as you are asking for something without vpn)? You create a either a vlan between the two firewalls or then route the network behind the ASA through your existing internal network towards the 3220 where you have the internetconnection.
05-26-2021 02:05 PM
Hi vsys_remo
Thank you for your suggestion. It's very interesting coz while awaiting for replies, I'm doodling different config/placement scenarios on paper and one of them is what you have suggested. Now that I know I'm not going crazy and someone has the same theory, I will definitely test your suggestion later this evening. Thank you very much for your suggestion.
05-26-2021 06:31 PM
We actually have an office setup like this because they were using the ASA for VPN for a bit. Essentially how it was configured was how @Remo already mentioned; the ASA was a standalone layer3 connection that didn't perform NAT on the AnyConnect addresses and just routed them to the layer3 interface with an 'AnyConnect' zone on the firewall. Then the firewall simply has static routes telling it to route traffic for the AnyConnect IP pools back to the ASA.
This configuration essentially allowed us to "ignore" the ASA and treat it as a termination point. All security policies were handled by the PAN firewall and the ASA was essentially just a dumb VPN concentrator for AnyConnect purposes.
05-28-2021 08:22 AM
@BPry Thank you for sharing your experience on this. And appreciated both @Remo of your insights. I have made the changes in the firewall and connected one of the two VPN devices for testing. Yes sir I have two of these third-party VPN devices that I need to connect to 3220; both came pre-configured so I can't even see its configuration. I asked the vendors to recheck their configs but I have not heard any feedback yet. Again thank you for both and I will update when successful. Many Thanks!
07-16-2021 07:17 AM
Revisiting....
Followed your suggestions (truly appreciated you guys for that) seems to work, but our vendor has had issues with configurations so we ended up connecting the ASA's WAN interface directly to a secondary ISP (slower and limited bandwidth) that we use for backup. Long story short, ISP --> wan-ASA-lan-->PA3220.
All things considered, I appreciated the suggestions because I gained additional knowledge from you guys. Many thanks!
07-16-2021 08:02 AM
If I may ask for additional help, suggestions and guidance on a different situation but still related to a 3rd party device, particularly a CheckPoint VPN Router. Using layer 3 setup suggested by @Remo and @BPry the goal is to make this CheckPoint to go out to the internet.
Backstory: we used to have an edge switch that sits between ISP and PA3220. CheckPoint router was directly connected to that edge switch, and ISP is doing all routing and NATing so that traffic hits directly the CheckPoint's WAN interface with IP 10.162.1.12, which was also the public IP address for this device. Our ISP upgraded their routers late last year and the only way (after many nights across a few months of testing) to connect us back to the internet was to remove the edge switch, thereby connecting the PA3220 directly to ISP, and so we did.
Issue now is: Using VLAN to guide the traffic behind CP to 3220 works, but it won't go out to the internet. The Security Policy Rule I created to allow this traffic reports no Hit Count. I've tested this several ways with variations in NATing, Security Policies, and Static Routes but none seems to work, including changing the CP's WAN interface IP (as suggested by Palo Alto Tech Support) but still nothing works. I'm running out options, ideas and hair, and would greatly appreciate any suggestions on how the Static Routes, Sec Policies, or NAT (or no NAT) should look like given the topology below. Many thanks in advance.
07-16-2021 12:38 PM
Hi @Gio_Rivera
To be honest it is difficult for me to understand the actual issue here. So I start with some questions:
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
