Connecting 3rd-Party VPN Device to PA-3220


L1 Bithead

Hi. Wanted to ask for opinions, suggestions, and experience on this. We have a Cisco ASA VPN Device from our vendor and we'll need to connect this to our PA-3220 FW. So basically, Internet --> PA3220 ---> ASA VPN --> LAN. This ASA will be inside our network and NOT remote. I would like to know if there is a way to connect this and make it work without creating an IPSec tunnel? Any suggestion will be greatly appreciated. Thank you!




L7 Applicator

Hi @Gio_Rivera 

What about a simple layer 3 setup (as you are asking for something without VPN)? You create either a VLAN between the two firewalls or then route the network behind the ASA through your existing internal network towards the 3220 where you have the internet connection.

Hi vsys_remo

Thank you for your suggestion. It's very interesting coz while awaiting for replies, I'm doodling different config/placement scenarios on paper and one of them is what you have suggested. Now that I know I'm not going crazy and someone has the same theory, I will definitely test your suggestion later this evening. Thank you very much for your suggestion.

Cyber Elite


We actually have an office setup like this because they were using the ASA for VPN for a bit. Essentially how it was configured was how @Remo already mentioned; the ASA was a standalone layer3 connection that didn't perform NAT on the AnyConnect addresses and just routed them to the layer3 interface with an 'AnyConnect' zone on the firewall. Then the firewall simply has static routes telling it to route traffic for the AnyConnect IP pools back to the ASA. 

This configuration essentially allowed us to "ignore" the ASA and treat it as a termination point. All security policies were handled by the PAN firewall and the ASA was essentially just a dumb VPN concentrator for AnyConnect purposes. 
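
The routed layout described in the reply above, sketched as PAN-OS configure-mode `set` commands. This is an added example, not configuration posted by anyone in the thread: the interface `ethernet1/5`, all addresses, the pool `10.99.0.0/24`, the `trust` zone, and the route and rule names are assumptions, as is a single-vsys firewall using the `default` virtual router. The `#` lines are annotations, not CLI input.

```text
# Assumed addressing (constructed for this example):
#   transit link PA <-> ASA inside : 10.10.50.0/30  (PA .1, ASA .2)
#   AnyConnect client pool on ASA  : 10.99.0.0/24   (routed, NOT NATed by the ASA)

# 1. Layer 3 interface facing the ASA, in its own zone so every
#    VPN-client flow crosses a zone boundary and hits security policy.
set network interface ethernet ethernet1/5 layer3 ip 10.10.50.1/30
set zone AnyConnect network layer3 ethernet1/5
set network virtual-router default interface ethernet1/5

# 2. Return route: without it, replies to the VPN pool follow the
#    default route instead of going back to the ASA.
set network virtual-router default routing-table ip static-route anyconnect-pool destination 10.99.0.0/24
set network virtual-router default routing-table ip static-route anyconnect-pool interface ethernet1/5
set network virtual-router default routing-table ip static-route anyconnect-pool nexthop ip-address 10.10.50.2

# 3. Policy is enforced on the PAN firewall, not on the ASA.
#    Scope the source to the pool so nothing else arriving on the
#    transit link inherits VPN-client access.
set rulebase security rules anyconnect-to-lan from AnyConnect
set rulebase security rules anyconnect-to-lan to trust
set rulebase security rules anyconnect-to-lan source 10.99.0.0/24
set rulebase security rules anyconnect-to-lan destination any
set rulebase security rules anyconnect-to-lan application any
set rulebase security rules anyconnect-to-lan service application-default
set rulebase security rules anyconnect-to-lan action allow
set rulebase security rules anyconnect-to-lan log-end yes
```

Because the ASA does not NAT the pool, the firewall logs show individual client addresses, which keeps per-client rules and log attribution possible.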

L1 Bithead


@BPry Thank you for sharing your experience on this. And I appreciated both of your insights, @Remo. I have made the changes in the firewall and connected one of the two VPN devices for testing. Yes sir, I have two of these third-party VPN devices that I need to connect to the 3220; both came pre-configured so I can't even see their configuration. I asked the vendors to recheck their configs but I have not heard any feedback yet. Again, thank you both and I will update when successful. Many thanks!

L1 Bithead


Followed your suggestions (truly appreciated you guys for that) seems to work, but our vendor has had issues with configurations so we ended up connecting the ASA's WAN interface directly to a secondary ISP (slower and limited bandwidth) that we use for backup. Long story short, ISP --> wan-ASA-lan-->PA3220.


All things considered, I appreciated the suggestions because I gained additional knowledge from you guys. Many thanks!

L1 Bithead

If I may ask for additional help, suggestions and guidance on a different situation but still related to a 3rd party device, particularly a CheckPoint VPN Router. Using layer 3 setup suggested by @Remo and @BPry the goal is to make this CheckPoint to go out to the internet.

Backstory: we used to have an edge switch that sits between ISP and PA3220. CheckPoint router was directly connected to that edge switch, and ISP is doing all routing and NATing so that traffic hits directly the CheckPoint's WAN interface with IP, which was also the public IP address for this device. Our ISP upgraded their routers late last year and the only way (after many nights across a few months of testing) to connect us back to the internet was to remove the edge switch, thereby connecting the PA3220 directly to ISP, and so we did.

Issue now is: Using VLAN to guide the traffic behind CP to 3220 works, but it won't go out to the internet. The Security Policy Rule I created to allow this traffic reports no Hit Count. I've tested this several ways with variations in NATing, Security Policies, and Static Routes but none seems to work, including changing the CP's WAN interface IP (as suggested by Palo Alto Tech Support) but still nothing works. I'm running out of options, ideas and hair, and would greatly appreciate any suggestions on how the Static Routes, Sec Policies, or NAT (or no NAT) should look given the topology below. Many thanks in advance.


Hi @Gio_Rivera 

To be honest it is difficult for me to understand the actual issue here. So I start with some questions:

  • What is the 1/17 used for on the PA-3220?
  • Why do you connect the PA to SW1 instead of only the core?
  • Is your core a layer 3 or layer 2 device?
  • On the checkpoint do you see the mac address of the PA-3220 in the arp table on the WAN interface?
  • On the PA-3220 do you see the mac address in the arp table on eth1/7?
  • What routes did you configure on the PA-3220 and on the checkpoint pointing to each other?
  • Did you check the mac address tables on sw1, sw2 and core for vlan 1000? Do you see the mac addresses of the PA-3220 and the checkpoint there?