01-15-2013 05:37 PM
I need guidance on how I could go about working on the configuration. there is only two interfaces/zones on the Firewall, untrust and trust.
The trusted interface leg is connected to the internal network segment and the external interface is connected to the router facing the Telecoms .
01-15-2013 06:35 PM
Hello, It may not be this simple but here are the basics...1st you need to create a tunnel interface that belongs to the zone that you want your vpn connections to terminate to. Some people use the trust zone others create a separate zone. 2nd you need to create an iKE gateway that uses your physical untrusted interface that will connect to the peer, this is also where you setup your Peers IP address and the pre-shared key. 3rd create an IPSec tunnel bound to the tunnel interface that you created and select the IKE gateway you created. The key type is usually auto. 4th set up your proxy IDs. ..These should be the source and destination network address for the networks on either end of the tunnel. This will be the inverse of what you have on the Cisco end..known as the interesting traffic or encryption domain.
01-15-2013 07:26 PM
Hi jteetsel,
Very much thanks for your reply. I am trying to migrate a Cisco Pix to a Palo Alto Firewall and its my fist time working on this. Do you have any experience in this? Kindly share more.
01-15-2013 07:33 PM
Hi jteetsel,
I will like to check if i am required to configure VPN Rules to allow the IPSEc tunnels to be established cause I notice a lot of access list
created on the Cisco Pix Firewall. Kindly advise, thanks!
Regards,
Raymond Teo
01-16-2013 08:43 AM
Hi Raymond,
Please see the document below for the configuration of both cisco and Palo Alto firewall for creating IPSec VPN.
https://live.paloaltonetworks.com/docs/DOC-2579
Hopefully this helps.
Thank you
Numan
01-18-2013 11:26 AM
Hi Numan,
I am wondering if you know of a easy migration method whereby you are required to configure tons of IPSEC VPN tunnels on Palo Alto Firewall. I find the manual method of using the GUI to create the tunnels feasible only if there isn't a lot of tunnels. Is there a way to use command line to create VPN tunnels including phase 1 and phase 2 config easily? Kindly advise pls or anyone here in the forums that has done that?
Thank you,
Raymond Teo
01-18-2013 12:04 PM
The CLI guides for the various versions of PANOS should have what you're looking for... as an example there's a 'set network ike' section starting on page 95 and there's an ipsec subcommand of 'set network tunnel' on page 121 of the PANOS 4.1 CLI guide. There are lots and lots of options and subcommands in the CLI guide... you should be able to piece together commands that build IPSEC and IKE configs for your tunnels.
01-21-2013 08:24 AM
Hi egearhart,
Thanks. Will you be able to share any sample scripts or command line by sending them to my email at raymondteo79@yahoo.com.sg?
Or please state down some specific examples of how i could accomplish using cli to configure many VPN Tunnels?
01-21-2013 07:11 PM
Raymond, I am not sure that anyone has sample scripts. We all would start with reading the Admin Guide and then copying/pasting the information and building the scripts/command from scratch.
My recommendation is to take a single VPN that you have gotten configured via the GUI and then look at the command structure to build that VPN via the CLI and then you can easily duplicate most of the Phase1 and Phase2 information.
You biggest hurdle may be ensuring that your ProxyIDs match between your remote Cisco and Palo Alto FWs.
Good Luck!!
01-23-2013 07:23 AM
scantwell's reply covers everything I was thinking... getting a tunnel built using the web GUI and then using Palo Alto's config audit feature to determine the backend CLI commands that are used to build a tunnel is exactly the approach I'd take to scripting tunnel config, with the CLI guide as a command reference if needed
01-24-2013 10:15 AM
Beside the CLI guide you can also try the following to determine the needed commands:
Login via ssh
set cli config-output-format set
change to configure mode
use the 'show' command to display the current configuration
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
