ipsec

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

ipsec

L4 Transporter

Hi
Internet edge firewall is cisco asa .
Behind Palo alto running in virtual vire mode.
for some reason ipsec users cannot connet to outside .
What we need to be done at palo alto side ?
Thanks

 

9 REPLIES 9

L4 Transporter

 

Hi Sib,

 

Do you observe the VPN negotiation failing or only the traffic is not passing through after the VPN comes up ?

 

Please make sure that Palo alto is passthrough for the IPSEC :

https://live.paloaltonetworks.com/t5/Configuration-Articles/Configuring-the-Palo-Alto-Networks-Devic...

 

If this does not help, please check what traffic is being dropped by the firewall for the user IPs from the internal network and 

the IP they are trying to connect to. You may monitor the application in case strict rules have been used to application

control.

 

 

Hope this helps !

Hi,

Thanks for the reply , 

In my case  what will be the source ip address , i am using cisco client  to connect out side . 

?

 

@sib2017  If the VPN negotiations itself are failing, then you sould see the request coming from the IP of the PC.

On the PA, you may check if any traffic is denied/dropped between the IP of the PC and the IP corresponding to the destination IP. Packet captures between these IPs would help.

 

 

Hi,

The tunnel is up and running , after tunnel is up  i cannot access anything . 

what does it mean 

Thanks a lot of your support

@sib2017  If we assume that the tunnel is setup fine and only the traffic is failing, you should see
UDP/ESP traffic on the Palo alto. Please check cisco documentation which exact port they use for this traffic.
ESP protocol number is 50, you may filter with this as well.

From your description, I think you are saying that the ASA user access tunnels establish correctly.  

 

And that the users are setup without split tunnel so internet access will be from the ASA.

 

And that users are blocked from internet access after connecting.

 

If this is true, you would need to look at your outbound internet access policy setup on the PA.  Find the zone assignment for the address pool you assign to users on the ASA.  

 

Make sure there is an outbound from this zone to untrust policy on the PA.

Make sure there is a NAT policy from this address and zone to untrust on the PA.

 

Check the logs on the PA for these source addresses to see why the traffic is denied.  Also confirm you have logging turned on for your final deny rules.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Hi Stever 

Here is my setup , 

ASA (internet side) <------------untrust-----> ( PA VWIRE mode) 

 

You said

"If this is true, you would need to look at your outbound internet access policy setup on the PA.  Find the zone assignment for the address pool you assign to users on the ASA.  "

 

for example  i have assigned vpnusers group 1 ip address  ( 10.10.10.100- 10.10.10.200) , 

i would consider these ip addresses are in untrust zone . 

In PA logs  , once the vpn connection established , how the traffic look like.I mean the source  visible to PA is from the address pool or  global IP ? 

 

" Make sure there is an outbound from this zone to untrust policy on the PA. " ?

 

You mean from the ASA 

 

"Make sure there is a NAT policy from this address and zone to untrust on the PA."  ?

 

You mean from the ASA

 

Second thing i was talking about a user sitting inside behind the PA  and connecting usinng vpn to outside comapny x .

I don't have an explicit policy to deny these ipsec traffic  , sometimes users complain that they are not able t connect to company x .i can see palalto tagging this traffic as  ciscovpn . But once they connected ,from palo alto side how the traffic look like ?

from the log how do i know that is it a succesful connection ? 

 

Thanks

 

 

 

 

 

I am confused on what the issue is for inbound VPN.

 

Users connect to the Cisco ASA for SSL VPN and cannot access internet?  

 

Users connect to PA SSL VPN and cannot access Internet?

 

Users connect to PA SSL VPN and cannot access internal resources?

 

to find outbound connections and logs on the PA filter for the source address and destination address of the user and destination vpn in the logs.  These will show if the traffic is permitted or denied.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

L4 Transporter

Hi,

 

Please clarify the setup a bit more. I am assuming the setup to be as below:

 

Cisco ASA ---------- Internet Cloud ------------ PA Vwire ------- VPN User

       \------------------------------- VPN --------------------------------/

 

1. In this case shall we assume that VPN user is connecting using Cisco VPN client to the Cisco ASA?

 

2. Where is the NAT on the PA side? Is there another Router on the PA side which is natting the private network? For example:

 

Cisco ASA ---------- Internet Cloud ------------ Edge Router ------ PA Vwire ------- VPN User

       \------------------------------------------ VPN ------------------------------------------/

 

3. If this is correct as above, then PA should allow ESP/ UDP-4500 traffic if IPSEC VPN.

 

4. If there is no split tunneling, then, on Cisco ASA, there should be a ACL to allow traffic coming from tunnel and going out to Internet unencrypted. Also you need a source NAT on Cisco ASA for the same.

 

5. To troubleshoot, check traffic logs on PA with source IP as the actual IP on the VPN User (not VPN assigned IP), and destination IP as Cisco ASA. Check for any drops.

 

6. On the Cisco ASA check if it is receiving any traffic via the tunnel, and then check how is the packet getting processed.

 

BR.

  • 4381 Views
  • 9 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!