01-18-2016 03:41 AM
Hi
The internet edge firewall is a Cisco ASA.
Behind it is a Palo Alto running in virtual wire mode.
For some reason IPsec users cannot connect to the outside.
What needs to be done on the Palo Alto side?
Thanks
01-18-2016 05:46 AM
Hi Sib,
Do you observe the VPN negotiation failing, or is only the traffic not passing through after the VPN comes up?
Please make sure that the Palo Alto is passthrough for the IPsec:
If this does not help, please check what traffic is being dropped by the firewall for the user IPs from the internal network and the IP they are trying to connect to. You may monitor the application in case strict rules have been used for application control.
Hope this helps!
01-18-2016 06:23 AM
Hi,
Thanks for the reply.
In my case, what will be the source IP address? I am using the Cisco client to connect outside.
01-23-2016 11:44 PM
@sib2017 If the VPN negotiations themselves are failing, then you should see the request coming from the IP of the PC.
On the PA, you may check if any traffic is denied/dropped between the IP of the PC and the IP corresponding to the destination. Packet captures between these IPs would help.
01-24-2016 11:31 AM
Hi,
The tunnel is up and running. After the tunnel is up I cannot access anything.
What does it mean?
Thanks a lot for your support.
01-24-2016 06:17 PM
@sib2017 If we assume that the tunnel is set up fine and only the traffic is failing, you should see
UDP/ESP traffic on the Palo Alto. Please check the Cisco documentation for which exact port they use for this traffic.
The ESP protocol number is 50; you may filter on this as well.
01-25-2016 03:25 AM
From your description, I think you are saying that the ASA user access tunnels establish correctly,
and that the users are set up without split tunnel, so internet access will be from the ASA,
and that users are blocked from internet access after connecting.
If this is true, you would need to look at your outbound internet access policy setup on the PA. Find the zone assignment for the address pool you assign to users on the ASA.
Make sure there is an outbound policy from this zone to untrust on the PA.
Make sure there is a NAT policy from this address and zone to untrust on the PA.
Check the logs on the PA for these source addresses to see why the traffic is denied. Also confirm you have logging turned on for your final deny rules.
01-25-2016 10:12 PM
Hi Stever,
Here is my setup:
ASA (internet side) <------------untrust-----> ( PA VWIRE mode)
You said:
"If this is true, you would need to look at your outbound internet access policy setup on the PA. Find the zone assignment for the address pool you assign to users on the ASA."
For example, I have assigned VPN users group 1 IP addresses (10.10.10.100 - 10.10.10.200);
I would consider these IP addresses to be in the untrust zone.
In the PA logs, once the VPN connection is established, how does the traffic look? I mean, is the source visible to the PA from the address pool or the global IP?
"Make sure there is an outbound from this zone to untrust policy on the PA." ?
You mean from the ASA?
"Make sure there is a NAT policy from this address and zone to untrust on the PA." ?
You mean from the ASA?
Second thing: I was talking about a user sitting inside behind the PA and connecting using VPN to outside company X.
I don't have an explicit policy to deny this IPsec traffic. Sometimes users complain that they are not able to connect to company X. I can see the Palo Alto tagging this traffic as ciscovpn. But once they are connected, from the Palo Alto side how does the traffic look?
From the log, how do I know whether it is a successful connection?
Thanks
01-26-2016 03:05 AM
I am confused about what the issue is for inbound VPN.
Users connect to the Cisco ASA for SSL VPN and cannot access the internet?
Users connect to the PA SSL VPN and cannot access the Internet?
Users connect to the PA SSL VPN and cannot access internal resources?
To find outbound connections and logs on the PA, filter for the source address and destination address of the user and the destination VPN in the logs. These will show if the traffic is permitted or denied.
01-26-2016 06:27 PM
Hi,
Please clarify the setup a bit more. I am assuming the setup to be as below:
Cisco ASA ---------- Internet Cloud ------------ PA Vwire ------- VPN User
\------------------------------- VPN --------------------------------/
1. In this case, shall we assume that the VPN user is connecting using the Cisco VPN client to the Cisco ASA?
2. Where is the NAT on the PA side? Is there another router on the PA side that is NATing the private network? For example:
Cisco ASA ---------- Internet Cloud ------------ Edge Router ------ PA Vwire ------- VPN User
\------------------------------------------ VPN ------------------------------------------/
3. If this is correct as above, then the PA should allow ESP/UDP-4500 traffic if it is an IPsec VPN.
4. If there is no split tunneling, then on the Cisco ASA there should be an ACL to allow traffic coming from the tunnel and going out to the Internet unencrypted. You also need a source NAT on the Cisco ASA for the same.
5. To troubleshoot, check the traffic logs on the PA with the source IP as the actual IP of the VPN user (not the VPN-assigned IP) and the destination IP as the Cisco ASA. Check for any drops.
6. On the Cisco ASA, check if it is receiving any traffic via the tunnel, and then check how the packet is getting processed.
BR.
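The advice in the last three replies (filter the PA traffic log on the client's real IP and the ASA's IP, look for ike / udp-4500 / ESP protocol 50, and check whether anything is denied) can be turned into a small log triage script. The example below is added here and is not code from the original thread or from Palo Alto Networks; the log lines are constructed and use a simplified, made-up column layout rather than the real PAN-OS traffic-log CSV schema, and the IP addresses, rule names and application names (ike, ipsec-esp-udp, ipsec-esp) are assumptions for illustration. The point it demonstrates is the one the thread keeps circling: on a vwire the PA only ever sees the outer packets, so the VPN pool address never appears in its logs, and a "successful" tunnel shows up as an allowed IKE flow followed by allowed ESP or NAT-T flows carrying bytes in both directions.

```python
"""Triage PAN-OS-style traffic logs for a client-to-ASA IPsec session.

Constructed example: the column layout below is a simplified, made-up
export, NOT the real PAN-OS traffic-log CSV schema. Rename the fields
to match whatever your own log export uses.
"""
import csv
import io

# Constructed sample export (not real firewall output). Client 192.0.2.50
# negotiates IKE, gets NAT-T (udp/4500) allowed but sees no return bytes,
# and has native ESP hit the default interzone deny. Client 192.0.2.51 has
# IKE itself blocked by an App-ID rule.
SAMPLE_LOGS = """\
time,src,dst,sport,dport,proto,app,action,rule,bytes_sent,bytes_received
2016-01-25 09:01:02,192.0.2.50,203.0.113.10,61000,500,udp,ike,allow,allow-vpn-out,1200,1100
2016-01-25 09:01:03,192.0.2.50,203.0.113.10,61001,4500,udp,ipsec-esp-udp,allow,allow-vpn-out,5400,0
2016-01-25 09:01:04,192.0.2.50,203.0.113.10,0,0,esp,ipsec-esp,deny,interzone-default,300,0
2016-01-25 09:02:10,192.0.2.50,198.51.100.7,61002,443,tcp,ssl,allow,allow-web,800,7000
2016-01-25 09:03:00,192.0.2.51,203.0.113.10,61003,500,udp,ike,deny,block-ciscovpn,400,0
"""

IKE_PORT = 500        # IKE negotiation, udp/500
NAT_T_PORT = 4500     # ESP encapsulated in UDP (NAT-T), udp/4500
ESP_PROTO = "esp"     # native ESP, IP protocol number 50


def parse_logs(text):
    """Parse the CSV export into a list of dicts, one per session record."""
    return list(csv.DictReader(io.StringIO(text)))


def vpn_flows(records, client_ip, asa_ip):
    """Outer-packet flows between the client's real IP and the ASA.

    In vwire mode the firewall sees only the outer IP header, so the pool
    address the ASA hands out (10.10.10.x in the thread) never appears in
    these logs. Filter on the real client IP and the ASA's public IP.
    """
    return [r for r in records if r["src"] == client_ip and r["dst"] == asa_ip]


def diagnose(records, client_ip, asa_ip):
    """Summarise whether IKE and ESP/NAT-T were allowed and whether the
    tunnel actually carried return traffic; collect every denied flow."""
    result = {
        "ike_allowed": False,
        "esp_allowed": False,        # native ESP or NAT-T on udp/4500
        "esp_bidirectional": False,  # return bytes seen on an ESP/NAT-T flow
        "denied": [],                # (app, proto, dport, rule) for each drop
    }
    for r in vpn_flows(records, client_ip, asa_ip):
        dport = int(r["dport"])
        is_ike = r["proto"] == "udp" and dport == IKE_PORT
        is_esp = r["proto"] == ESP_PROTO or (r["proto"] == "udp" and dport == NAT_T_PORT)
        if r["action"] != "allow":
            # Rule name tells you whether an explicit rule or the implicit
            # interzone default dropped it; if the latter never logs, turn
            # logging on for the final deny rules first.
            result["denied"].append((r["app"], r["proto"], r["dport"], r["rule"]))
            continue
        if is_ike:
            result["ike_allowed"] = True
        if is_esp:
            result["esp_allowed"] = True
            if int(r["bytes_received"]) > 0:
                result["esp_bidirectional"] = True
    return result


def verdict(diag):
    """Map the counters onto the question the thread keeps asking:
    did the tunnel negotiate, and is data really flowing through it?"""
    if not diag["ike_allowed"]:
        return "IKE never allowed: tunnel cannot negotiate"
    if not diag["esp_allowed"]:
        return "IKE ok but ESP/NAT-T blocked: tunnel comes up, no traffic passes"
    if not diag["esp_bidirectional"]:
        return "ESP allowed but no return bytes: check the ASA-side ACL and NAT for the pool"
    return "tunnel negotiated and carrying traffic both ways"


if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOGS)
    for client in ("192.0.2.50", "192.0.2.51"):
        d = diagnose(recs, client, "203.0.113.10")
        print(client, "->", verdict(d), "| denied:", d["denied"])
```

Reading the output for 192.0.2.50 the way the thread's last reply suggests: IKE and NAT-T are allowed on the PA, so the PA is not what keeps the tunnel from negotiating; the missing return bytes and the ESP drop on the default interzone rule point at the next two things to check, the ASA-side ACL/NAT for the pool and an explicit PA rule for ESP (protocol 50) alongside udp/4500.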