PA-500 VPN with Amazon VPC

Not applicable

Hello,

Does someone have a how-to about connecting a PA-500 with the Amazon VPC service?

It would be nice to take a look at it :smileywink:

Best regards,

Dietmar Otto



All Replies
L4 Transporter

I did a search for "Amazon VPC" and all I can find is marketing fluff. If this is an IPSEC VPN then we should be able to work. We just need to find out what the configuration parameters are. If this is some proprietary software application, then you can submit a request for a new application with Product Management.

Steve Krall

L6 Presenter

I have actually looked at the configuration screens of an Amazon VPC and it was a real puzzler.

It was very non-obvious how you would set up the device to act as an IPSEC VPN end point and the documentation that we had available was not helpful. In my situation the user placed a call with Amazon support for advice on setting up IPSEC VPNs on the Amazon VPC.

-Benjamin

Not applicable

We actually have successfully connected to Amazon VPC with a PA-500 device. The configuration is pretty straightforward if you go through the Amazon VPC tutorial. Once the VPC is set up on the Amazon end, download the generic configuration to extend the VPC to your data center by creating an IPSEC tunnel. The only gotcha is that instead of using the proxy-IDs within the Phase 2 configuration, you will have to configure BGP and redistribute your default route.

Hope this information helps.

Not applicable

Thanks for the answers, I will try it again... with the new info.

Not applicable

We are trying to do the same thing with a PA-4020. I have the tunnels up and I have BGP established on both peers. I am receiving the prefix for the subnet that I created when establishing the VPC. I checked the box to allow the redistribution of the default route. I have static routes in my core network to get to the PA-4020 for this subnet. I can trace all the way to the PA-4020 and the CLI confirms that it is allowing my ICMPs to go out the tunnel. But no pingage. :smileysad: Oh yeah, and I also configured the security groups and ACLs on the VPC AWS console to allow ICMP in both directions. And the route table on the AWS console shows the VPC subnet as local and the 0.0.0.0/0 route as coming from my customer gateway ID. Did you have to create any policies on the PA for traffic going over the tunnel? This seems like it should be so easy - not sure where I went wrong.

L0 Member

Advertising default route

In the VR go to the

BGP tab ---> Export rules select peer group ---> add prefix 0.0.0.0/0 --->set action allow

then goto

redistribution rules --->add 0.0.0.0/0 and enable.

commit

verify - show routing protocols bgp rib-out

L4 Transporter

@brand - If we are running multiple BGP peerings, don't you know it will cause issues with other peers, as it will send the default route to them?

SD-WAN | Cloud Networking | PCNSE | ICSI CNSS | MCNA | | CCNP | CCSA | SPSP | SPSX | F5-101 | CCIE-SEC-Attempted
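As an added example (this is not from any post in the thread, and not the Palo Alto Networks or AWS configuration template), here are the accepted answer's two steps rendered as PAN-OS CLI `set` commands for one AWS VPN tunnel, with the export rule bound to a single peer group via `used-by`, which is what limits the 0.0.0.0/0 advertisement to the AWS tunnel peers rather than every BGP neighbour on the virtual router, the concern raised in the reply just above. The virtual router name `default`, the peer-group and peer names, the 169.254.255.0/30 tunnel addresses, the router ID and the AS numbers are placeholders to be taken from the configuration downloaded from the AWS console, and the redistribution step assumes a static default route already exists in that virtual router.

```text
# Added example, not from the thread. Placeholder names, addresses and ASNs;
# substitute the values from the AWS-generated customer gateway configuration.
configure

# Basic BGP on the virtual router
set network virtual-router default protocol bgp enable yes
set network virtual-router default protocol bgp router-id 203.0.113.10
set network virtual-router default protocol bgp local-as 65000
set network virtual-router default protocol bgp install-route yes

# eBGP peer group holding only the AWS virtual private gateway session(s)
set network virtual-router default protocol bgp peer-group aws-vpc type ebgp
set network virtual-router default protocol bgp peer-group aws-vpc peer aws-tun1 enable yes
set network virtual-router default protocol bgp peer-group aws-vpc peer aws-tun1 peer-as 7224
set network virtual-router default protocol bgp peer-group aws-vpc peer aws-tun1 local-address interface tunnel.1
set network virtual-router default protocol bgp peer-group aws-vpc peer aws-tun1 local-address ip 169.254.255.2/30
set network virtual-router default protocol bgp peer-group aws-vpc peer aws-tun1 peer-address ip 169.254.255.1

# Accepted answer, step 2: bring the VR's existing default route into BGP
# (assumes a static 0.0.0.0/0 is already present in this virtual router)
set network virtual-router default protocol bgp redist-rules 0.0.0.0/0 enable yes

# Accepted answer, step 1: export rule for 0.0.0.0/0, action allow.
# "used-by aws-vpc" scopes it: peers outside that group do not receive the default.
set network virtual-router default protocol bgp policy export rules adv-default used-by aws-vpc
set network virtual-router default protocol bgp policy export rules adv-default match address-prefix 0.0.0.0/0 exact yes
set network virtual-router default protocol bgp policy export rules adv-default action allow
set network virtual-router default protocol bgp policy export rules adv-default enable yes

commit
exit

# Verify: 0.0.0.0/0 should appear in rib-out only for the aws-vpc peers
show routing protocol bgp rib-out
```

If the same virtual router also peers with internal routers in another peer group, leave that group out of `used-by` on the `adv-default` rule and check `rib-out` for those peers after the commit; the default route must not show up there.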