PA-500 VPN with Amazon VPC

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

PA-500 VPN with Amazon VPC

Not applicable

Hello,

have someone a howto about connecting a PA-500 with the Amazon VPC Service?

It would be nice to take a look on it Smiley Wink

best regards

Dietmar Otto

1 accepted solution

Accepted Solutions

Advertising default route

In the VR go to the

BGP tab ---> Export rules select peer group ---> add prefix 0.0.0.0/0 --->set action allow

then goto

redistribution rules --->add 0.0.0.0/0 and enable.

commit

verify - show routing protocols bgp rib-out

View solution in original post

7 REPLIES 7

L4 Transporter

I did a search for "Amazon VPC" and all I can find is marketing fluff. If this is an IPSEC VPN then we should be able o work. We just need to find out wha the configuration parameters are. If this is some proprietartsoftware application, then you can submit a requestfor a new application withProduct Management.

Steve Krall

I have actually looked at the configuration screens of an Amazon VPC and it was a real puzzler.

It was very non-obvious how you would set up the device to act as an IPSEC VPN end point and the documentation that we had available was not helpful. In my situation the user placed a call with Amazon support for advice on setting up IPSEC VPNs on the Amazon VPC.

-Benjamin

Not applicable

We actually have successfully connected to Amazon VPC with PA-500 device. The configuration is pretty straight foward if you go through the Amazon VPC tutorial.  Once the VPC is setup on the Amazon end, download the generic configuration to extend the VPC to your DataCenter by creating an IPSEC tunnel. The only gotcha is instead of using the proxy-ids within the Phase 2 configuration, you will have to configure BGP and redistribute your default route.

Hope this information helps.

Thx for the answers, i will try it again...with the new infos.

We are trying to do the same thing with a PA-4020.  I have the tunnels up i have BGP established on both peers.  I am receiving the prefix for the subnet that i created when establishing the VPC.  I checked the box to allow the redistribution of the default route.  I have static routes in my core network to get to the PA-4020 for this subnet.  I can trace all the way to the PA-4020 and the CLI confirms that it is allowing my ICMPs to go out the tunnel.  But no pingage. Smiley Sad  Oh yeah and i also configured the security groups and ACLS on the VPC AWS console to allow ICMP in both directions. And the route table on the AWS console shows the VPC subnet as local and the 0.0.0.0/0 route as coming from my customer gateway ID.  Did you have to create any policies on the PA for traffic going over the tunnel?  This seems like it should be so easy - not sure where i went wrong.

Advertising default route

In the VR go to the

BGP tab ---> Export rules select peer group ---> add prefix 0.0.0.0/0 --->set action allow

then goto

redistribution rules --->add 0.0.0.0/0 and enable.

commit

verify - show routing protocols bgp rib-out

@brand - If we are running multiple BGP peering dont u know it will cause issue with other peers ? as it will send default route to them ?

SD-WAN | Cloud Networking | PCNSE | ICSI CNSS | MCNA | | CCNP | CCSA | SPSP | SPSX | F5-101 |
  • 1 accepted solution
  • 6857 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!