This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

PA-500 VPN with Amazon VPC

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

PA-500 VPN with Amazon VPC

Go to solution
clinit_owner
Not applicable

‎04-26-2011 06:45 AM

Hello,

have someone a howto about connecting a PA-500 with the Amazon VPC Service?

It would be nice to take a look on it Smiley Wink

best regards

Dietmar Otto

1 person had this problem.
0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
brandonlspencer
L0 Member
In response to edimotta

‎05-11-2011 07:26 PM

Advertising default route

In the VR go to the

BGP tab ---> Export rules select peer group ---> add prefix 0.0.0.0/0 --->set action allow

then goto

redistribution rules --->add 0.0.0.0/0 and enable.

commit

verify - show routing protocols bgp rib-out

View solution in original post

7 REPLIES 7

Go to solution
skrall
L4 Transporter

‎04-27-2011 03:34 PM

I did a search for "Amazon VPC" and all I can find is marketing fluff. If this is an IPSEC VPN then we should be able o work. We just need to find out wha the configuration parameters are. If this is some proprietartsoftware application, then you can submit a requestfor a new application withProduct Management.

Steve Krall

0 Likes Likes

Go to solution
bpappas
L6 Presenter
In response to skrall

‎04-27-2011 04:03 PM

I have actually looked at the configuration screens of an Amazon VPC and it was a real puzzler.

It was very non-obvious how you would set up the device to act as an IPSEC VPN end point and the documentation that we had available was not helpful. In my situation the user placed a call with Amazon support for advice on setting up IPSEC VPNs on the Amazon VPC.

-Benjamin

0 Likes Likes

Go to solution
Arrowsight
Not applicable

‎04-28-2011 08:44 AM

We actually have successfully connected to Amazon VPC with PA-500 device. The configuration is pretty straight foward if you go through the Amazon VPC tutorial.  Once the VPC is setup on the Amazon end, download the generic configuration to extend the VPC to your DataCenter by creating an IPSEC tunnel. The only gotcha is instead of using the proxy-ids within the Phase 2 configuration, you will have to configure BGP and redistribute your default route.

Hope this information helps.

Go to solution
clinit_owner
Not applicable
In response to Arrowsight

‎05-10-2011 03:08 AM

Thx for the answers, i will try it again...with the new infos.

0 Likes Likes

Go to solution
edimotta
Not applicable
In response to Arrowsight

‎05-10-2011 02:07 PM

We are trying to do the same thing with a PA-4020.  I have the tunnels up i have BGP established on both peers.  I am receiving the prefix for the subnet that i created when establishing the VPC.  I checked the box to allow the redistribution of the default route.  I have static routes in my core network to get to the PA-4020 for this subnet.  I can trace all the way to the PA-4020 and the CLI confirms that it is allowing my ICMPs to go out the tunnel.  But no pingage. Smiley Sad  Oh yeah and i also configured the security groups and ACLS on the VPC AWS console to allow ICMP in both directions. And the route table on the AWS console shows the VPC subnet as local and the 0.0.0.0/0 route as coming from my customer gateway ID.  Did you have to create any policies on the PA for traffic going over the tunnel?  This seems like it should be so easy - not sure where i went wrong.

0 Likes Likes

Go to solution
brandonlspencer
L0 Member
In response to edimotta

‎05-11-2011 07:26 PM

Advertising default route

In the VR go to the

BGP tab ---> Export rules select peer group ---> add prefix 0.0.0.0/0 --->set action allow

then goto

redistribution rules --->add 0.0.0.0/0 and enable.

commit

verify - show routing protocols bgp rib-out

Go to solution
fatboy1607
L4 Transporter
In response to brandonlspencer

‎11-07-2019 01:04 AM

@brand - If we are running multiple BGP peering dont u know it will cause issue with other peers ? as it will send default route to them ?

SD-WAN | Cloud Networking | PCNSE | ICSI CNSS | MCNA | | CCNP | CCSA | SPSP | SPSX | F5-101 |
0 Likes Likes
  • 1 accepted solution
  • 6417 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks