06-01-2011 02:39 PM
Hello
I have a bg problem
The need is to create such a configuration: external IPSec tunnel and next GRE tunnel inside the previous one. IPSec tunnel must be created between my PA device and external gateway. GRE tunnel mus be created between my cisco router inside my network and other cisco router behind external gateway. Then there must be allowed traffic from another network to this tunnels and also to my internal LAN network.
So I created IPSec tunnel between my PA and external gateway (it's not PaloAlto device - probably Cisco). To be sure that it works I configured also local and remote proxy ID.
Next I added routing to my virtual router which is:
name_of_routing DESTINATION (network_behind_peer_gateway) INTERFACE (tunnel.id) NEXT HOP TYPE (none) METRIC (1)
commited everything
At this moment I must add that PA firewall is the second in row, looking from the internet side. On the first firewall is static NAT for external IP of PaloAlto device.
I think tunnel is working properly, both phases are ok. Checked system log and statuses of tunnel - both are green.
Now I need to allow traffic between hosts behind gateways (those gre traffic)
I created two rules. At the beggining simple because I wanted to be sure that it works without filtering protocols or applications
Source zone | Destination Zone | Source Address | Destination Address | Application | Service | Action | Options |
|---|---|---|---|---|---|---|---|
| internal_LAN zone | tunnel zone | any | any | any | any | accept | logged |
| tunnel zone | internal_LAN zone | any | any | any | any | accept | logged |
And something is wrong beacause I can't see any traffice between those hosts behind gateways.
I have confirmed proper configuration of both endpoints of gre tunnel
At this moment I can't see any traffic in PalAlto logs besides ipsec logs in system log and traffic from gre tunnel is not working.
I also don't have nay logs with gre protocol.
Can you help me how to solve this problem
I'd be very grateful
Thanks a lot and waiting for any response.
Pawel
06-01-2011 04:01 PM
Hi Pawel,
1) When you are adding a route on PAN you are using the destination address of the GRE peer gateway behind the Cisco IPSec Gw ,correct ?
2) If you are not seeing the traffic in the traffic logs, can you please go to the CLI and do a "show session all filter source-ip destination-ip" and see if the session is there? Please send us the output. Alternatively you can check the same info in the session browser as well inte monitor tab.
3) Can you also try to add a app override policy under the policy tab which would include the source and destination IP address of the routers terminating the GRE tunnel.
4) You can also check the statistics for the VPN flow using the command "show vpn flow tunnel-id <id-num>" to check if there is traffic being send and received on this IPSec VPN tunnel.
Hope this helps, do please let me know if you have any further questions and have any other output which we can check from above.
Thanks
06-01-2011 11:18 PM
Hello
Thanks for response
Today morning we did strange thing. At the end of gre tunnel on our side we change IP address of port to something different and changed again to proper one.
Everything started work immediately.
Strange situation but it appeared that problem wasn't on Palo Alto side :smileylaugh:
So once againg thanks for response
By
Regards
Pawel
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
