10-28-2016 04:17 AM
Hello Experts
On the PA side there are two subnets: 10.0.1.0/24 and 10.0.2.0/24, and on the Cisco side there are also three subnets: 172.16.1.0/24, 172.16.2.0/24.
On PA firewall, I defined the proxy-id as below:
proxy-id1: local: 10.0.1.0/24 remote: 172.16.1.0/24
proxy-id2: local: 10.0.1.0/24 remote: 172.16.2.0/24
proxy-id3: local: 10.0.1.0/24 remote: 172.16.1.0/24
proxy-id4: local: 10.0.1.0/24 remote: 172.16.2.0/24
My questions are:
1- On the Cisco side, how will I define the ACL? I mean, will I define four ACLs, or only one ACL with two sources and two destinations?
2- Every time a new subnet is added to pass through the tunnel, I need to create a proxy-ID. Is there any scalable method for this?
Regards,
GR
10-28-2016 08:32 PM
Palo does not care about proxy IDs because it uses the routing table to decide where to send traffic (route-based VPN).
But since the IPsec configuration needs to match at both sides in order to negotiate, the proxy ID in Palo is just there to make Cisco happy.
Cisco, on the other hand, uses policy-based VPN, and the encryption domains there are used to decide whether traffic should be routed into the tunnel or not.
So yes, you have to have all subnets added to proxy IDs to have traffic flowing.
5 subnets at both sides, for example, means 25 proxy IDs -> 5x5.
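The N x M rule above is easy to get wrong by hand once more than a couple of subnets are involved, and a single missing or flipped pair only shows up as one phase-2 SA that never comes up. The script below is an added example (my own code, not from the thread or from either vendor) that takes the subnets from the original post, generates the full proxy-ID list for the PA side and the matching Cisco crypto ACL, and then parses a Cisco ACL back and diffs it against the PA proxy-IDs so mismatches are found before the tunnel is built. The ACL name `VPN-TO-PA` and the pair orientation (Cisco source = its own subnet = PA remote, Cisco destination = PA local) are assumptions of the example.

```python
"""Generate and cross-check PA proxy-IDs against a Cisco crypto ACL.

Added example, not from the thread. Orientation assumed throughout:
a proxy-ID is (pa_local, pa_remote); the matching Cisco ACE is
'permit ip <pa_remote> <wildcard> <pa_local> <wildcard>'.
"""
from ipaddress import IPv4Address, IPv4Network, ip_network
from itertools import product

# Constructed sample input: the subnets named in the original post.
PA_LOCAL = ["10.0.1.0/24", "10.0.2.0/24"]
CISCO_LOCAL = ["172.16.1.0/24", "172.16.2.0/24"]


def proxy_ids(pa_local, pa_remote):
    """Every (local, remote) pair the PA must carry as a proxy-ID: N x M entries.

    The PA routes into the tunnel by routing table, but each proxy-ID still
    has to match exactly one Cisco crypto ACE for that phase-2 SA to come up.
    """
    loc = [ip_network(s) for s in pa_local]
    rem = [ip_network(s) for s in pa_remote]
    return sorted(product(loc, rem))


def cisco_crypto_acl(pairs, name="VPN-TO-PA"):
    """Render the Cisco-side crypto ACL (name is an assumption of the example).

    Cisco's source is its own subnet (the PA's remote) and its destination is
    the PA's local subnet, so each pair is written flipped, with wildcard masks.
    """
    lines = [f"ip access-list extended {name}"]
    for local, remote in pairs:
        lines.append(
            f" permit ip {remote.network_address} {remote.hostmask}"
            f" {local.network_address} {local.hostmask}"
        )
    return "\n".join(lines)


def _wildcard_to_network(addr, wildcard):
    """Convert 'A.B.C.D WILDCARD' to a network by inverting the wildcard.

    Inverting explicitly avoids the ipaddress quirk where an all-zero mask
    string is read as a /0 netmask rather than a /32 hostmask. strict=False
    masks off stray host bits the way IOS does when it installs the ACE.
    A non-contiguous wildcard raises ValueError, which is correct: it cannot
    be expressed as a proxy-ID at all.
    """
    netmask = 0xFFFFFFFF ^ int(IPv4Address(wildcard))
    return IPv4Network((addr, str(IPv4Address(netmask))), strict=False)


def _acl_operand(tokens):
    """Consume one ACE operand (any | host A.B.C.D | A.B.C.D WILDCARD)."""
    if tokens[0] == "any":
        return IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return IPv4Network(f"{tokens[1]}/32"), tokens[2:]
    return _wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_cisco_crypto_acl(text):
    """Parse 'permit ip SRC DST' lines into PA-oriented (local, remote) pairs.

    Sequence numbers (as in 'show access-list' output), the ACL header, deny
    lines and comments are skipped.
    """
    pairs = set()
    for raw in text.splitlines():
        tokens = raw.split()
        if tokens and tokens[0].isdigit():
            tokens = tokens[1:]
        if len(tokens) < 4 or tokens[0] != "permit" or tokens[1] != "ip":
            continue
        src, rest = _acl_operand(tokens[2:])
        dst, _ = _acl_operand(rest)
        pairs.add((dst, src))  # flip back into PA (local, remote) orientation
    return pairs


def compare(pa_pairs, cisco_pairs):
    """Pairs present on one side but not the other, in PA orientation.

    Anything in 'missing_on_cisco' is a proxy-ID the Cisco peer will reject;
    anything in 'missing_on_pa' is an encryption domain the PA never offers.
    """
    pa, cisco = set(pa_pairs), set(cisco_pairs)
    return {"missing_on_cisco": pa - cisco, "missing_on_pa": cisco - pa}


if __name__ == "__main__":
    pairs = proxy_ids(PA_LOCAL, CISCO_LOCAL)
    for local, remote in pairs:
        print(f"proxy-id local: {local} remote: {remote}")
    acl = cisco_crypto_acl(pairs)
    print(acl)
    # Simulate the admin forgetting the last ACE on the Cisco side.
    truncated = "\n".join(acl.splitlines()[:-1])
    print(compare(pairs, parse_cisco_crypto_acl(truncated)))
```

Run it against the real `show run | section ip access-list` output of the Cisco and the PA's proxy-ID list whenever a subnet is added on either side; the number of proxy-IDs grows as the product of the two subnet counts, and the diff tells you exactly which ACE or proxy-ID is still missing.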
10-29-2016 08:18 AM
Hi Raido
Thanks for your valuable feedback. I heard that in IKEv2 there is some concept of a superset, like on the PA if I define 10/8 locally and 172.16/16 as remote. Can we do something like that? Or is it something else?
11-02-2016 07:53 AM
I have not used IKEv2, so maybe someone who has can help here.
11-05-2016 08:06 AM
Anyone here for an IKEv2 explanation?