Proxy ID

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Proxy ID

L4 Transporter

How can you tell what proxy ID's need to be configured on a PA that has VPN tunnels to a Cisco ASA 5505?

63 REPLIES 63

L6 Presenter

Hello Infotech,

You need to collect that information from Cisco ASA administrator. You can follow bellow link form more details.

Sample IPSec Tunnel Configuration - Palo Alto Networks Firewall to Cisco ASA

Regards,

Hardik Shah

L7 Applicator

Hello Infotech,

You have to select the PROXY ID as, Local subnet behind PAN firewall ( where from you are expecting traffic to pass through VPN tunnel) and remote subnet (behind CISCO) FW.

For an example:

PAN local SUbnet: 192.168.1.0/24

Remote subnet:172.16.1.0/24

On the CISCO FW access list, you have to configure just in opposite direction:

PAN local SUbnet: 172.16.1.0/24

Remote subnet:192.168.1.0/24

Hope this helps.

Thanks

L7 Applicator

L7 Applicator

An example:

proxy-ID.JPG

Hope it will help you to understand about proxy ID's.

Thanks

I will check that out

What if the proxy ids on the cisco side are really being used do you still have to add them to the PA?

Yes, you need to configure the PROXY ID's on PAN firewall. Based on the proxy ID's, PAN firewall will create the SPI (keys).

Thanks

I don't understand what you are saying.

For an example:

Result of show vpn flow tunnel-id

tunnel  Parkway_IPSec_Tunnel5:DR_Network

        id:                     139

        type:                   IPSec

        gateway id:             5

        local ip:               66.94.196.107

        peer ip:                66.94.196.108

        inner interface:        tunnel.5

        outer interface:        ethernet1/3

        state:                  inactive

        session:                0

        tunnel mtu:             1428

        lifetime remain:        N/A

        monitor:                off

        monitor packets seen:   0

        monitor packets reply:  0

        en/decap context:       2716

        local spi:              9C3025F2  >>>>>>>>>>>>>>>>>>>>>>>>>>> based on below mentioned Local/Remote subnet, this SPI keys will generate. If you do not enter any proxy ID's,it will take 0.0.0.0/0 as local and remote and SPI will mismatch with CISCO FW.

        remote spi:             07B3DE31 >>>>>>>>>>>>>>>>>>>>>>>>>>

        key type:               auto key

        protocol:               ESP

        auth algorithm:         NOT ESTABLISHED

        enc  algorithm:         NOT ESTABLISHED

        proxy-id local ip:      10.135.100.0/24  ******************************

        proxy-id remote ip:     10.135.11.0/25 ******************************

        proxy-id protocol:      0

        proxy-id local port:    0

        proxy-id remote port:   0

SPI is just like a KEY, to open and encrypt a packet. IF you check CISCO FW it should have the same SPI keys for this VPN tunnel.

On CISCO FW:

local spi: 07B3DE31   ( remote for PAN)

remote spi: 9C3025F2  ( Local for PAN)

Thanks

Hi Infotech,

PROXY ID is mendatory configuration on ASA, they must have configured it.

Get proxy ID from then and reverse it for PAN Configuration.

Proxy ID on ASA

1.1.1.0/24 to 2.2.2.0/24

Then PAN Proxy ID

2.2.2.0/24 to 1.1.1.0/24

Regards,

Hardik Shah

As hshah mentions the proxy-id are a required configuration on the ASA.  Unfortunately, the Cisco configuration does not call them proxy-id.  Rather the Cisco engineer will know them as the vpn ACL or interesting traffic ACL.

These are simply the subnet on the Cisco side and the subnet on the PA side.  The trick is they must exactly match.

Ask your Cisco partner what his vpn ACL contains.

Sample:

The fist ip address is the ASA side and the second is the PAN side:

access-list PanACL extended permit ip 192.168.1.0 255.255.252.0 192.168.2.0 255.255.0.0

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

They also call it crypto ACL.

So what if the proxy id's on the cisco side aren;t really subnets that are used in order to make both sides match do you still have to add them to the PA side?
Seems like if they did not match the tunnel would not come up at all.

If the PROXY ID did not match on both sides, Phase-1 will come UP but IPSec phase-2 will fail with an error "proxy ID mismatch".

Thanks

  • 15060 Views
  • 63 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!