07-17-2014 12:33 PM
Hello Infotech,
You need to collect that information from the Cisco ASA administrator. You can follow the below link for more details.
Sample IPSec Tunnel Configuration - Palo Alto Networks Firewall to Cisco ASA
Regards,
Hardik Shah
07-17-2014 12:34 PM
Hello Infotech,
You have to select the PROXY ID as the local subnet behind the PAN firewall (from where you are expecting traffic to pass through the VPN tunnel) and the remote subnet behind the CISCO FW.
For example:
PAN local subnet: 192.168.1.0/24
Remote subnet: 172.16.1.0/24
On the CISCO FW access list, you have to configure just the opposite direction:
PAN local subnet: 172.16.1.0/24
Remote subnet: 192.168.1.0/24
Hope this helps.
Thanks
07-17-2014 12:37 PM
Few more related discussions for your reference:
Why is a Proxy-ID Required for VPNs between PAN and Firewalls that Support Policy Based VPNs?
Thanks
07-17-2014 12:53 PM
An example:
Hope it will help you to understand about proxy ID's.
Thanks
07-17-2014 01:00 PM
I will check that out
07-17-2014 01:04 PM
What if the proxy ids on the cisco side are really being used do you still have to add them to the PA?
07-17-2014 01:07 PM
Yes, you need to configure the PROXY ID's on PAN firewall. Based on the proxy ID's, PAN firewall will create the SPI (keys).
Thanks
07-17-2014 01:09 PM
I don't understand what you are saying.
07-17-2014 01:15 PM
For example:
Result of show vpn flow tunnel-id:
tunnel Parkway_IPSec_Tunnel5:DR_Network
id: 139
type: IPSec
gateway id: 5
local ip: 66.94.196.107
peer ip: 66.94.196.108
inner interface: tunnel.5
outer interface: ethernet1/3
state: inactive
session: 0
tunnel mtu: 1428
lifetime remain: N/A
monitor: off
monitor packets seen: 0
monitor packets reply: 0
en/decap context: 2716
local spi: 9C3025F2 >>>>>>>>>>>>>>>>>>>>>>>>>>> Based on the below-mentioned local/remote subnets, these SPI keys will be generated. If you do not enter any proxy IDs, it will take 0.0.0.0/0 as local and remote, and the SPI will mismatch with the CISCO FW.
remote spi: 07B3DE31 >>>>>>>>>>>>>>>>>>>>>>>>>>
key type: auto key
protocol: ESP
auth algorithm: NOT ESTABLISHED
enc algorithm: NOT ESTABLISHED
proxy-id local ip: 10.135.100.0/24 ******************************
proxy-id remote ip: 10.135.11.0/25 ******************************
proxy-id protocol: 0
proxy-id local port: 0
proxy-id remote port: 0
SPI is just like a KEY, to open and encrypt a packet. If you check the CISCO FW, it should have the same SPI keys for this VPN tunnel.
On CISCO FW:
local spi: 07B3DE31 ( remote for PAN)
remote spi: 9C3025F2 ( Local for PAN)
Thanks
07-17-2014 01:17 PM
Hi Infotech,
PROXY ID is a mandatory configuration on ASA; they must have configured it.
Get the proxy ID from them and reverse it for the PAN configuration.
Proxy ID on ASA
1.1.1.0/24 to 2.2.2.0/24
Then PAN Proxy ID
2.2.2.0/24 to 1.1.1.0/24
Regards,
Hardik Shah
07-17-2014 02:22 PM
As hshah mentions the proxy-id are a required configuration on the ASA. Unfortunately, the Cisco configuration does not call them proxy-id. Rather the Cisco engineer will know them as the vpn ACL or interesting traffic ACL.
These are simply the subnet on the Cisco side and the subnet on the PA side. The trick is they must exactly match.
Ask your Cisco partner what his vpn ACL contains.
Sample:
The first IP address is the ASA side and the second is the PAN side:
access-list PanACL extended permit ip 192.168.1.0 255.255.252.0 192.168.2.0 255.255.0.0
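The posts above describe the same rule three ways: the PAN proxy ID is the ASA crypto ACL mirrored (PAN local = ASA destination, PAN remote = ASA source), an unconfigured PAN proxy ID falls back to 0.0.0.0/0, and any mismatch fails phase 2. The following script is an added example written for this thread, not Palo Alto Networks or Cisco code. It parses an ASA `access-list ... extended permit ip` line (ASA extended ACLs use subnet masks, not IOS-style wildcards, and also accept `host` and `any`), derives the expected PAN proxy ID, and compares it against the `proxy-id local ip` / `proxy-id remote ip` fields of `show vpn flow tunnel-id` output. The ACL line, the flow excerpt and the tunnel name are constructed sample values.

```python
import ipaddress
import re

# Constructed sample: crypto (VPN / interesting-traffic) ACL from the ASA side.
# First address pair = subnet behind the ASA, second pair = subnet behind the PAN.
ASA_ACL = ("access-list PanACL extended permit ip "
           "172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0")

# Constructed excerpt of PAN 'show vpn flow tunnel-id' output for the same tunnel.
PAN_FLOW_OK = """\
tunnel Example_Tunnel:Example_Network
proxy-id local ip: 192.168.1.0/24
proxy-id remote ip: 172.16.1.0/24
proxy-id protocol: 0
proxy-id local port: 0
proxy-id remote port: 0
"""

# Constructed excerpt from a PAN tunnel with no proxy ID configured at all.
PAN_FLOW_UNSET = """\
proxy-id local ip: 0.0.0.0/0
proxy-id remote ip: 0.0.0.0/0
"""


def _take_net(tokens):
    """Consume one ASA address spec ('any', 'host A', or 'A MASK') from tokens."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(f"{tokens.pop(0)}/32")
    mask = tokens.pop(0)
    # strict=False normalises a non-aligned network address to its prefix.
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)


def parse_asa_acl(line):
    """Return (asa_local, asa_remote) networks from an ASA 'permit ip' ACE."""
    tokens = line.split()
    if not tokens or tokens[0] != "access-list" or "permit" not in tokens:
        raise ValueError("expected an 'access-list ... permit' entry")
    idx = tokens.index("permit")
    if tokens[idx + 1] != "ip":
        raise ValueError("crypto ACL example only handles 'permit ip'")
    rest = tokens[idx + 2:]
    return _take_net(rest), _take_net(rest)


def pan_proxy_id_from_asa(line):
    """Mirror the ASA ACL: what the ASA calls destination is the PAN's local."""
    asa_local, asa_remote = parse_asa_acl(line)
    return {"local": str(asa_remote), "remote": str(asa_local)}


def parse_pan_proxy_id(flow_output):
    """Pull 'proxy-id local ip' / 'proxy-id remote ip' out of show vpn flow text."""
    fields = {}
    for m in re.finditer(r"proxy-id (local|remote) ip:\s*(\S+)", flow_output):
        fields[m.group(1)] = m.group(2)
    return fields


def check_proxy_id(asa_acl_line, pan_flow_output):
    """Return a list of problems; an empty list means the two sides mirror each other."""
    expected = pan_proxy_id_from_asa(asa_acl_line)
    actual = parse_pan_proxy_id(pan_flow_output)
    problems = []
    for side in ("local", "remote"):
        got = actual.get(side)
        want = expected[side]
        if got is None:
            problems.append(f"PAN proxy-id {side} ip not found in output")
        elif got == "0.0.0.0/0" and want != "0.0.0.0/0":
            problems.append(f"PAN proxy-id {side} ip is 0.0.0.0/0 (no proxy ID "
                            f"configured); ASA crypto ACL expects {want}")
        elif ipaddress.ip_network(got) != ipaddress.ip_network(want):
            problems.append(f"PAN proxy-id {side} ip {got} != {want} derived from "
                            f"ASA ACL; phase 2 would fail with proxy ID mismatch")
    return problems


if __name__ == "__main__":
    print("expected PAN proxy ID:", pan_proxy_id_from_asa(ASA_ACL))
    for name, flow in (("configured", PAN_FLOW_OK), ("unset", PAN_FLOW_UNSET)):
        issues = check_proxy_id(ASA_ACL, flow)
        print(f"{name}: {'OK' if not issues else issues}")
```

Running it prints the mirrored proxy ID for the configured tunnel with no findings, and two findings for the tunnel whose proxy ID was left unset, which is the 0.0.0.0/0 fallback described earlier in the thread. When comparing a real ASA ACL, feed each `permit ip` line through the checker separately; on the PAN side each such pair needs its own proxy ID entry.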
07-17-2014 02:23 PM
They also call it crypto ACL.
07-18-2014 07:58 AM
So what if the proxy IDs on the Cisco side aren't really subnets that are used? In order to make both sides match, do you still have to add them to the PA side?
Seems like if they did not match the tunnel would not come up at all.
07-18-2014 08:30 AM
If the PROXY ID does not match on both sides, Phase 1 will come UP but IPSec Phase 2 will fail with the error "proxy ID mismatch".
Thanks