S2S VPN between PA 3020 8.0 to Cisco ASA 9.x code.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

S2S VPN between PA 3020 8.0 to Cisco ASA 9.x code.

L1 Bithead

First thing,

I know there are postings about this out on the web and community about this. The problem I'm having is everything out there is on old ASA code. 

I'm trying to understand the configuration on the PA. I have my tunnel interface configured, IKE Crypto, IPSec Crypto, IKE Gateway, and IPSec Tunnel. I can't get the Phase 1 to come up. I've verified the DH Groups, Authentication, and Encryption setting are the same on both sides. Can someone point me in a direction where they think my problem might be?

Thanks for any help given,

7 REPLIES 7

L6 Presenter

Checking (and posting) logs would be a good start.

Cyber Elite
Cyber Elite

@brian.schroeder,

Did you verify that your proxy-ids are setup correctly. As @santonic stated logs would be the thing that will tell you what's actually happening. 

I'll be pulling those soon.

So that's one of the things I was needing to understand.

Am I creating a PID for every host that has access over the tunnel?

Or does a subnet range work for this?

On the ASA side I have an ACL just allowing a few host to access the tunnel.

@brian.schroeder,

Cisco is policy-based while the Palo Alto is route-based. The Palo Alto is essentially defaulting to 0.0.0.0/0 source and 0.0.0.0/0 destiantion. If they don't match things aren't going to form correctly. You can use a network range as long as that's what the ASA is sending; if they don't match you'll still have an issue. 

 

Here's two good articles about proxy-ids HERE and HERE

Initiate vpn traffic from ASA side and check logs on Palo.

Monitor > System

If you can't identify issue yourself then share logs here.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

ACL for crypo-map on Cisco and Proxy IDs on PA must match for VPN to work. While PA isn't too strict about exact matches, policy based FWs like ASA usually are. 

But check logs first, you will find the answer there. 

 

 

  • 3039 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!