Site-to-Site VPN - Palo alto to Cisco Router issue

L2 Linker

Hi guys,

I'm doing a POC for an S2S VPN but I cannot get it to work. I'm sure this is a simple thing I have overlooked: with a ping from PC2 to PC1, the ping is encapsulated and encrypted as ESP on the way over to PC1, but the return traffic is not. I have the following topology:

[topology diagram: 11.png]

I have set up a site-to-site VPN from the PA to R2 with the following attributes:

[PA VPN configuration screenshots: 1.png, 2.png, 3.png, 4.png, 5.png, 6.png]

With a ping from PC2 to PC1, IKE phases 1 and 2 come up, but the ping fails:

[screenshots: 7.png, 8.png, 10.png, 9.png, 12.png, 13.png]

And the capture of the ping: outbound ESP, return traffic ICMP.

[packet capture: 14.png]

Config on the Cisco router:

!
! IKE phase 1 (ISAKMP) policy and pre-shared key for the PA peer
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key cisco address 192.168.3.2
!
! IKE phase 2 transform set
crypto ipsec transform-set Myset esp-aes esp-sha-hmac
!
! Crypto map: peer, transform set and the ACL that selects traffic to encrypt
crypto map Mymap 1 ipsec-isakmp
 set peer 192.168.3.2
 set transform-set Myset
 match address 100
!
! Outside interface facing the PA, with the crypto map applied
interface FastEthernet0/0
 ip address 192.168.3.100 255.255.255.0
 duplex auto
 speed auto
 crypto map Mymap
!
! Crypto ACL referenced by 'match address 100'
access-list 100 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 100 permit ip 172.16.1.0 0.0.0.255 172.16.1.0 0.0.0.255
!

Any ideas guys?

10 Replies

L0 Member

Hi,

This looks like a configuration issue. You created a static route for 172.16.2.0/24 pointing towards tunnel.1. However, you created the tunnel between the PA and the R2 router. So you need to create a static route for 172.16.1.0/24 with the tunnel interface as the next hop and redistribute this static route into OSPF. Also, you need to remove the static route configured for 172.16.2.0/24.

Regards,

P.Sarath

Agreed, according to the drawing the wrong subnet is pointed at the tunnel.

L0 Member

Also, I believe the ACL configuration on the Cisco device is not correct. You mentioned the same subnet as the ACL source and destination:

"access-list 100 permit ip 172.16.1.0 0.0.0.255 172.16.1.0 0.0.0.255"

Regards,

P.Sarath

L2 Linker

So sorry guys, I documented the topology wrong; the two LAN subnets are swapped:

[corrected topology diagram: 15.png]

So the static route is correct, I believe: 172.16.1.0/24 to tunnel.1.

Thank you all so much for your help thus far, and sorry about the bum steer!

Regards

So I think your problem is a typo in the ACL configured on the router. Make sure you have it like this:

access-list 100 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 100 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255

Thanks,
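The symptom in this thread (request arrives as ESP, reply leaves in clear text) is exactly what a crypto-map ACL produces when the router's outbound flow matches no permit entry. The script below is an added example, not code from the original post or from Palo Alto or Cisco: it parses IOS `access-list ... permit ip SRC WILDCARD DST WILDCARD` lines, flags an entry whose source and destination are the same network, checks whether the ACL holds the mirror image of the peer's proxy ID, and dry-runs the router's reply packet against both the ACL as posted and the ACL suggested in the last reply. The host addresses and the PA proxy ID are constructed for the demo, and the assumption that the PA LAN is 172.16.2.0/24 and the router LAN is 172.16.1.0/24 follows the corrected topology and the static route described above.

```python
"""Dry-run a Cisco IOS crypto-map ACL the way the router evaluates it.

Added example for this thread, not code from the original post or from
Palo Alto / Cisco. Parses 'access-list N permit|deny ip SRC WC DST WC'
lines (IOS wildcard masks) and answers two questions worth checking before
blaming IKE: does the router's outbound reply match a permit entry (so it
gets ESP-encapsulated), and does the ACL contain the mirror image of the
peer's proxy ID? Host addresses and the peer proxy ID are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

ACL_RE = re.compile(
    r"^\s*access-list\s+(\d+)\s+(permit|deny)\s+ip\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s*$"
)

# Crypto ACL as posted in the thread (second line is the typo under discussion).
ORIGINAL_ACL = """
access-list 100 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 100 permit ip 172.16.1.0 0.0.0.255 172.16.1.0 0.0.0.255
"""

# Crypto ACL as suggested in the final reply.
FIXED_ACL = """
access-list 100 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 100 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
"""


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard: 0 bits must match, 1 bits are don't-care, i.e. an
    inverted netmask. Non-contiguous wildcards raise (not supported here)."""
    netmask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network(
        f"{addr}/{ipaddress.IPv4Address(netmask)}", strict=False)


@dataclass(frozen=True)
class CryptoAclEntry:
    acl_id: str
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (ipaddress.IPv4Address(src_ip) in self.src
                and ipaddress.IPv4Address(dst_ip) in self.dst)

    def is_degenerate(self) -> bool:
        """Same network as source and destination never describes a
        site-to-site flow; it is almost always a typo."""
        return self.src == self.dst


def parse_crypto_acl(config_text: str) -> list[CryptoAclEntry]:
    entries = []
    for line in config_text.splitlines():
        m = ACL_RE.match(line)
        if m:
            acl_id, action, s, s_wc, d, d_wc = m.groups()
            entries.append(CryptoAclEntry(
                acl_id, action,
                wildcard_to_network(s, s_wc), wildcard_to_network(d, d_wc)))
    return entries


def router_encrypts(entries, src_ip: str, dst_ip: str) -> bool:
    """First matching entry wins: permit -> IPsec, deny or no match -> clear."""
    for e in entries:
        if e.matches(src_ip, dst_ip):
            return e.action == "permit"
    return False


def has_mirror_of_peer_proxy_id(entries, peer_local: str, peer_remote: str) -> bool:
    """The peer's proxy ID (its local net, its remote net) must appear on the
    router as src = peer's remote (our local), dst = peer's local."""
    our_local = ipaddress.IPv4Network(peer_remote)
    our_remote = ipaddress.IPv4Network(peer_local)
    return any(e.action == "permit" and e.src == our_local and e.dst == our_remote
               for e in entries)


def audit(config_text: str, peer_local: str, peer_remote: str,
          router_host: str, remote_host: str) -> dict:
    """Run all checks and return them as a dict so callers can assert on it."""
    entries = parse_crypto_acl(config_text)
    return {
        "degenerate": [str(e.src) for e in entries if e.is_degenerate()],
        "mirror_present": has_mirror_of_peer_proxy_id(entries, peer_local, peer_remote),
        # the ICMP reply leaving the router's outside interface toward the PA side
        "reply_encrypted": router_encrypts(entries, router_host, remote_host),
    }


if __name__ == "__main__":
    # Constructed demo: PA proxy ID local 172.16.2.0/24, remote 172.16.1.0/24,
    # one host in each LAN (addresses are assumed, not from the thread).
    for name, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        print(name, audit(acl, "172.16.2.0/24", "172.16.1.0/24",
                          "172.16.1.10", "172.16.2.10"))
```

With the ACL as posted, the reply from the router's LAN host matches neither line (the second line only ever matches 172.16.1.0/24 talking to itself), so the router forwards it unencrypted, which is what the capture shows. With the suggested ACL the first line matches and the reply is sent through the tunnel. The same mirror check applies in the other direction: the PA proxy ID must be the exact inverse of the Cisco entry, or phase 2 will either fail or negotiate a narrower selector than the traffic needs.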
