VPN tunnel to Cisco ASA via GUI?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

VPN tunnel to Cisco ASA via GUI?

L4 Transporter

I need to setup a VPN tunnel with a Cisco device which we don't control or have any access to.

The intention is that I can allow a group of IP addresses on our LAN to have access to resources on the other side of the tunnel.

These are the settings that I've been given by the people who own/control the other side of the tunnel:

Phase 1

ISAKMP Identification: IP Address

ISKAMP Pre Share Key: <TBC via Phone or Secure Email do not include on this form>

ISKAMP Lifetime: 86400 seconds

ISKAMP Encryption: AES256

ISKAMP Authentication: Pre share key

ISKAMP Hash: SHA

DH Group: 2

NAT-T: Enabled

IKE Negotiation Mode: Main

Phase 2

IPSEC ESP Authentication: SHA

IPSEC ESP Encryption: AES256

IPSEC SA Lifetime Kbytes: 4608000

IPSEC SA Lifetime Hrs: 8

Perfect Forward Secrecy: Yes

Mode: Tunnel

Connection Type: Bidirectional

I'm pretty new to VPN tunnels.  Is there anything I need to know when trying to set this up on the PAN?

My understanding is that ideally I would create a new zone called "CustomerX" and put the tunnel.x interface that I create into that zone so that I have to have a rule to allow any traffic to flow between our "trust" zone and the far side?

Any info would be really appreciated and any questions or things I haven't mentioned, just ask.

Thanks.

10 REPLIES 10

Retired Member
Not applicable

The trick to getting this to work with Cisco is that access list on Cisco would equate to proxy-id settings on PAN device. Basically for each local and remote side subnets that are configured on Cisco, you would need to have an associated proxy-id on PAN in order to complete phase2 negotiation. Below article is an example.

https://live.paloaltonetworks.com/docs/DOC-1328

Otherwise, remember that PAN uses route-based VPNs. So you would also need to set up route to Cisco side subnets with next hop as your associated tunnel interface.

-Richard

Brilliant thanks Richard.  I would be grateful for any specific tips on any options in the PAN GUI that are unusual/specific to getting a tunnel up and running with the settings I listed.

Thanks.

L4 Transporter

Hi,

Your config should be fine.

You can use "test vpn" command to bring up the VPN tunnel for testing, and you can always find reasons why the IPSec tunnel is not up from monitor -> system log

What would these routes look like?  I can ping from the remote side with a cisco pix into my network but I am not able to ping from the paloalto side to the remote network.

Retired Member
Not applicable

Route would basically be same as regular static route, but you only need to specify the interface. No nexthop is needed since tunnel interface is essentially a point-to-point link.

Example:
set network virtual-router default routing-table ip static-route vpn1 destination 10.1.1.0/24 interface tunnel.1

-Richard

Here is what is listed as the route.  If I drop this the pings break from the remote > to local network.  Remote network is 192.168.254.0/24 and the local is 10.0.0.0/8.  I still can't ping from local > remote network.  Below is the Proxy Ids that I think are correct.  Any ideas?  I added several routes to the pix and none helped.

That part's good, and equates to Cisco's "interesting traffic" crypto-map brain-deadness.

Now you need to do the same in your Virtual Router config.  Set up a static route to 192.168 land via interface tunnel.1 (or whatever).  Don't put a next hop IP in, just the interface.  Then you should be all set.

I have that route in and that is were we are getting the route.  I think the problem is the pix 501 version of code.  I was testing our other 501 on our Cisco concentrator andit has the same ping issue.  The ASA on the concentrator does not so I am going to be up a pix with a later version of code like the ASA and see how it behaves.

Hm, the static route and proxy should do it.  Your tunnels do show up as "Up" in the IPSec Tunnels list, right?

As far as I'm concerned, 501s and even 5505s are programmed in PFM.  I've seen them work after a reboot, with no changes, way too much for my taste.  No thanks.

Yes the tunnel is up and working.

I hear you about some of the Pix code.

  • 4747 Views
  • 10 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!