Service Connection and Cisco ASA - problem with establish VPN and BGP


L0 Member

Hello Team!

I am writing this post because I can't find any configuration example which shows how to configure a S2S VPN between an SC and a Cisco ASA.

I tried to do it by myself and it looks like it is working, but I can't establish BGP peering.

On the ASA side, I configured a route-based VPN using a tunnel interface.

The first little wrinkle with that is the IP address for the tunnel interface... Prisma doesn't give any tunnel IP address, so I typed a non-existent IP address like 169.254.10.1/30.

The tunnel is UP; Phase 1 and Phase 2 are also UP.

On the ASA, on the tunnel interface, I see some packets like Prisma trying to establish BGP peering with the ASA, but no response...

This is a funny situation because I additionally configured Tunnel Monitor on the Prisma side, and I see that Prisma is pinging my internal host, and I also see on the ASA that my host responds to the ICMP Request, so that is why Prisma shows the tunnel as UP.

To be honest, I have no idea why the packet returns, because I don't have ANY ROUTING. So maybe someone knows why it works? My only explanation is the connection table... because in the routing table I don't have any route to Prisma.

Also, how do I configure the ASA to properly establish BGP?

2 REPLIES

L0 Member

On the Prisma side you need to use a policy-based VPN with static routes, not the ASA's tunnel-interface IP, since Prisma doesn't assign tunnel IPs. That's why BGP peering won't come up: Prisma supports BGP only with a route-based VPN using IKEv2 and tunnel IPs, which the ASA doesn't provide the same way.

Solution: either

  • Use static routes on both sides (ASA crypto map style), or

  • Move to a vTI setup with real /30 tunnel IPs if you want BGP peering.

Without proper tunnel IPs, BGP cannot establish.

L6 Presenter

@reduslewar shared a great idea, as he seems to know the Cisco ASA as well. Prisma Access SASE is based on the Palo Alto NGFW, so articles for the Palo Alto NGFW are sometimes useful for the SASE as well. I also found Tunnel Monitoring for VPN Between Palo Alto Networks Firewalls ... - Knowledge Base - Palo Alto Netw... as the Cisco ASA may need a proxy ID for phase 2 even if phase 1 is working: Tips & Tricks: Why Use a VPN Proxy ID? - Knowledge Base - Palo Alto Networks
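The VTI option from the first reply, written out as an added example of the ASA side; this is not configuration from the thread, from Prisma Access, or from Cisco documentation. Everything concrete in it is an assumption made for illustration: the Prisma service-connection peer 203.0.113.10, the tunnel /30 169.254.10.0/30 (ASA .1, Prisma .2), the AS numbers 65001 (ASA) and 65000 (Prisma), the on-prem prefix 10.1.0.0/16, the pre-shared key placeholder, and the object names. The point it shows is that BGP over a VTI needs three things the original post was missing: a /30 on the tunnel, a neighbor statement that points at the other end of that /30, and a route for the peer (here implicit, because the peer sits on the directly connected tunnel subnet).

```cisco
! IKEv2 (Phase 1). ASA VTI requires IKEv2; assumed parameters, match them on the Prisma side.
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 28800
crypto ikev2 enable outside

! IPsec (Phase 2) proposal and the profile the VTI uses.
! A VTI on the ASA negotiates any/any traffic selectors, so leave the
! Prisma-side proxy ID unset (any/any) or make it 0.0.0.0/0 both ways.
crypto ipsec ikev2 ipsec-proposal PRISMA-SC-ESP
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ipsec profile PRISMA-SC-PROFILE
 set ikev2 ipsec-proposal PRISMA-SC-ESP
 set pfs group14

! Peer authentication. 203.0.113.10 is an assumed Prisma service-connection IP.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <psk>
 ikev2 local-authentication pre-shared-key <psk>

! Route-based tunnel with a real /30. The ASA owns .1, Prisma is told to use .2.
interface Tunnel1
 nameif PRISMA-SC
 security-level 0
 ip address 169.254.10.1 255.255.255.252
 tunnel source interface outside
 tunnel destination 203.0.113.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PRISMA-SC-PROFILE

! eBGP to the far end of the /30. The neighbor is on a connected subnet,
! so no extra route or multihop is needed for the session itself.
router bgp 65001
 bgp log-neighbor-changes
 address-family ipv4 unicast
  neighbor 169.254.10.2 remote-as 65000
  neighbor 169.254.10.2 activate
  network 10.1.0.0 mask 255.255.0.0
 exit-address-family

! Verification: Phase 1/2 state, then whether TCP/179 is actually answered.
show crypto ikev2 sa
show crypto ipsec sa
show bgp summary
show bgp neighbors 169.254.10.2
show route bgp
capture BGP-SC interface PRISMA-SC match tcp any any eq 179
show capture BGP-SC
```

Two caveats. First, if the Prisma side peers from an address that is not inside the tunnel /30, the ASA has no connected route to it: add `route PRISMA-SC <peer-ip> 255.255.255.255 169.254.10.2` and `neighbor <peer-ip> ebgp-multihop 2` under the address family, otherwise the SYNs seen on the tunnel interface in the original post will keep going unanswered. Second, the tunnel-monitor pings in the post were being answered without any route to Prisma; with the /30 and the BGP-learned prefixes in place, return traffic follows the routing table rather than whatever the connection table happened to record, which is the state you want before trusting the tunnel for production traffic.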
