Hi Experts,
Trying to setup Palo Alto VM series in Microsoft Azure ( 3 interface Mgmt ,Trust and Untrust) and only public ip is assigned to Management interface .
In order to create the Site to Site VPN ipsec b/w Cisco ASAv and Pao Alto Fw the only interface available is Mgmt which has public ip but the Palo Alto Gui is not allowing me to use Mgmt interface as local IP or source interface .
And if i try to assign public ip to any other interface of Palo Alto then Azure is giving an error mentioned below.
Just want to understand how we can create site to site ipsec vpn on Palo Alto with single public ip on Mgmt interface , as the same setup is working perfect on ASAv and we can use Mgmt interface as source in ASAv.
I can share the setup if someone wants to take a look.
wanclouds@panvwanclouds> show config running
config {
mgt-config {
users {
admin {
phash *;
permissions {
role-based {
superuser yes;
}
}
}
wanclouds {
phash $1$buaddxeg$F9xAm862FkTC869HKCU1e1;
permissions {
role-based {
superuser yes;
}
}
}
}
}
shared {
application;
application-group;
service;
service-group;
botnet {
configuration {
http {
dynamic-dns {
enabled yes;
threshold 5;
}
malware-sites {
enabled yes;
threshold 5;
}
recent-domains {
enabled yes;
threshold 5;
}
ip-domains {
enabled yes;
threshold 10;
}
executables-from-unknown-sites {
enabled yes;
threshold 5;
}
}
other-applications {
irc yes;
}
unknown-applications {
unknown-tcp {
destinations-per-hour 10;
sessions-per-hour 10;
session-length {
maximum-bytes 100;
minimum-bytes 50;
}
}
unknown-udp {
destinations-per-hour 10;
sessions-per-hour 10;
session-length {
maximum-bytes 100;
minimum-bytes 50;
}
}
}
}
report {
topn 100;
scheduled yes;
}
}
}
devices {
localhost.localdomain {
network {
interface {
ethernet {
ethernet1/1 {
layer3 {
ipv6 {
neighbor-discovery {
router-advertisement {
enable no;
}
}
}
ndp-proxy {
enabled no;
}
ip {
}
lldp {
enable no;
}
}
}
ethernet1/2 {
layer3 {
ipv6 {
neighbor-discovery {
router-advertisement {
enable no;
}
}
}
ndp-proxy {
enabled no;
}
lldp {
enable no;
}
ip {
}
}
}
}
tunnel {
units {
tunnel.1 {
comment ipsec-s-s;
}
}
}
}
profiles {
monitor-profile {
default {
interval 3;
threshold 5;
action wait-recover;
}
}
}
ike {
crypto-profiles {
ike-crypto-profiles {
default {
encryption [ 3des aes-128-cbc];
hash sha1;
dh-group group2;
lifetime {
hours 8;
}
}
Suite-B-GCM-128 {
encryption aes-128-cbc;
hash sha256;
dh-group group19;
lifetime {
hours 8;
}
}
Suite-B-GCM-256 {
encryption aes-256-cbc;
hash sha384;
dh-group group20;
lifetime {
hours 8;
}
}
}
ipsec-crypto-profiles {
default {
esp {
encryption [ 3des aes-128-cbc];
authentication sha1;
}
dh-group group2;
lifetime {
hours 1;
}
}
Suite-B-GCM-128 {
esp {
encryption aes-128-gcm;
authentication none;
}
dh-group group19;
lifetime {
hours 1;
}
}
Suite-B-GCM-256 {
esp {
encryption aes-256-gcm;
authentication none;
}
dh-group group20;
lifetime {
hours 1;
}
}
}
global-protect-app-crypto-profiles {
default {
encryption aes-128-cbc;
authentication sha1;
}
}
}
gateway {
ike-peer-csr {
authentication {
pre-shared-key {
key -AQ==KUGt+eZobgDsoMJzqj4Pf48NH0w=SFAlEHCj9+AttIUAYLgRUA==;
}
}
protocol {
ikev1 {
dpd {
enable yes;
}
}
ikev2 {
dpd {
enable yes;
}
}
}
protocol-common {
nat-traversal {
enable yes;
}
fragmentation {
enable no;
}
}
local-address {
interface ethernet1/1;
ip 10.0.1.4/24;
}
peer-address {
ip 52.34.x.x;
}
local-id {
id 10.0.0.4;
type ipaddr;
}
peer-id {
id 172.31.16.49;
type ipaddr;
}
}
}
}
qos {
profile {
default {
class {
class1 {
priority real-time;
}
class2 {
priority high;
}
class3 {
priority high;
}
class4 {
priority medium;
}
class5 {
priority medium;
}
class6 {
priority low;
}
class7 {
priority low;
}
class8 {
priority low;
}
}
}
}
}
virtual-router {
default {
protocol {
bgp {
enable no;
dampening-profile {
default {
cutoff 1.25;
reuse 0.5;
max-hold-time 900;
decay-half-life-reachable 300;
decay-half-life-unreachable 900;
enable yes;
}
}
routing-options {
graceful-restart {
enable yes;
}
}
}
}
ecmp {
algorithm {
ip-modulo;
}
}
interface [ ethernet1/1 ethernet1/2 tunnel.1];
routing-table {
ip {
static-route {
CSR-AWS-SYED {
path-monitor {
enable no;
failure-condition any;
hold-time 2;
}
bfd {
profile None;
}
interface tunnel.1;
metric 10;
destination 192.168.2.0/24;
route-table {
unicast;
}
}
}
}
}
}
}
tunnel {
ipsec {
ipsec-tunnel-1 {
auto-key {
ike-gateway {
ike-peer-csr;
}
proxy-id {
local-remote-subnet {
protocol {
any;
}
local 10.0.2.0/24;
remote 192.168.2.0/24;
}
}
}
tunnel-monitor {
enable no;
}
tunnel-interface tunnel.1;
}
}
}
}
deviceconfig {
system {
type {
dhcp-client {
send-hostname yes;
send-client-id no;
accept-dhcp-hostname no;
accept-dhcp-domain no;
}
}
update-server updates.paloaltonetworks.com;
update-schedule {
threats {
recurring {
weekly {
day-of-week wednesday;
at 01:02;
action download-only;
}
}
}
}
timezone US/Pacific;
service {
disable-telnet yes;
disable-http yes;
}
ip-address 10.0.0.4;
hostname panvwanclouds;
netmask 255.255.255.0;
default-gateway 10.0.0.1;
dns-setting {
servers {
primary 168.63.129.16;
}
}
}
setting {
config {
rematch yes;
}
management {
hostname-type-in-syslog FQDN;
initcfg {
type {
dhcp-client {
send-hostname yes;
send-client-id no;
accept-dhcp-hostname no;
accept-dhcp-domain no;
}
}
ip-address 10.0.0.4;
netmask 255.255.255.0;
default-gateway 10.0.0.1;
dns-primary 168.63.129.16;
username wanclouds;
hostname panvwanclouds;
}
}
}
}
vsys {
vsys1 {
application;
application-group;
zone {
untrust {
network {
layer3 [ ethernet1/2 tunnel.1 ethernet1/1];
}
}
trust {
network {
layer3;
}
}
}
service;
service-group;
schedule;
rulebase {
nat {
rules;
}
security {
rules {
ANY {
to any;
from any;
source any;
destination any;
source-user any;
category any;
application any;
service application-default;
hip-profiles any;
action allow;
}
}
}
}
import {
network {
interface [ ethernet1/1 ethernet1/2 tunnel.1];
}
}
}
}
}
}
}
wanclouds@panvwanclouds>
Copyright 2007 - 2023 - Palo Alto Networks