For details on cookie usage on our site, read our Privacy Policy
site to site vpn using a PA inside Azure
- LIVEcommunity
- Discussions
- Network Security
- VM-Series in the Public Cloud
- site to site vpn using a PA inside Azure
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
site to site vpn using a PA inside Azure
- Mark as New
- Subscribe to RSS Feed
- Permalink
03-04-2021 08:19 PM
I'm trying to get an ipsec vpn working with a Palo gateway instance inside of Azure. Because Azure handles the public IP, and the Palo has no awareness of it, i expect NAT traversal will factor heavily. Has anyone got such a topology working?
An old thread on this subject suggests that this is not the recommended approach - that Azure native vpn should be used instead. Heres a post from that discussion:
In our reference architecture and companion deployment guide, we do not typically recommend terminating the VPNs on the Virtual Appliance running in Azure. This is b/c you will need to use SNAT to enforce return path routing through the proper firewall to prevent asymmetric routing as we cannot extend BGP from the firewalls to the Azure Route Table. Instead, you may consider terminating the VPN on the Azure VPN Gateway and use our backhaul routing design to force all traffic to and from the Gateway subnet through the firewall utilizing UDRs and the Load Balancer.
- Mark as New
- Subscribe to RSS Feed
- Permalink
03-10-2021 02:46 PM
Hello,
If you have a static IP on the Azure external IP side. You should be able to get this going. Just remember on the Azure PAN on the IKE gateway setting, make sure to use the Local IP Address of the untrust interface in the local IP address. Then on the other PAN in the IKE gateway setting, make sure to add the Peer Identification IP address of the Azure PAN.
Hope that makes sense.
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
- Demystifying the SSL Decryption on Palo Alto Firewall in Next-Generation Firewall Discussions
- Setting up GlobalProtect Gateway in Azure VM-Series in GlobalProtect Discussions
- Global Protect and Azure SAML in GlobalProtect Discussions
- Certificates on Palo alto - Types to be installed in VM-Series in the Public Cloud
- Migrate VM series License to Software NGFW Credit based in VM-Series in the Public Cloud
