
Cisco Systems VPN Adapter

L2 Linker

Hi,

I see there is now support for the Cisco Systems VPN Adapter; however, I am trying to figure out what exactly is supported. Am I now able to connect to the firewall via Cisco IPSEC VPN from the Cisco VPN Client software, or is this support for something else?

I ask as we have engineers that connect to many sites and GlobalProtect is not geared this way.

Thanks,

16 REPLIES

L7 Applicator

I tried looking through the more recent Release Notes, and I was not able to find much on this.

Do you mind me asking where you saw that referenced? I have a partial answer, but want to wait for your answer.

Kind Regards,

LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items if a post is helpful to you!

Hi,

In the portal, when I click Client Configuration, I can add a third-party adapter. So I was not sure what that was in reference to.

If you have more info on it, that would be great. I am still trying to get my head around GlobalProtect.

We use Cisco VPN Client 5.0 to connect to PA's.  The Portal must be configured with the Cisco VPN Adapter being allowed, and the Gateway needs to use tunnel mode with XAuth (Group Name/Secret).  Have you attempted connection with these settings?

Thanks BCSGROUP,

It is possible that Cisco IPSEC clients with the XAUTH feature could work, but it is not tested or supported at this time for Windows, Linux or Mac-OS.

The other thing that I heard/read was that the routes for the destination network may not show up, and as long as you are manually adding in the routes, then you might be OK.

LIVEcommunity team member
Stay Secure,
Joe

Thanks for the info.

Any chance I can get some info on how this is done? Do you just create a portal with these settings, or do you have to do the full GlobalProtect config?

@bcsgroup:

Although not officially supported, the Cisco VPN Client does work. It does not append the mask/gateway to your client, but you should still have no issues connecting to devices within your local network.

You must configure the Portal/Gateway under Network > GlobalProtect and use a tunnel interface placed inside the appropriate security zone. Remember to create/use your certificates appropriately and have them configured for use on the Gateway (certificate) and Portal (CA and certificate).

Under Portal:

Create a profile using your local interface (external) and the local IP that you wish to use for VPN connectivity. Choose the standard certificate that is signed by the CA used in your Client Configuration, and choose your authentication methods. Under Client Configuration, set up a profile using your external IP/mask for connectivity with Priority 1 and choose your Root CA.

Under Gateway:

Ensure that you have tunnel mode chosen and have checked Enable IPSec, check Enable X-Auth Support (verify group name and group password), and check Skip Auth on IKE Rekey.

Choose your external Tunnel Gateway Interface and Address used for the VPN/Portal, and under Client Configuration make sure you have your DNS, VPN IP-Pool, and Access Route configured.

Under Policies > Security:

Ensure that you have a rule above any blocking statements that allows the ipsec, ike, ssl, web-browsing, and ciscovpn applications to your VPN Gateway IP.

Using Cisco VPN Client:

Set up the connection profile with the Gateway IP, group name, and group password. Connect and enter your credentials.

If you have any issues, enter the log responses here.

Hi,

I also configured the PA to work with the Cisco VPN Client and it works OK. The only problem is that the connection expires after one hour and the client must reconnect. I cannot find the setting to change this expiration time. Do you have any idea how to change this lifetime?

Hi,

I have managed to configure the Cisco VPN client to work along-side our PA firewalls.

Much better client than Global Protect as it behaves like it should and works with corporate proxy settings as expected!

Thanks for the info.

lancom,

which PAN-OS version? This bug was fixed in 4.0.8.

33542 – SSL VPN user to IP mappings are being lost after about an hour in an HA configuration when the mappings do not contain information. Issue due to idle timeout and maximum ttl not matching the expiration ttl of the SSL VPN connections.

wscmtts,

I have PAN-OS 4.1.2 and this is not the same problem. I configured the Gateway with IPSec and X-Auth support. As the client I use Cisco VPN Client 5, which supports only IPSec VPN connections. When I open the "More Users Info" window to see the active connection, I have a Lifetime of connection set to 3660 sec. When I configured the gateway I set the login lifetime parameter to 24 hours. I also get a System log message that the IPSec key has expired. I just do not know where I can change this parameter.

Hello lancom,

Did you find a solution to the lifetime timer (3660 sec)?

I ran into the same issue...

Regards,

Hedi

Hi,

I still have an open case on this matter. We found out that it is the same problem with the iPad native client, which is supported by Palo Alto.

So I'm waiting for a response from the support team.

Hi Iancom,

If you hear back can you leave a post, as I am having the same issue!

Thanks

Does your case close and get a workaround?

Could you please share a solution?
