01-25-2012 10:40 PM
Hi,
I see there is now support for the Cisco Systems VPN Adapter; however, I am trying to figure out what exactly is supported. Am I now able to connect to the firewall via Cisco IPSEC VPN from the Cisco VPN Client software, or is this support for something else?
I ask as we have engineers that connect to many sites and GlobalProtect is not geared this way.
Thanks,
01-26-2012 11:06 AM
I tried looking through the more recent Release Notes, and I was not able to find much on this.
Do you mind me asking where you saw that referenced? I have a partial answer, but want to wait for your answer.
Kind Regards,
01-26-2012 12:12 PM
Hi,
In the portal, when I click Client Configuration I can add a third-party adapter, so I was not sure what that was in reference to.
If you have more info on it, that would be great. I am still trying to get my head around GlobalProtect.
01-26-2012 01:09 PM
We use Cisco VPN Client 5.0 to connect to PA's. The Portal must be configured with the Cisco VPN Adapter being allowed, and the Gateway needs to use tunnel mode with XAuth (Group Name/Secret). Have you attempted connection with these settings?
01-26-2012 01:51 PM
Thanks BCSGROUP,
It is possible that Cisco IPSEC clients with the XAUTH feature could work, but it is not tested or supported at this time for Windows, Linux or Mac-OS.
The other thing that I heard/read was that the routes for the destination network may not show up, and as long as you are manually adding in the routes, then you might be OK.
01-26-2012 07:30 PM
Thanks for the info.
Any chance I can get some info on how this is done? Do you just create a portal with these settings, or do you have to do the full GlobalProtect config?
01-27-2012 05:37 AM
@bcsgroup:
Although not officially supported, the Cisco VPN Client does work. It does not append the mask/gateway to your client, but you should still have no issues connecting to devices within your local network.
You must configure the Portal/Gateway under Network>GlobalProtect and use a tunnel interface placed inside the appropriate security zone. Remember to create/use your certificates appropriately and have them configured for use on the Gateway (certificate) and Portal (CA and certificate).
Under Portal:
Create a profile using your local interface (external) and local IP that you wish to use for VPN connectivity. Choose the standard certificate that is signed by the CA used in your Client Configuration, and choose your authentication methods. Under Client Configuration, set up a profile using your external IP/mask for connectivity with Priority 1 and choose your Root CA.
Under Gateway:
Ensure that you have tunnel mode chosen and have checked Enable IPSec, check Enable X-Auth Support (verify group name and group password), and check Skip Auth on IKE Rekey.
Choose your external Tunnel Gateway Interface and Address used for the VPN/Portal, and under Client Configuration make sure you have your DNS, VPN IP-Pool, and Access Route configured.
Under Policies>Security:
Ensure that you have a rule above any blocking statements that allows ipsec, ike, ssl, web-browsing, and ciscovpn applications to your VPN Gateway IP.
Using Cisco VPN Client:
Set up the connection profile with the Gateway IP, group name, and group password. Connect and enter your credentials.
If you have any issues, enter the log responses here.
04-19-2012 04:41 AM
Hi,
I also configured PA to work with the Cisco VPN Client and it works OK. The only problem is that the connection expires after one hour and the client must reconnect. I cannot find the setting to change this expiration time. Do you have any idea how to change this lifetime?
04-23-2012 03:25 AM
Hi,
I have managed to configure the Cisco VPN client to work along-side our PA firewalls.
Much better client than Global Protect as it behaves like it should and works with corporate proxy settings as expected!
Thanks for the info.
04-23-2012 07:09 AM
lancom,
Which PAN-OS version? This bug was fixed in 4.0.8.
33542 – SSL VPN user to IP mappings are being lost after about an hour in an HA configuration when the mappings do not contain information. Issue due to idle timeout and maximum ttl not matching the expiration ttl of the SSL VPN connections.
04-23-2012 08:43 AM
I have PAN-OS 4.1.2 and this is not the same problem. I configured the Gateway with IPSec and X-Auth support. As a client I use Cisco VPN Client 5, which supports only IPSec VPN connections. When I open the "More Users Info" window to see the active connection, I have a Lifetime of connection set to 3660 sec. When I configured the gateway I set the login lifetime parameter to 24 hours. I also get a System log message that the IPSec key has expired. I just do not know where I can change this parameter.
07-25-2012 11:55 PM
Hello lancom,
Did you find a solution to the lifetime timer (3660 sec)?
I run into the same issue...
Regards,
Hedi
07-26-2012 12:22 AM
Hi,
I still have an open case on this matter. We found out that it is the same problem with the iPad native client, which is supported by Palo Alto.
So I'm waiting for a response from the support team.
10-08-2012 03:57 AM
Did your case close, and did you get a workaround?
Could you please share a solution?