Example IPSec tunnel configuration: Palo Alto Networks firewall to Cisco ASA

Created On 09/25/18 17:15 PM - Last Modified 06/13/23 01:50 AM


Resolution


The following is an example IPSec (IKEv1) tunnel configuration between a Palo Alto Networks firewall and a Cisco ASA firewall. The ASA side is shown as CLI commands, the Palo Alto Networks side as the corresponding XML from the device configuration. Each section pairs the two sides so the proposals can be compared line by line.

 

Phase 1 proposal

Cisco ASA:

crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

 

Palo Alto Networks Firewall:

<ike-crypto-profiles>
   <entry name="default">
      <encryption>
         <member>AES192</member>
         <member>AES256</member>
         <member>AES128</member>
         <member>3des</member>
      </encryption>
      <hash>
         <member>SHA1</member>
         <member>MD5</member>
      </hash>
      <dh-group>
         <member>group2</member>
         <member>group1</member>
      </dh-group>
      <lifetime>
         <hours>24</hours>
      </lifetime>
   </entry>
</ike-crypto-profiles>

The ASA policy (3des, sha, group 2, 86400 seconds) is contained in this profile: 3des, SHA1 and group2 are offered, and 24 hours equals 86400 seconds. MD5 and group1 are never proposed by the ASA policy above and only widen what the gateway accepts; they can be removed from the profile. 3des is needed here only because the ASA policy uses it.

 

Phase 2 proposal

Cisco ASA:

crypto ipsec transform-set Palo-Alto esp-aes-256 esp-sha-hmac
crypto map outside 20 set transform-set Palo-Alto

The crypto map sets neither a PFS group nor an SA lifetime, so the ASA uses its global IPsec SA lifetime (28800 seconds by default) while the Palo Alto Networks profile below uses 24 hours. Keep the two lifetimes identical, for example with `crypto map outside 20 set security-association lifetime seconds 86400`.

 

Palo Alto Networks Firewall:

<ipsec-crypto-profiles>
   <entry name="default">
      <esp>
         <encryption>
            <member>AES256</member>
         </encryption>
         <authentication>
            <member>SHA1</member>
         </authentication>
      </esp>
      <dh-group/>
      <lifetime>
         <hours>24</hours>
      </lifetime>
   </entry>
</ipsec-crypto-profiles>

AES256/SHA1 matches the ASA transform set esp-aes-256 esp-sha-hmac. The empty <dh-group/> means no PFS, which matches the ASA crypto map above (no `set pfs`). Both profile blocks sit under the <crypto-profiles> node of the network configuration.

 

Gateway

Cisco ASA:

crypto map outside 20 set peer 10.9.3.8
tunnel-group 10.9.3.8 type ipsec-l2l
tunnel-group 10.9.3.8 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold infinite

The peer address 10.9.3.8 is the Palo Alto Networks firewall's local address from the gateway below. `show running-config` masks the pre-shared key as `*`; it must be the same string that is configured on the Palo Alto Networks gateway. With `isakmp keepalive threshold infinite` the ASA does not initiate keepalive monitoring itself; the Palo Alto Networks side uses DPD instead.

 

Palo Alto Networks Firewall:

<gateway>
   <entry name="XYZ.ASA">
      <peer-address>
         <ip>10.88.12.253</ip>
      </peer-address>
      <local-address>
         <ip>10.9.3.8/24</ip>
         <interface>ethernet1/1</interface>
      </local-address>
      <authentication>
         <pre-shared-key>
            <key>k2VXNMN7gOjEFUe6y8ALut8vWzxw5TY0</key>
         </pre-shared-key>
      </authentication>
      <protocol>
         <ikev1>
            <exchange-mode>auto</exchange-mode>
            <ike-crypto-profile>default</ike-crypto-profile>
            <dpd>
               <enable>yes</enable>
               <interval>10</interval>
               <retry>3</retry>
            </dpd>
         </ikev1>
      </protocol>
   </entry>
</gateway>

The peer address 10.88.12.253 is the ASA's outside interface, and the ike-crypto-profile references the "default" IKE crypto profile defined above. The key is shown here as an example value only.

 

Phase 2 proxy ID / tunnel

Cisco ASA:

access-list ASAtoPAN extended permit ip 10.211.168.0 255.255.252.0 10.61.0.0 255.255.0.0
crypto map outside 20 match address ASAtoPAN

The ACL is written from the ASA's point of view: the source (10.211.168.0/22) is the network behind the ASA, the destination (10.61.0.0/16) is the network behind the Palo Alto Networks firewall. The Palo Alto Networks proxy ID below mirrors this pair.

 

Palo Alto Networks Firewall:

<tunnel>
   <ipsec>
      <entry name="XYZTunnel">
         <anti-replay>no</anti-replay>
         <copy-tos>no</copy-tos>
         <tunnel-monitor>
            <enable>no</enable>
         </tunnel-monitor>
         <tunnel-interface>tunnel.1</tunnel-interface>
         <auto-key>
            <ike-gateway>
               <entry name="XYZ.ASA"/>
            </ike-gateway>
            <ipsec-crypto-profile>default</ipsec-crypto-profile>
            <proxy-id>
               <local>10.61.0.0/16</local>
               <remote>10.211.168.0/22</remote>
            </proxy-id>
         </auto-key>
      </entry>
   </ipsec>
</tunnel>

The proxy ID's local network equals the ASA ACL's destination and its remote network equals the ACL's source. Anti-replay is disabled in this example; leave it enabled unless there is a specific reason not to, since it is what rejects replayed ESP packets.

 

 

Note: the protocol field under proxy ID must match the protocol in the ASA access list. The ACL above permits `ip` (any protocol), so the proxy ID's protocol is left at any; if the ACL were restricted to a specific protocol or port, the proxy ID would have to carry the same value.
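The sections above describe one procedure: every proposal and address on the ASA side must have a matching counterpart on the Palo Alto Networks side, with the proxy ID mirrored. As an added example (not part of the original article, and not Palo Alto Networks or Cisco code), the following Python script cross-checks the two halves mechanically. Both configurations from this page are embedded as constructed input; the enclosing `<network>` and `<ike>` XML nodes, the mapping from ASA algorithm keywords to PAN-OS member names, and the ASA default IPsec SA lifetime of 28800 seconds are assumptions of the example.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample input: the ASA commands from this page, as they appear in the running config.
ASA_CONFIG = """crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set Palo-Alto esp-aes-256 esp-sha-hmac
crypto map outside 20 set transform-set Palo-Alto
crypto map outside 20 set peer 10.9.3.8
crypto map outside 20 match address ASAtoPAN
access-list ASAtoPAN extended permit ip 10.211.168.0 255.255.252.0 10.61.0.0 255.255.0.0
"""

# Constructed sample input: the PAN-OS fragments from this page, reduced to the nodes read here; the enclosing <network>/<ike> nodes are assumed.
PAN_CONFIG = """<network><ike><crypto-profiles>
<ike-crypto-profiles><entry name="default">
<encryption><member>AES192</member><member>AES256</member><member>AES128</member><member>3des</member></encryption>
<hash><member>SHA1</member><member>MD5</member></hash><dh-group><member>group2</member><member>group1</member></dh-group>
<lifetime><hours>24</hours></lifetime></entry></ike-crypto-profiles>
<ipsec-crypto-profiles><entry name="default"><esp><encryption><member>AES256</member></encryption>
<authentication><member>SHA1</member></authentication></esp><dh-group/><lifetime><hours>24</hours></lifetime>
</entry></ipsec-crypto-profiles></crypto-profiles>
<gateway><entry name="XYZ.ASA"><peer-address><ip>10.88.12.253</ip></peer-address>
<local-address><ip>10.9.3.8/24</ip><interface>ethernet1/1</interface></local-address></entry></gateway></ike>
<tunnel><ipsec><entry name="XYZTunnel"><anti-replay>no</anti-replay>
<proxy-id><local>10.61.0.0/16</local><remote>10.211.168.0/22</remote></proxy-id></entry></ipsec></tunnel></network>"""

# ASA algorithm keywords mapped to the member names used in the PAN-OS profiles above (assumed mapping).
ASA_TO_PAN = {"3des": "3des", "aes": "AES128", "aes-192": "AES192", "aes-256": "AES256",
              "sha": "SHA1", "md5": "MD5", "esp-3des": "3des", "esp-aes": "AES128",
              "esp-aes-192": "AES192", "esp-aes-256": "AES256",
              "esp-sha-hmac": "SHA1", "esp-md5-hmac": "MD5"}


def parse_asa(text):
    # 28800 s is the ASA default IPsec SA lifetime; assumed unchanged unless the crypto map sets one.
    asa = {"isakmp": {}, "acl": {}, "p2_lifetime": 28800}
    for line in text.splitlines():
        w = line.split()
        if line.startswith(" ") and len(w) == 2:          # attribute lines under "crypto isakmp policy"
            asa["isakmp"][w[0]] = w[1]
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            asa["esp_enc"], asa["esp_auth"] = w[4], w[5]
        elif w[:2] == ["crypto", "map"] and w[4:6] == ["set", "peer"]:
            asa["peer"] = w[6]
        elif w[:2] == ["crypto", "map"] and w[4:8] == ["set", "security-association", "lifetime", "seconds"]:
            asa["p2_lifetime"] = int(w[8])
        elif w[:2] == ["crypto", "map"] and w[4:6] == ["match", "address"]:
            asa["acl_name"] = w[6]
        elif w[:1] == ["access-list"] and w[3:5] == ["permit", "ip"]:
            # The ACL is written from the ASA's side: source = ASA-side network, destination = PAN-side.
            src, dst = ipaddress.ip_network((w[5], w[6])), ipaddress.ip_network((w[7], w[8]))
            asa["acl"].setdefault(w[1], []).append((str(src), str(dst)))
    return asa


def parse_pan(xml_text):
    root = ET.fromstring(xml_text)
    ike, esp = "ike/crypto-profiles/ike-crypto-profiles/entry", "ike/crypto-profiles/ipsec-crypto-profiles/entry"
    members = lambda path: [m.text for m in root.findall(path + "/member")]
    return {
        "ike_algs": members(ike + "/encryption") + members(ike + "/hash") + members(ike + "/dh-group"),
        "ike_lifetime": int(root.findtext(ike + "/lifetime/hours")) * 3600,
        "esp_algs": members(esp + "/esp/encryption") + members(esp + "/esp/authentication"),
        "esp_lifetime": int(root.findtext(esp + "/lifetime/hours")) * 3600,
        "local_ip": root.findtext("ike/gateway/entry/local-address/ip").split("/")[0],
        "anti_replay": root.findtext("tunnel/ipsec/entry/anti-replay"),
        "proxy_ids": {(p.findtext("local"), p.findtext("remote")) for p in root.findall("tunnel/ipsec/entry/proxy-id")},
    }


def compare(asa, pan):
    """Findings: MISMATCH lines keep the tunnel down, WARN lines are hygiene a reviewer should flag."""
    p1, out = asa["isakmp"], []
    required = {ASA_TO_PAN[p1["encryption"]], ASA_TO_PAN[p1["hash"]], "group" + p1["group"]}
    out += ["MISMATCH phase 1: ASA proposes %s, PAN IKE profile lacks it" % a for a in sorted(required - set(pan["ike_algs"]))]
    if int(p1["lifetime"]) != pan["ike_lifetime"]:
        out.append("MISMATCH phase 1 lifetime: ASA %s s, PAN %d s" % (p1["lifetime"], pan["ike_lifetime"]))
    out += ["MISMATCH phase 2: transform %s not in PAN IPsec profile" % a
            for a in (asa["esp_enc"], asa["esp_auth"]) if ASA_TO_PAN[a] not in pan["esp_algs"]]
    if asa["p2_lifetime"] != pan["esp_lifetime"]:
        out.append("WARN phase 2 lifetime: ASA %d s, PAN %d s; set both equal" % (asa["p2_lifetime"], pan["esp_lifetime"]))
    if asa["peer"] != pan["local_ip"]:
        out.append("MISMATCH peer: ASA 'set peer %s' vs PAN local-address %s" % (asa["peer"], pan["local_ip"]))
    # The PAN proxy-id is written from the PAN side, so its (local, remote) must mirror the ASA ACL's (src, dst).
    expected = {(dst, src) for src, dst in asa["acl"].get(asa["acl_name"], [])}
    out += ["MISMATCH proxy-id local %s remote %s present on one side only" % p for p in sorted(expected ^ pan["proxy_ids"])]
    for alg in sorted({"3des", "MD5", "group1"} & set(pan["ike_algs"])):
        why = "required by the ASA policy, upgrade both sides" if alg in required else "never proposed by the ASA, remove it"
        out.append("WARN weak phase 1 algorithm %s in PAN profile: %s" % (alg, why))
    if pan["anti_replay"] != "yes":
        out.append("WARN anti-replay disabled on the PAN tunnel")
    return out


def check(asa_text=ASA_CONFIG, pan_text=PAN_CONFIG):
    return compare(parse_asa(asa_text), parse_pan(pan_text))
```

Run `check()` against exports of both devices. For the configuration on this page it reports no MISMATCH lines, which is why the tunnel comes up, but it does flag what a reviewer would: the ASA's phase 2 SA lifetime is left at its default while the PAN profile says 24 hours, MD5 and group1 in the IKE profile are dead weight for this peer, 3des is weak on both sides, and anti-replay is off. Swapping local and remote in the proxy ID, the most common mistake in this setup, produces two MISMATCH proxy-id lines.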

 

Owner: Panagent


