Palo Alto Networks Knowledgebase: Dynamic IPSec site to site between Cisco ASA and PA firewall (dynamic)
Created On 02/07/19 23:57 PM - Last Updated 02/07/19 23:57 PM
Topology is as follows:
The Palo Alto Networks firewall gets its IP address from DHCP. We have to configure the IPsec tunnel between the Palo Alto Networks device and the Cisco ASA. The only difference on the Palo Alto Networks firewall is in the IKE Gateway; the rest is the same as for a normal VPN.
Configuration on Cisco ASA.
1. Define Proxy ACL for interesting traffic:
access-list ASA-PA-ACL extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
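Added example, not part of the original article: the IPsec traffic selectors on the two peers must mirror each other, so the Proxy ID on the Palo Alto Networks side has to be this ACL with local and remote swapped. The Python below parses the ACL line and checks a peer's selectors against that mirror; the function names are hypothetical and the peer values in the demo are constructed.

```python
import ipaddress
import re

# Matches only the "network mask network mask" form used on this page.
# "any", "host" and object-group entries are rejected rather than guessed at.
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+permit\s+(?P<proto>\S+)\s+"
    r"(?P<src>[\d.]+)\s+(?P<smask>[\d.]+)\s+(?P<dst>[\d.]+)\s+(?P<dmask>[\d.]+)$"
)

def parse_proxy_acl(line):
    """Parse one ASA extended ACL line into local/remote networks (ASA's view)."""
    m = ACL_RE.match(line.strip())
    if m is None:
        raise ValueError("unsupported ACL form: " + line.strip())
    # ip_network() raises ValueError if host bits are set or the mask is invalid.
    return {
        "acl": m["name"],
        "protocol": m["proto"],
        "local": ipaddress.ip_network(m["src"] + "/" + m["smask"]),
        "remote": ipaddress.ip_network(m["dst"] + "/" + m["dmask"]),
    }

def mirrored_selectors(entry):
    """Selectors as the peer must present them: local and remote swapped."""
    return {"local": entry["remote"], "remote": entry["local"]}

def selector_mismatches(entry, peer_local, peer_remote):
    """Compare the peer's configured selectors (CIDR strings) with the mirror."""
    want = mirrored_selectors(entry)
    got = {"local": ipaddress.ip_network(peer_local),
           "remote": ipaddress.ip_network(peer_remote)}
    return [
        f"{side}: peer has {got[side]}, ACL {entry['acl']} requires {want[side]}"
        for side in ("local", "remote")
        if got[side] != want[side]
    ]

if __name__ == "__main__":
    acl = ("access-list ASA-PA-ACL extended permit ip "
           "10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0")  # line from the page
    entry = parse_proxy_acl(acl)
    print(mirrored_selectors(entry))
    # Constructed peer values: a /16 on the peer's local side does not match.
    for problem in selector_mismatches(entry, "192.168.0.0/16", "10.1.1.0/24"):
        print("MISMATCH", problem)
```

A selector that is broader or narrower than the mirror is reported as a mismatch, which is the usual reason phase 2 fails to come up between a policy-based and a route-based peer.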