Palo Alto Networks Knowledgebase: IPSec site-to-site between Palo Alto Networks firewall and Cisco

IPSec site-to-site between Palo Alto Networks firewall and Cisco

33386
Created On 02/07/19 23:55 PM - Last Updated 02/07/19 23:56 PM
VPNs
Resolution

Details

The following diagram illustrates an IPSec site-to-site between a Palo Alto Networks firewall and Cisco:

Topology.jpg

 

Tunnel Interface

Create a tunnel interface and select virtual router and security zone. The security policy needs to allow traffic from the LAN zone to the VPN zone, if placing the tunnel interface in some separate zone other than the internal LAN network zone.

 

The IP address is not required. To run the routing protocol through the tunnel, you must add an IP address to the tunnel interface.

 

Tunnel.jpg

 

Tunnel1.png

 

Tunnel2.png

 

Loopback Interface

For this scenario we are using a Loopback interface to simulate a host in an internal zone for testing purposes, otherwise there is no need for the loopback interface.

 

Looback 1.jpg

 

Looback 2.jpg

 

Looback 3.jpg

 

Phase 1

Create a Phase 1 policy, which will be the same on both sides:

Phase1.jpg

 

Phase 2

Create a Phase 2 policy, which will be the same on both sides:

 

Phase2.png

 

IKE Gateway

The peer IP address must be reachable through the interface Ethernet 1/1, as shown below:

 

IkeGateway1.png

 

IkeGateway2.png

 

IPSec Tunnel

Select the tunnel interface, the IKE gateway, and the IPSec Crypto profile to make sure the Proxy-ID is added, otherwise phase 2 will not come up.

 

IPSectunnel1.png

 

IPSecTunnel2.png

 

Route

Add the route of the internal network of the other side pointing towards the tunnel interface and select None:

 

RouteToInternal.png

Configuring Cisco

 

ip access-list extended Crypto_Acl
permit ip 10.50.50.0 0.0.0.255 16.16.16.0 0.0.0.255

crypto isakmp policy 16
encr aes
hash md5
authentication pre-share
group 5

crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0

crypto ipsec transform-set TSET esp-aes esp-sha-hmac

crypto map CMAP 10 ipsec-isakmp
set peer 10.50.240.55
set transform-set TSET
match address Crypto_Acl

interface FastEthernet0/0
crypto map CMAP

 

owner: pakumar



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClJ3CAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language