IPSEC tunnel between Cisco ASA and Palo-Alto PAN Firewalls

Today I am going to talk about an IPSEC tunnel between two remote sites, where one site has a Cisco ASA firewall and the other site has a Palo-Alto PAN firewall. You can say it is a kind of VPN tunnel over the internet between two firewalls from different vendors.

Below is the basic topology showing the IPSEC VPN secure tunnel between the Cisco ASA and the Palo-Alto PAN firewall.

Fig 1.1- IPSEC VPN Tunnel between Cisco and Palo-Alto Firewalls


Palo-Alto PAN Firewall
First of all you need to create the tunnel interface on the Palo-Alto firewall. To create the tunnel interface you also need a virtual router to assign it to. On the Palo-Alto GUI, go to Network > Interfaces and add a tunnel interface. You can keep the default assignments, such as Virtual Router default and Security Zone Trust.

Now you need to configure the IKE Crypto profile, which holds the IPsec phase 1 (IKE) parameters. Make sure all of these parameters match on the other side, where you have the Cisco ASA firewall.

Configure the IPSec Phase 1 crypto parameters:
Network > Network Profiles > IKE Crypto Profile

Configure the IKE Phase 1 Gateway:
Network > Network Profiles > IKE Gateway

The tunnel interface configured above terminates in the Trust zone, so traffic entering the tunnel is treated as trusted; if you want more granular control over the policies applied to tunnel traffic, put the tunnel interface in a separate VPN zone or another zone instead. Also note that the IKE gateway below is configured on the Untrust (outside) interface; do not confuse this with the tunnel interface terminating in a trusted zone.

Under Network > Network Profiles > IPSec Crypto Profile, define the IPSec Crypto profile that specifies the protocols and algorithms used for identification, authentication, and encryption in the VPN tunnel, as negotiated in the IPSec SA (IKEv1 Phase-2). These parameters must match on the remote firewall, which here is the Cisco ASA, for the IKE Phase-2 negotiation to succeed.

Configure the IPSec Phase 2 tunnel:
Network > IPSec Tunnels > General, where you configure the IPSec tunnel parameters used to establish the IPSec VPN tunnel between the two firewalls.

If the Cisco ASA is implemented as a policy-based VPN (as it is with the crypto map configuration below), you should configure the local proxy ID and remote proxy ID on the Palo-Alto tunnel so that they match the networks defined on the ASA side.

When a Proxy-ID is configured on the IPSec tunnel to identify the local and remote IP networks for traffic that is NATed, the Proxy-ID must be built from the post-NAT IP networks, because the Proxy-ID describes the networks that will be permitted over the tunnel on both sides of the IPSec configuration.

By using the "Tunnel Monitor" feature, the firewall automatically initiates the IPSec VPN tunnel and monitors whether the defined destination IP address on the far side is reachable.

Now, under Network > Virtual Routers > Static Routes, add a new route for the network that is behind the other VPN endpoint. Then create a Security Policy to allow the local network to communicate with the remote network over the VPN. This completes the Palo-Alto firewall configuration; now we can configure the Cisco ASA on the other end to successfully establish the IPSec VPN tunnel.

Cisco ASA Firewall
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address <WAN-side IP address> <subnet mask>
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address <LAN-side IP address> <subnet mask>
!

The ASA uses Access Control Lists (ACLs) in order to distinguish the traffic that should be protected with IPSec encryption from the traffic that does not need protection. It protects outbound packets that match a permit access control entry (ACE) and ensures that inbound packets that match a permit ACE arrive with protection.

!
object-group network local-network
 network-object <local network address> <subnet mask>
object-group network remote-network
 network-object <remote network address> <subnet mask>
!
access-list asa-router-vpn extended permit ip object-group local-network object-group remote-network
!
nat (inside,outside) source static local-network local-network destination static remote-network remote-network no-proxy-arp route-lookup
!
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
crypto map outside_map 10 match address asa-router-vpn
crypto map outside_map 10 set peer <Remote site Ip address>
crypto map outside_map 10 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map interface outside
!
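The ASA configuration above only shows the phase 2 pieces; the IKEv1 phase 1 policy and the tunnel-group that the crypto map depends on are shown below as an added example, not part of the original post. The values are constructed placeholders, and the Palo-Alto settings quoted in the comments are assumptions about what you enter in the IKE Crypto Profile, IKE Gateway and IPSec Crypto Profile; each pair must match exactly for the tunnel to come up.

```text
! Added example, not from the original post. Placeholder values in <...>.
!
! Phase 1 (IKEv1) - must mirror the Palo-Alto IKE Crypto Profile.
! Assumed PAN profile: aes-256-cbc / sha1 / group14 / lifetime 8 hours.
! Note: the ASA IKEv1 policy only offers "hash md5 | sha" (SHA-1), so the
! PAN side must use sha1 here; sha256 is only available for IKEv2.
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 28800
!
! Peer identity and pre-shared key - must mirror the Palo-Alto IKE Gateway
! (peer address = the PAN Untrust interface, same PSK on both sides).
tunnel-group <Remote site Ip address> type ipsec-l2l
tunnel-group <Remote site Ip address> ipsec-attributes
 ikev1 pre-shared-key <same pre-shared key entered on the PAN IKE Gateway>
!
! Phase 2 - the page's transform set ESP-AES-SHA (esp-aes esp-sha-hmac)
! corresponds to an assumed PAN IPSec Crypto Profile of aes-128-cbc / sha1.
! The crypto map sets no PFS, so the PAN profile's DH Group must be no-pfs,
! and its lifetime should equal the ASA SA lifetime below (1 hour).
crypto ipsec security-association lifetime seconds 3600
!
! Proxy-ID check for the policy-based ASA: the Local and Remote proxy IDs on
! the PAN IPSec tunnel must equal the networks in object-group local-network
! and object-group remote-network used by the crypto map ACL, otherwise
! phase 2 fails with a proxy-ID / traffic selector mismatch.
```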