IPSEC tunnel between Cisco ASA and Palo-Alto PAN Firewalls
Today I am going to talk about the IPSEC tunnel between two remote sites. In this case one site has a Cisco ASA firewall while the other site has a Palo-Alto PAN firewall, so you can say that it is a kind of VPN tunnel over the internet between two firewalls from different vendors.
Below is the basic topology showing the IPSEC VPN tunnel between the Cisco ASA and the Palo-Alto PAN firewall.
Fig 1.1- IPSEC VPN Tunnel between Cisco and Palo-Alto Firewalls
Palo-Alto PAN Firewall
First of all you need to create the tunnel interface on the Palo-Alto firewall. The tunnel interface has to belong to a virtual router and a security zone, so on the Palo-Alto GUI go to Network > Interfaces, add a tunnel interface and give it a name. You can keep the defaults here: Virtual Router "default" and Security Zone "Trust".
Now you need to set up the IKE Crypto profile, which holds the IPsec Phase 1 parameters. Make sure that every one of these parameters matches the other side, where you have the Cisco ASA firewall.
Configure the IPSec Phase 1 parameters: Network > Network Profiles > IKE Crypto Profile
Configure the IKE Phase-1 Gateway: Network > Network Profiles > IKE Gateway
The tunnel configured above terminates in the Trust zone for the traffic negotiating the tunnel; if more granular control over the policy applied to tunnel traffic is wanted, put the tunnel interface in a VPN or other dedicated zone instead. Also note that the gateway configuration below is bound to the Untrust (WAN) interface, not to be confused with the tunnel interface terminating in a trusted zone.
Network > Network Profiles > IPSec Crypto Profile: define the IPSec Crypto profile to specify the protocols and algorithms for identification, authentication and encryption in VPN tunnels based on the IPSec SA negotiation (IKEv1 Phase-2). These parameters must match the remote firewall, the Cisco ASA, for the IKE Phase-2 negotiation to succeed.
Configure the IPSec Phase 2 parameters: Network > IPSec Tunnels > General, configure the IPSec tunnel to set up the parameters used to establish the IPSec VPN tunnel between the firewalls.
If the Cisco ASA is implemented as a policy-based VPN, then you should configure the local proxy ID and remote proxy ID to match the other side (the networks in the crypto ACL on the ASA).
When the IPSec Tunnel Proxy-ID configuration identifies local and remote IP networks for traffic that is NATed, the Proxy-ID must be configured with the post-NAT IP networks, since the Proxy-ID describes the networks that will be permitted over the tunnel on both sides of the IPSec configuration.
By using the “Tunnel Monitor” feature, you can have the IPSec VPN tunnel initiated automatically as soon as the defined destination IP address becomes reachable.
Now go to Network > Virtual Routers > Static Routes and add a new route for the network behind the other VPN endpoint, via the tunnel interface. Create the security policy to allow the local network to communicate with the remote network over the VPN. With that we are done configuring the Palo Alto firewall; now we can configure the Cisco ASA on the other end to successfully establish the IPSec VPN tunnel.
Cisco ASA Firewall
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address <put the IP address and mask towards the WAN side here>
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address <put the IP address and mask towards the LAN side here>
!
The ASA uses Access Control Lists (ACLs) to distinguish the traffic that should be protected with IPSec encryption from the traffic that does not need protection. It protects outbound packets that match a permit access control entry (ACE) and ensures that inbound packets matching a permit ACE arrive protected.
!
object-group network local-network
 network-object <local network address> <mask>
object-group network remote-network
 network-object <remote network address> <mask>
!
access-list asa-router-vpn extended permit ip object-group local-network object-group remote-network
!
nat (inside,outside) source static local-network local-network destination static remote-network remote-network no-proxy-arp route-lookup
!
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
crypto map outside_map 10 match address asa-router-vpn
crypto map outside_map 10 set peer <remote site IP address>
crypto map outside_map 10 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map interface outside
!
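The ASA configuration above stops at the crypto map; the tunnel will not come up until IKEv1 is enabled on the outside interface, a Phase 1 policy exists and the peer has a tunnel-group carrying the pre-shared key. The block below is an added example, not configuration from the original post: all values in angle brackets are placeholders, and the cipher, hash, DH group and lifetimes are assumptions that you must set identically in the Palo-Alto IKE Crypto profile (Phase 1) and IPSec Crypto profile (Phase 2).

```cisco
! Added example - completes the ASA side of the IKEv1 site-to-site tunnel.
! Everything in <angle brackets> is a placeholder; algorithm values are
! assumptions that must match the Palo-Alto profiles, not values from the post.
!
! Phase 1 (ISAKMP) policy - mirror these in the PA IKE Crypto profile:
! encryption aes = AES-128-CBC, hash sha = SHA1, group 2 = DH group2,
! lifetime 86400 s = 24 hours.
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
!
! Peer identity and pre-shared key - the PA IKE Gateway must use the same secret
tunnel-group <remote-peer-ip> type ipsec-l2l
tunnel-group <remote-peer-ip> ipsec-attributes
 ikev1 pre-shared-key <shared-secret>
!
! Phase 2 SA lifetime for the crypto map entry defined above (3600 s = 1 hour);
! set the same lifetime in the PA IPSec Crypto profile.
crypto map outside_map 10 set security-association lifetime seconds 3600
!
! The ASA needs a route towards the peer (and therefore the remote network)
! via the outside interface - a default route towards the ISP is enough.
route outside 0.0.0.0 0.0.0.0 <isp-next-hop> 1
!
! Verification after sending traffic that matches access-list asa-router-vpn
show crypto ikev1 sa
show crypto ipsec sa peer <remote-peer-ip>
show crypto map
```

Two things to check against the Palo-Alto side: the transform set on the page (esp-aes esp-sha-hmac) corresponds to AES-128-CBC with SHA1 in the PA IPSec Crypto profile, and because the crypto map entry carries no `set pfs` command, the PA IPSec Crypto profile must have DH group set to no-pfs, otherwise Phase 2 will fail even though Phase 1 completes. In `show crypto ipsec sa` the local and remote identities should equal the object-group networks on the ASA and the Proxy-IDs configured on the Palo-Alto.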