How To Do an IPSec VPN Configuration Between PAN Firewall and Cisco ASA
Darshan K. Doshi describes how to configure IPSec VPN between Palo Alto and Cisco ASA. Read more …
Notice: This blog post was originally published on Indeni before its acquisition by BlueCat.
The content reflects the expertise and perspectives of the Indeni team at the time of writing. While some references may be outdated, the insights remain valuable. For the latest updates and solutions, explore the rest of our blog
Key takeawaysThis key takeaway was generated through LLMs crawling the page and coming up with an overview of the content.This article is a step-by-step guide for configuring an IPSec VPN between a Palo Alto Networks (PAN) firewall and a Cisco ASA, intended for environments where the PAN device has at least two Layer 3 interfaces. It explains creating a tunnel interface, assigning it to a virtual router and zone, and emphasizes zone-to-zone policy considerations as well as matching IKEv1 Phase-1 parameters with the Cisco ASA. The guide highlights the operational impact of ensuring correct interface, routing, and cryptographic profile settings so traffic can flow through the tunnel and align with automation and benchmarking workflows like Indeni Insight.
What initial PAN firewall interface settings are required to create the IPSec tunnel?
You must create a tunnel interface (for example tunnel.1) under Network > Tunnel Interface and assign it to a virtual router (default in the guide) and a zone that corresponds to the Layer 3 internal zone where traffic originates. The PAN firewall must have at least two interfaces in Layer 3 mode. If the tunnel interface resides in a different zone than the traffic source or destination, you need to create a security policy to allow traffic to flow from the source zone to the zone containing the tunnel interface.
How should I handle routing when adding the tunnel interface to the PAN firewall?
Assign the tunnel interface to a virtual router (the guide uses the default virtual router) so the firewall can perform routing for traffic traversing the tunnel. Ensure the virtual router has appropriate routes for the remote networks reachable via the tunnel. If the tunnel interface is placed in a zone different from the traffic source, configure policies to permit traffic between zones; the guide references separate articles for configuring virtual routers and Layer 3 interfaces if additional help is needed.
What must match on the Cisco ASA for IKE Phase-1 to negotiate successfully?
The IKEv1 Phase-1 parameters defined in the PAN firewall’s Network > Network Profiles > IKE Crypto Profile must match the Cisco ASA’s corresponding IKE Phase-1 settings. These cryptographic and negotiation parameters are critical for successful IKE Phase-1 negotiation between the two devices. The guide notes that mismatched IKE Phase-1 parameters will prevent the Phase-1 negotiation from completing, and that the IKE Crypto Profile is configured under the specified Network Profiles section on the PAN firewall.
Step by Step Guide: IPSec VPN Configuration
Between a PAN Firewall and Cisco ASA
To keep your business online and ensure critical devices, such as Check Point firewalls, meet operational excellence standards it is helpful to compare your environment to a third party data set. As part of the Indeni Automation Platform, customers have access to Indeni Insight which benchmarks adoption of the Check Point capabilities and user behavior to adhere to ITIL best practices.
+++
Overview:
This document describes the step by step guide on how to configure IPSec VPN and assumes the Palo Alto Firewall has at least 2 interfaces in Layer 3 mode. If you find this article helpful check out how you can automate your PAN network with Indeni.
High Level Diagram:
IP schema specification:
Steps to be followed on Palo Alto Networks Firewall for IPSec VPN Configuration
Go to Network > Tunnel Interface to create a new tunnel interface and assign the following parameters:
Name: tunnel.1
Virtual router: default
Please refer this article if you need any help to configure Virtual Router on Palo Alto Networks.
Zone: (select the layer 3 internal zone from which the traffic will originate)
Please refer this article if you need any help to configure Layer 3 interface on Palo Alto Networks.
Note: If the tunnel interface is in a zone different from the zone where the traffic will originate or depart, then a policy will need to be created to allow the traffic to flow from the source zone to the zone containing the tunnel interface.
Configure IPSec Phase – 1 configuration
To Network > Network Profiles > IKE Crypto Profile and define IKE Crypto (IKEv1 Phase-1) parameters.
(These parameters must match on the Cisco ASA firewall for the IKE Phase-1 negotiation to be successful)
Related content
How to map your network with user-defined links in Integrity X
Map your network with user-defined links in Integrity X to define and manage custom relationships, such as dual-stack and NAT environments.
Automate your DDI modernization path by migrating with Micetro
Automate cross-platform DNS and DHCP migration with Micetro to reduce risk, eliminate manual effort, and modernize infrastructure faster.
Your journey to intelligent NetOps begins at Cisco Live
Visit BlueCat’s booth or book a meeting now to learn more about how our solutions can help you build a network that supports constant change.
Replace BIND and ISC with Micetro DNS/DHCP Server (MDDS)
Tired of patching and manually configuring BIND DNS and ISC DHCP? Discover how Micetro MDDS appliances can replace them for modern DDI.