I set up the tunnel in my home lab, not over the live internet, which is why public IPs weren't used for the peers. The loopback was just created as a placeholder for an internal network on one side of the VPN for testing. Thanks for the post, Keith Barker
Hi Keith, could you show me how I can set up an IPsec tunnel between two Palo Altos using Dynamic IP? I chose dynamic but I can't find any KEYID for my Palos.
This is a good tutorial and I'll be setting up a site-to-site this week between a PA-3020 and an ASA5510. The only part that you don't go over, which I'll have to figure out, is the tunnel monitoring for 2 ISPs on each end, since I'll be setting up 4 tunnels for redundancy. In my experience with PA, you can use whatever addresses to monitor. But with PA to SonicWalls, you need an isolated network for the monitor, so I use a random /30. I wonder how the ASA is going to treat this.
Hi Keith, what about the proxy ID if on the Cisco device the default route is to the tunnel interface? I mean all traffic from the Cisco router should go through the tunnel, even the Internet. Should I put 0.0.0.0/0 as the local proxy ID in the PA firewall?
Very nice video, Keith! Is it possible that you could make a video where you configure an ASA5505, for example, to be used as an EasyVPN client that connects to a Palo Alto? We have a lot of them at my work and I had an idea to configure them to use our two Palo Altos instead of connecting to our two ASA5520s for better speed. Our client ASAs have random global IP addresses, so we can't use static IPs like you do in this site-to-site configuration. A video like that would rule the world!
Hi Keith, I want to know whether, in the Palo Alto part, you used the proxy ID only to create the interesting traffic that we want to encrypt, like in Cisco we use an ACL? Also, when do we use PFS, because I haven't seen any video on that? Thanks.
Hi Keith, I am trying to build an IPsec VPN between our Palo Alto PA5050 and our vendor's Cisco ISR 4300. The IPsec VPN configuration on the Cisco side is using tunnel protection with an IPsec profile, and both configurations seem legit and the ACLs are matching on both sides. But for some reason, the Palo Alto system logs are showing proxy ID not matching, and received local ID 0.0.0.0/0 and received remote ID 0.0.0.0/0. So phase 2 will come up, but after a few seconds it goes down. Not sure where the issue is. Can you assist?
Hi Keith, it would be good if you included the part about creating the 5.5.5.5 interface. It seems odd that you never specify public IPs. If you're making a tunnel over the internet, why aren't the public IPs at each site used?
With that said, I'm a bit stressed out. My employer is sending me today to build a site-to-site VPN tunnel (using a PAN firewall) for a customer, and I'm hoping that it will go as smoothly as you made it look here.
Yes, if it is another network that you need to traverse the L2L, then it needs to be added on both the PAN (Proxy ID) and the ASA (ACL). The ASA is a route-based VPN whereas the PAN is a policy-based VPN, hence the need for Proxy IDs when terminating an L2L from a PAN to an ASA. For teaching purposes you should have added each step along with security policy creation, creation of a new zone for the L2L or leveraging the existing Trust zone (pros and cons), etc. All in all, a good entry to PAN L2Ls.
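The PA5050 question earlier in the thread (received local ID 0.0.0.0/0, received remote ID 0.0.0.0/0, Phase 2 dropping after a few seconds) and the point just above about adding each network on both the PAN Proxy ID and the ASA ACL are the same Phase 2 traffic-selector check seen from two angles. The Python script below is an added example, not code from the video or from either vendor. It models what each side proposes, recognises the route-based any/any case that a Cisco tunnel with `tunnel protection ipsec profile` (a VTI) negotiates, and reports the mirror mismatches that show up in the Palo Alto system log as "proxy ID not matching". The subnets and function names are constructed for the illustration; the rule that a Proxy ID on the PAN must be the swapped image of the crypto ACL line on the Cisco is the only thing it encodes.

```python
from ipaddress import ip_network

# Constructed example networks for the illustration, not from the video.
PAN_LOCAL = "10.1.1.0/24"        # subnet behind the Palo Alto
CISCO_LOCAL = "192.168.50.0/24"  # subnet behind the Cisco

ANY = ip_network("0.0.0.0/0")


def _norm(selector):
    """(local, remote) CIDR strings -> (IPv4Network, IPv4Network)."""
    local, remote = selector
    return ip_network(local, strict=False), ip_network(remote, strict=False)


def is_route_based(selectors):
    """True when every selector is 0.0.0.0/0 <-> 0.0.0.0/0, which is what a
    Cisco VTI (tunnel protection ipsec profile) or a Palo Alto tunnel with no
    Proxy ID proposes in Phase 2."""
    return bool(selectors) and all(_norm(s) == (ANY, ANY) for s in selectors)


def mirror_mismatches(pan_proxy_ids, cisco_acl):
    """Compare policy-based selectors. pan_proxy_ids are (local, remote) as the
    PAN sees them; cisco_acl lines are (source, destination) as the Cisco sees
    them. They agree only when each pair appears on the other side with the
    roles swapped."""
    pan = {_norm(p) for p in pan_proxy_ids}
    cisco_from_pan_view = {(dst, src) for src, dst in (_norm(a) for a in cisco_acl)}
    findings = []
    for local, remote in sorted(pan - cisco_from_pan_view, key=str):
        findings.append(
            f"PAN Proxy ID {local} <-> {remote} has no mirrored crypto ACL line on the Cisco")
    for local, remote in sorted(cisco_from_pan_view - pan, key=str):
        findings.append(
            f"Cisco crypto ACL permits {remote} -> {local} but the PAN has no Proxy ID for it")
    return findings


def diagnose_phase2(pan_proxy_ids, cisco_selectors):
    """Return a list of findings; an empty list means the selectors agree.
    cisco_selectors: crypto ACL (source, destination) lines for a crypto-map
    peer, or [("0.0.0.0/0", "0.0.0.0/0")] for a VTI peer."""
    if not cisco_selectors:
        return ["no traffic selectors received from the Cisco peer"]
    if is_route_based(cisco_selectors):
        # This is the case behind a PAN log reading
        # 'received local id 0.0.0.0/0, received remote id 0.0.0.0/0'.
        if not pan_proxy_ids or is_route_based(pan_proxy_ids):
            return []
        return ["peer proposes 0.0.0.0/0 <-> 0.0.0.0/0 (route-based VTI) but the PAN "
                "carries specific Proxy IDs; remove them or use a single "
                "0.0.0.0/0 <-> 0.0.0.0/0 entry"]
    if not pan_proxy_ids:
        return ["Cisco peer uses a crypto ACL but the PAN has no Proxy ID, so the PAN "
                "proposes 0.0.0.0/0 <-> 0.0.0.0/0, which the ACL will not accept"]
    return mirror_mismatches(pan_proxy_ids, cisco_selectors)


if __name__ == "__main__":
    # Crypto-map peer with a correctly mirrored ACL: no findings.
    print(diagnose_phase2([(PAN_LOCAL, CISCO_LOCAL)], [(CISCO_LOCAL, PAN_LOCAL)]))
    # VTI peer against specific Proxy IDs: the mismatch from the PA5050 comment.
    print(diagnose_phase2([(PAN_LOCAL, CISCO_LOCAL)], [("0.0.0.0/0", "0.0.0.0/0")]))
```

Run it as-is to see the two cases, or call `diagnose_phase2()` with the Proxy IDs from the PAN tunnel and the crypto ACL lines from the Cisco before bringing a tunnel up: an empty list is the state you want, and each finding names the exact selector to add or remove on which side.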
Nice lecture. Do you have any video on how to install a VM image of Palo Alto? Any good video? There are a lot of bad videos on YouTube. I want an easy and good video. Thanks in advance!!!