Route-Based VPN Tunnel Palo Alto <-> Cisco ASA

More than 6 years ago (!) I published a tutorial on how to set up an IPsec VPN tunnel between a Palo Alto Networks firewall and a Cisco ASA. As time flies by, the ASA is now able to terminate route-based VPN tunnels (which is great!), IKEv2 is running everywhere, and we have enhanced security proposals. Hence, it’s time for an update:

This is one of many VPN tutorials on my blog. Have a look at the full list.

My Setup

This is my setup for this tutorial: (Yes, public IPv4 addresses behind the Palo.)

I am using a Palo Alto Networks PA-220 with PAN-OS 10.0.2 and a Cisco ASA 5515 with version 9.12(3)12 and ASDM 7.14(1). These are the VPN parameters:

  • Route-based VPN, that is: numbered tunnel interface and real route entries for the network(s) to the other side. But no proxy-IDs aka traffic selection aka crypto map. Thank goodness for that.
  • IKEv2 (no distinction anymore between main or aggressive mode as with IKEv1)
  • PSK: 30 chars alphanumeric, generated with a password generator!
  • IKE crypto/policies:
    • Diffie-Hellman group 20
    • AES-256-CBC (because Palo has no -GCM here, don’t know why)
    • SHA-512 (you could use SHA-256 if you like)
    • 8 hours
  • IPsec crypto/proposals/transform sets:
    • AES-256-GCM (here it is GCM)
    • SHA-512 (again, you can use SHA-256 as well)
    • Diffie-Hellman group 20
    • 1 hour
  • Tunnel monitor on the Palo to ping the tunnel interface of the ASA constantly – this keeps the tunnel up and running.
  • Since there is the “intrazone-default allow” policy on the Palo, you don’t need an explicit policy for allowing the VPN connection from “untrust to untrust”. If you have your own explicit deny-any policy at the end of your policy set, you need an explicit allow policy for “ike” and “ipsec-esp”.
  • No NAT between the internal networks (of course not ;))!

Palo Alto NGFW

Everything is done via the GUI:

Cisco ASA

You can do the configuration either via the ASDM “GUI”:

or through CLI commands (of course you have to change the IPv4 addresses, the PSK, the number of the VTI or of the crypto ikev2 policy, etc.). Furthermore, the ACL is not listed:
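The author’s own CLI listing did not survive on this page. As an added example (not the listing from the original post, and not vendor documentation), the following ASA configuration realizes the parameters from the setup list above on a VTI. The policy/proposal/profile names, the tunnel number, the PSK placeholder and all addresses are assumptions: 203.0.113.10 stands for the Palo’s public IP, 192.0.2.0/24 for the network behind it, and 10.255.255.0/30 for the numbered tunnel link (.1 on the Palo, .2 on the ASA).

```text
! --- IKEv2 (phase 1), matching the "IKE crypto/policies" bullet: DH20, AES-256-CBC, SHA-512, 8 h ---
crypto ikev2 policy 10
 encryption aes-256
 integrity sha512
 group 20
 prf sha512
 lifetime seconds 28800
crypto ikev2 enable outside

! --- IPsec (phase 2): AES-256-GCM is an AEAD cipher, so the ASA requires "integrity null" here ---
crypto ipsec ikev2 ipsec-proposal PROP-AES256-GCM
 protocol esp encryption aes-gcm-256
 protocol esp integrity null
crypto ipsec profile PROF-PALO
 set ikev2 ipsec-proposal PROP-AES256-GCM
 set pfs group20
 set security-association lifetime seconds 3600

! --- Virtual tunnel interface: route-based, so no crypto map and no proxy-IDs ---
! The Palo's tunnel monitor pings 10.255.255.2, so this interface must keep answering ICMP.
interface Tunnel1
 nameif vti-palo
 ip address 10.255.255.2 255.255.255.252
 tunnel source interface outside
 tunnel destination 203.0.113.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PROF-PALO

! --- Peer definition: the tunnel-group name must be the Palo's public IP; PSK is a placeholder ---
group-policy GP-PALO internal
group-policy GP-PALO attributes
 vpn-tunnel-protocol ikev2
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy GP-PALO
tunnel-group 203.0.113.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <30-char-alphanumeric-PSK>
 ikev2 local-authentication pre-shared-key <30-char-alphanumeric-PSK>

! --- A real route to the network behind the Palo, pointing into the VTI ---
route vti-palo 192.0.2.0 255.255.255.0 10.255.255.1

! Not shown, as in the post: the access-list applied to the vti-palo nameif (access-group ... in interface vti-palo).
! Verification: show crypto ikev2 sa / show crypto ipsec sa / show interface Tunnel1 / show route
```

The one place the ASA side deviates from the parameter list is the ESP integrity setting: with aes-gcm-256 the ASA only accepts integrity null, because GCM already authenticates the payload. The SHA-512 choice still applies to the IKEv2 policy (integrity and PRF).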


Monitoring

On the Palo you can see this information in the GUI:

Or you can use some of these CLI commands: “show vpn { ike-sa | ipsec-sa | gateway | tunnel | flow }”:


On the ASA, this is the GUI information. Note the proxy-IDs, aka “Local Addr. / Subnet Mask / Protocol / Port”, which read “0.0.0.0/0.0.0.0/0/0”. This is absolutely correct, due to the usage of a route-based VPN. Nice!

And here are some CLI commands as well. Note that you have a valid static route to the other side, which is great!

PS: Sorry for being legacy IP only this time. ;(

Photo by Mathew Schwartz on Unsplash.

7 thoughts on “Route-Based VPN Tunnel Palo Alto <-> Cisco ASA”

  1. Please let me know if you have a configuration for GRE over IPsec between a Palo Alto firewall and a Cisco firewall.

    On the Cisco firewall, it is easy to configure. Not finding the relevant document on the Palo Alto firewall.

    1. Hey. Sorry, but I haven’t done this so far. However, please have a look at the IPsec tunnel configuration at the Palo. There is an “Add GRE Encapsulation” checkmark. Have you played around with it?

      Anyway, do you *really* need it that way? Why aren’t you using IPsec without GRE on the Cisco side?

      Cheers
      Johannes

  2. Do you have a config for an ISR Cisco router instead of an ASA, or will the config apply directly to the Cisco router?

      1. I am currently using your route-based VPN and it’s working great without the overhead of GRE, but I am looking for an IKEv2 implementation or a way to get around the issue of a spoke router obtaining a different DHCP address (peer address field in Palo changing) and breaking the tunnel. Your tutorials are great!
