How to configure IPSec VPN Between Cisco ASA and Palo Alto Firewall

In this article, we will configure the IPSec Tunnel between Palo Alto and Cisco ASA Firewall. In this example, I’m using PANOS 8.1.10 on the Palo Alto firewall. Although, the configuration is almost the same in other PANOS versions too. A basic understanding of the IPSec VPN will help you to understand this article. You don’t need an additional license on both devices for this feature. You must have a static routable IP address to configure the IPSec tunnel. So, let’s start the configuration!

Scenario – IPSec Tunnel between Cisco ASA and Palo Alto Firewall

As already discussed, you must need static routable IP on both Palo Alto and Cisco ASA firewalls. In this example, I’m using two routable IP addresses on both Palo Alto and Cisco ASA firewalls, which are reachable from each other. IP 1.1.1.1 is configured on the Cisco ASA firewall and 2.2.2.2 is configured on the Palo Alto Firewall as shown below:

ipsec-tunnel-between-cisco-asa-and-paloalto-firewall

As you noticed, the LAN subnet 192.168.1.0/24 is connected with Cisco ASA and on the other hand, the LAN subnet 192.168.2.0/24 is connected with the Palo Alto Firewall. Before jump into the configuration part, just check the reachability of both devices using the ping utility.

admin@PA-220> ping host 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=64 time=0.177 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=64 time=0.157 ms

Steps to configure IPSec Tunnel on Palo Alto Firewall

First, we will configure the IPSec Tunnel on Palo Alto Firewall. You need to follow the following steps to configure IPSec Tunnel’s Phase 1 and Phase 2 in Palo Alto.

Creating a Security Zone on Palo Alto Firewall

First, we need to create a separate security zone on Palo Alto Firewall. To configure the security zone, you need to go Network >> Zones >> Add. Here, you need to provide the Name of the Security Zone. You can provide any name at your convenience.

ipsec-zone-configuration-on-paloalto

Creating a Tunnel Interface on Palo Alto Firewall

You need to define a separate virtual tunnel interface for IPSec Tunnel. To define the tunnel interface, Go to Network >> Interfaces >> Tunnel. Select the Virtual Router, a default in my case. Also, in the Security Zone field, you need to select the security zone as defined in Step 1. Although, you do not need to provide an IPv4 or IPv6 IP address for this interface. Also, you can attach your Management Profile in Advanced Tab if you need it.

tunnel-interface-in-palo-alto

Defining the IKE Crypto Profile [Phase 1 of IPSec Tunnel]

Now, you need to define Phase 1 of the IPSec Tunnel. You need to go Network >> Network Profiles >> IKE Crypto >> Add. Here, you need to give a friendly name for the IKE Crypto profile. Then, define the DH Group, Encryption, and Authentication Method. By default, Key lifetime is 8 Hours. You can change it as per your requirement.

Recommended:  How to configure Captive Portal in Palo Alto Firewall

ike-crypto-phase1-profile-pa

Defining the IPSec Crypto Profile [Phase 2 of IPSec Tunnel]

Now, you need to define Phase 2 of the IPSec Tunnel. You need to go Network >> Network Profiles >> IPSec Crypto >> Add. Here, you need to give a friendly name for the IPSec Crypto profile. Select the IPsec Protocol as per your requirement. You have ESP (Encapsulation Security Protocol) and AH (Authentication Header) protocol for IPSec. Then, define the DH Group, Encryption, and Authentication Method. By default, Key lifetime is 1 Hour. You can change it as per your requirement.

ipsec-crypto-profile-paloalto

Defining the IKE Gateway Profile

Now, you need to go Network >> Network Profiles >> IKE Gateways >> Add. In General Tab, You need to define the name of the IKE Gateway Profile. In the Interface field, you need to define your Internet-facing Interface, In my case, ethernet 1/1, which has a 2.2.2.2 IP Address. Define the Peer IP Address Type IP. Define the peer address, in my case 1.1.1.1. Select the Authentication Method, i.e. Pre Shared Key or Certificate. In this scenario, I’m using the Pre-shared Key. Define the Pre Shared key next and note down the key because you need it to define in FortiGate Firewall. Define the Local and Peer IP address in the Local Identification and Peer Identification field.

IKE-gateway-in-palo-alto-firewall

Click on Advanced Option, In IKEv1, select IKE Crypto Profile, which defines in Step 3.

ike-gateway-advanced-options

Creating the IPSec Tunnel

We have defined IKE Gateway and IPSec Crypto profile for our IPSec Tunnel. Now, we have to define the IPSec Tunnel. Go to Network >> IPSec Tunnels >> Add. Define the user-friendly name for IPSec Tunnel. Next, select the tunnel interface, which is defined in Step 2. Select the profiles for IKE Gateway and IPSec Crypto Profile, which are defined in Step 3 and Step 5 respectively.

ipsec-tunnel-on-palo-alto-firewall

Go to the Proxy IDs Tab, and define Local and Remote Networks. In this scenario, I’m using 192.168.1.0/24 and 192.168.2.0/24 in LAN Networks.

how-to-configure-proxy-id-on-palo-alto-firewall

Creating the Security Policy for IPSec Tunnel Traffic

Now, you need to create a security profile that allows the traffic from VPN Zone to Trust Zone. You need to Go Policies >> Security >> Add to define a new Policy.

security-rule-to-allow-traffic

Configuring Route for Peer end Private Network

Now, you need to provide a static route for Peer end Private networks. Just go to Network >> Virtual Routers >> Default >> Static Routes >> Add. Select the Name for this Route and define the destination network for this route, i.e. 192.168.1.0/24 in this example. Select the Next Hop to Tunnel Interface which is defined in Step 2.

static-route-configuration-on-palo-alto-firewall

We finished the configuration of the IPSec tunnel in the Palo Alto firewall. Now, we will configure the IPSec tunnel in FortiGate Firewall.

Steps to configure IPSec Tunnel in Cisco ASA Firewall

Now, we will configure the IPSec Tunnel in Cisco ASA Firewall. Here, in this example, I’m using the Cisco ASA  Software version 9.8(1). Although, the configuration of the IPSec tunnel is the same in other versions also.

Recommended:  How to configure GRE Tunnel between Cisco Routers

We need to configure the following steps to configure IPSec on Cisco ASA:

  • Configuring the Phase1 (IKEv1)
  • Defining the Tunnel Group and Pre-Shared Key
  • Configuring the Phase2 (IPSec)
  • Configuring the Extended ACL and Crypto Map

So, let’s start the configuration by configuring Phase1 of Cisco ASA. Access the global configuration mode of Cisco ASA and start with the below commands:

Configuring the Phase1 (IKEv1) on Cisco ASA

ciscoasa(config)# crypto ikev1 enable outside
ciscoasa(config)# crypto ikev1 policy 10
ciscoasa(config-ikev1-policy)# authentication pre-share
ciscoasa(config-ikev1-policy)# encryption 3des
ciscoasa(config-ikev1-policy)# hash md5
ciscoasa(config-ikev1-policy)# group 2
ciscoasa(config-ikev1-policy)# lifetime 7200

Now, let’s quickly understand the meaning of each command.

  • Encryption: 3des (It is used to encrypt the Phase1 traffic).
  • Hash: md5 ( md5 is a hashing algorithm. It authenticates our data using Hash)
  • Group: 2 (Diffie Hellman Group 2)
  • Authentication: In this example, we are using the pre-shared key as authentication)
  • Lifetime: 7200 (86400 Default lifetime for the Phase1)

In the Cisco ASA, we need to enable the Crypto IKEv1 to the Internet-facing interface. So, we can do this using the below command:

ciscoasa(config)# crypto ikev1 enable outside

Configuring the Tunnel Group and Pre-Shared Key on Cisco ASA

Now, we need to define the tunnel interface and the Pre-Shared Key. In this article, I’m using GNS3Network as a pre-shared key.

ciscoasa(config)# tunnel-group 2.2.2.2 type ipsec-l2l
ciscoasa(config)# tunnel-group 2.2.2.2 ipsec-attributes
ciscoasa(config-tunnel-ipsec)# ikev1 pre-shared-key GNS3Network

Configuring the IPSec IKEv1 (Phase2)

Here, we need to define the Encryption and Authentication methods for IPSec Phase2.

ciscoasa(config-ikev1-policy)#crypto ipsec ikev1 transform-set ESP-AES-SHA esp-3des esp-md5-hmac
ciscoasa(config)# crypto ipsec security-association lifetime seconds 7200

Now, let’s quickly understand each command.

  • ESP: ESP Stands for Encapsulating Security Payload and it’s an IPSec Protocol
  • 3DES: 3DES is one of the Encryption Algorithm
  • MD5: MD5 is a Hashing algorithm, which is used to maintain the data integrity
  • 7200 Seconds: IPSec Phase2 Key lifetime

Configuring the Crypto MAP and Extended ACL to allows IPSec traffic on Cisco ASA

This is the final step of our configuration. Here, we need to define an Extended ACL to allow the traffic. Also, here we need to configure the Crypto MAP and call the configured crypto map to the External Interface. I am configuring two address objects to simplified the Access Control List (ACL).

Address Object and Extended ACL to allow traffic

ciscoasa(config)#object-group network local-network
ciscoasa(config-network-object-group)#network-object 192.168.1.0 255.255.255.0
ciscoasa(config-network-object-group)#object-group network remote-network
ciscoasa(config-network-object-group)#network-object 192.168.2.0 255.255.255.0
ciscoasa(config-network-object-group)#access-list asa-paloalto-vpn extended permit ip object-group local-network object-group remote-network

Configuring the Crypto MAP

ciscoasa(config)# crypto map outside_map 10 match address asa-paloalto-vpn
ciscoasa(config)# crypto map outside_map 10 set pfs group2
ciscoasa(config)# crypto map outside_map 10 set peer 2.2.2.2
ciscoasa(config)# crypto map outside_map 10 set ikev1 transform-set ESP-AES-SHA

Enabling the Crypto MAP on Outside Interface

ciscoasa(config)# crypto map outside_map interface outside

Initiating the IPSec tunnel and verify the traffic using Wireshark

In this step, we just have to initiate the traffic on the IPSec tunnel. If both phases of the IPSec tunnel come up, then your configuration is perfect. So, let’s access the CLI of the Palo Alto Firewall and initiate the IPSec tunnel:

admin@PA-VM>test vpn ipsec-sa
admin@PA-VM>test vpn ipsec-sa

Now, let’s access Device >> IPSec Tunnels and check the status of the IPSec tunnel you just created! If both the phases tunnel is up, it will look like the below image:

Recommended:  How to configure SSL VPN on SonicWall Next-Gen Firewall | NetExtender

palo-alto-ipsec-tunnel-status

Now, let’s initiate the traffic from one of the firewalls. I am initiating the traffic towards the Palo Alto Firewall from Cisco ASA.

ciscoasa# ping inside 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
?!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 30/30/30 ms

The first packet is dropped just because of the ARP request and response. No further packet will be dropped.

Optional: If you are tryining to initiate the traffic from Cisco ASA Interface IP [i.e. in this example], you need to allow the management access towards the subnet.

ciscoasa(config)# management-access inside

Troubleshooting the IPSec tunnel – PA & ASA

In this part of this article, we will discuss some basic commands, which help you to troubleshoot the IPSec tunnel which is configured between the Cisco ASA and Cisco router.

Troubleshooting IPSec tunnel on the Cisco ASA Firewall

ciscoasa# show running-config ipsec
ciscoasa# show running-config crypto ikev1
ciscoasa# show running-config crypto map

Troubleshooting IPSec tunnel on Palo Alto Firewall

Let’s access the Monitor >> System and use the filter “( subtype eq vpn )”. Here, you will find all VPN-related logs.

If you getting issue with the IPSec tunnel, you can use the following commands to initiate the IPSec tunnel:

admin@PA-VM>test vpn ipsec-sa
admin@PA-VM>test vpn ipsec-sa

Analyzing the IPSec traffic through the Wireshark

During the configuration of the IPSec tunnel, we defined ESP (Encapsulating Security Payload) as the IPsec protocol, so all the real traffic which goes towards the peer end will be encrypted using this protocol. So, you will only find ESP packets in the packet capture as shown below.

wireshark-captures-of-ipsec-esp-protocol

Related Articles

Reference

Summary

In this article, we configure the IPSec tunnel between the Cisco ASA Firewall and Palo Alto Next-Generation Firewall. We also discussed the Encryption and Authentication algorithms. However, you must need static routable IP addresses to configure the IPSec VPN between two remote networks.

Hope you like this article! Please let us know if you need further help regarding the IPSec tunnel.

4 Comments

  1. i tried the same on GNS3 but phase 1 is up but not phase 2

    ciscoasa(config)# sh crypto isakmp sa

    IKEv1 SAs:

    Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1

    1 IKE Peer: 192.168.100.30
    Type : L2L Role : initiator
    Rekey : no State : MM_ACTIVE

    There are no IKEv2 SAs
    ciscoasa(config)# sh crypto ipsec sa
    ciscoasa(config)#

Leave a Reply

Your email address will not be published. Required fields are marked *