Simple VPN Configuration Between ASA and PAN Device

Basic configuration to bring up an IKEv1 site-to-site IPsec tunnel between a Cisco ASA (CLI) and a Palo Alto Networks (PAN) firewall (configuration XML). Each step shows the ASA side and the PAN side; the two must mirror each other for the tunnel to negotiate.

Phase 1 Proposal

ASA:
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

PAN:
<ike-crypto-profiles>
<entry name="default">
<encryption>
<member>aes192</member>
<member>aes256</member>
<member>aes128</member>
<member>3des</member>
</encryption>
<hash>
<member>sha1</member>
<member>md5</member>
</hash>
<dh-group>
<member>group2</member>
<member>group1</member>
</dh-group>
<lifetime>
<hours>24</hours>
</lifetime>
</entry>
</ike-crypto-profiles>

The ASA offers a single policy, so Phase 1 negotiates 3DES/SHA-1/DH group 2 regardless of what else the PAN profile lists; the md5 and group1 members are never used and can be dropped. 3DES and group 2 are weak by current standards; where both platforms support it, prefer AES and DH group 14 or higher on both sides. The 24-hour lifetime equals the ASA's 86400 seconds.

Phase 2 Proposal

ASA:
crypto ipsec transform-set palo-alto esp-aes-256 esp-sha-hmac
crypto map outside 20 set transform-set palo-alto

PAN (both profile sets live under <crypto-profiles> in the PAN configuration):
<crypto-profiles>
<ipsec-crypto-profiles>
<entry name="default">
<esp>
<encryption>
<member>aes256</member>
</encryption>
<authentication>
<member>sha1</member>
</authentication>
</esp>
<dh-group></dh-group>
<lifetime>
<hours>24</hours>
</lifetime>
</entry>
</ipsec-crypto-profiles>
</crypto-profiles>

Neither side enables PFS (empty <dh-group> here, no set pfs on the ASA crypto map), which is consistent; enabling it on only one side breaks Phase 2.

Gateway:

ASA:
crypto map outside 20 set peer 70.98.39.8
tunnel-group 70.98.39.8 type ipsec-l2l
tunnel-group 70.98.39.8 ipsec-attributes
pre-shared-key *
isakmp keepalive threshold infinite

The ASA masks the key as * in show run; it must be the same string as the PAN <key>. isakmp keepalive threshold infinite stops the ASA from initiating keepalives, so the PAN gateway's DPD (below) is what detects a dead peer.

PAN:
<gateway>
<entry name="Loyalty.ASA">
<peer-address>
<ip>67.88.212.253</ip>
</peer-address>
<local-address>
<ip>70.98.39.8/24</ip>
<interface>ethernet1/1</interface>
</local-address>
<authentication>
<pre-shared-key>
<key>k2VXNMN7gOjEFUe6y8ALut8vWzxw5TY0</key>
</pre-shared-key>
</authentication>
<protocol>
<ikev1>
<exchange-mode>auto</exchange-mode>
<ike-crypto-profile>default</ike-crypto-profile>
<dpd>
<enable>yes</enable>
<interval>10</interval>
<retry>3</retry>
</dpd>
</ikev1>
</protocol>
</entry>
</gateway>

The PAN local address 70.98.39.8 on ethernet1/1 is the peer the ASA crypto map points at, and 67.88.212.253 is the ASA's outside address. The pre-shared key and the referenced IKE crypto profile must match the ASA tunnel-group key and ISAKMP policy; exchange-mode auto lets the PAN negotiate main mode, which the ASA uses for a site-to-site peer identified by IP address.

Phase 2 Proxy ID / Tunnel

ASA:
access-list PDX2CLUBFED extended permit ip 10.211.168.0 255.255.252.0 10.61.0.0 255.255.0.0
crypto map outside 20 match address PDX2CLUBFED

PAN:
<tunnel>
<ipsec>
<entry name="LoyTunnel">
<anti-replay>no</anti-replay>
<copy-tos>no</copy-tos>
<tunnel-monitor>
<enable>no</enable>
</tunnel-monitor>
<tunnel-interface>tunnel.1</tunnel-interface>
<auto-key>
<ike-gateway>
<entry name="Loyalty.ASA"/>
</ike-gateway>
<ipsec-crypto-profile>default</ipsec-crypto-profile>
<proxy-id>
<local>10.61.0.0/16</local>
<remote>10.211.168.0/22</remote>
</proxy-id>
</auto-key>
</entry>
</ipsec>
</tunnel>

The proxy ID is the mirror image of the ASA crypto ACL: PAN local 10.61.0.0/16 is the ACL destination and PAN remote 10.211.168.0/22 is the ACL source (mask 255.255.252.0 is a /22). If the two do not mirror each other exactly, Phase 2 fails with a proxy-ID mismatch. Note that <anti-replay>no</anti-replay> turns off replay protection for this tunnel; the default is yes and it should normally be left on.
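As an added example (not code from the original post, and not a Cisco or Palo Alto API), the following Python script parses constructed copies of the ASA CLI and PAN XML fragments shown above and checks everything that has to agree for the tunnel to come up: the ASA ISAKMP policy must be one encryption/hash/DH combination the PAN IKE crypto profile offers, the ASA transform set must be an ESP pair the PAN IPsec profile offers, PFS must be on or off on both sides with the same group, and the PAN proxy ID must mirror the ASA crypto ACL. It also flags the weak algorithms the two sides agree on (3DES and DH group 2 here). The keyword tables, the parsers and the constructed configuration strings are my own assumptions about the shape of the fragments.

```python
"""Added consistency check for an ASA <-> PAN site-to-site VPN; not from the original post.
Parses constructed copies of the fragments above and reports what would stop negotiation."""
import xml.etree.ElementTree as ET

IKE_ENC = {"3des": "3des", "aes": "aes128", "aes-192": "aes192", "aes-256": "aes256"}  # ASA -> PAN names
IKE_HASH = {"md5": "md5", "sha": "sha1"}
ESP_ENC = {"esp-3des": "3des", "esp-aes": "aes128", "esp-aes-192": "aes192", "esp-aes-256": "aes256"}
ESP_AUTH = {"esp-md5-hmac": "md5", "esp-sha-hmac": "sha1"}
WEAK = {"3des", "md5", "group1", "group2"}   # flagged even when both sides agree on them

ASA_CONFIG = """crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set palo-alto esp-aes-256 esp-sha-hmac
crypto map outside 20 set transform-set palo-alto
crypto map outside 20 set peer 70.98.39.8
access-list PDX2CLUBFED extended permit ip 10.211.168.0 255.255.252.0 10.61.0.0 255.255.0.0
crypto map outside 20 match address PDX2CLUBFED
"""  # constructed copy of the ASA lines above (PSK and checksum lines omitted)

PAN_CONFIG = """<config><crypto-profiles>
<ike-crypto-profiles><entry name="default">
<encryption><member>aes192</member><member>aes256</member><member>aes128</member><member>3des</member></encryption>
<hash><member>sha1</member><member>md5</member></hash><dh-group><member>group2</member><member>group1</member></dh-group>
</entry></ike-crypto-profiles>
<ipsec-crypto-profiles><entry name="default"><esp><encryption><member>aes256</member></encryption>
<authentication><member>sha1</member></authentication></esp><dh-group></dh-group></entry></ipsec-crypto-profiles>
</crypto-profiles>
<gateway><entry name="Loyalty.ASA"><protocol><ikev1><ike-crypto-profile>default</ike-crypto-profile></ikev1></protocol></entry></gateway>
<tunnel><ipsec><entry name="LoyTunnel"><auto-key><ike-gateway><entry name="Loyalty.ASA"/></ike-gateway>
<ipsec-crypto-profile>default</ipsec-crypto-profile>
<proxy-id><local>10.61.0.0/16</local><remote>10.211.168.0/22</remote></proxy-id>
</auto-key></entry></ipsec></tunnel></config>"""  # constructed copy of the PAN XML above

def mask_to_prefix(ip, mask):   # ASA ACLs use dotted masks, PAN proxy IDs use CIDR prefixes
    return f"{ip}/{sum(bin(int(o)).count('1') for o in mask.split('.'))}"

def parse_asa(text):
    """Collect ISAKMP policies, transform sets, crypto map entries and crypto ACLs from ASA CLI."""
    asa, pol = {"policies": [], "transforms": {}, "maps": {}, "acls": {}}, None
    for w in (line.split() for line in text.splitlines()):
        if w[:3] == ["crypto", "isakmp", "policy"]:
            pol = {}; asa["policies"].append(pol)          # sub-commands below belong to this policy
        elif pol is not None and w[:1] == ["encryption"]: pol["enc"] = IKE_ENC[w[1]]
        elif pol is not None and w[:1] == ["hash"]: pol["hash"] = IKE_HASH[w[1]]
        elif pol is not None and w[:1] == ["group"]: pol["dh"] = "group" + w[1]
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            asa["transforms"][w[3]] = (ESP_ENC[w[4]], ESP_AUTH[w[5]])
        elif w[:2] == ["crypto", "map"]:
            m = asa["maps"].setdefault((w[2], w[3]), {"pfs": None})
            if w[4:6] == ["set", "transform-set"]: m["transform"] = w[6]
            elif w[4:6] == ["set", "pfs"]: m["pfs"] = w[6] if len(w) > 6 else "group2"  # ASA default
            elif w[4:6] == ["match", "address"]: m["acl"] = w[6]
        elif w[:1] == ["access-list"] and "permit" in w:
            i = w.index("permit")                           # ... permit ip SRC MASK DST MASK
            asa["acls"].setdefault(w[1], []).append((mask_to_prefix(*w[i + 2:i + 4]), mask_to_prefix(*w[i + 4:i + 6])))
    return asa

def parse_pan(xml_text):
    """Collect IKE/IPsec crypto profiles, gateways and tunnels from PAN configuration XML."""
    root = ET.fromstring(xml_text)
    members = lambda e, path: [m.text for m in e.findall(path + "/member")]
    pan = {"ike": {}, "ipsec": {}, "gateways": {}, "tunnels": {}}
    for p in root.findall(".//ike-crypto-profiles/entry"):
        pan["ike"][p.get("name")] = {"enc": members(p, "encryption"), "hash": members(p, "hash"), "dh": members(p, "dh-group")}
    for p in root.findall(".//ipsec-crypto-profiles/entry"):   # empty or no-pfs dh-group means no PFS
        pan["ipsec"][p.get("name")] = {"enc": members(p, "esp/encryption"), "auth": members(p, "esp/authentication"),
                                       "pfs": [g for g in members(p, "dh-group") if g != "no-pfs"]}
    for g in root.findall(".//gateway/entry"):
        pan["gateways"][g.get("name")] = g.findtext(".//ike-crypto-profile")
    for t in root.findall(".//tunnel/ipsec/entry"):
        pan["tunnels"][t.get("name")] = {"gateway": t.find(".//ike-gateway/entry").get("name"),
                                         "profile": t.findtext(".//ipsec-crypto-profile"),
                                         "proxy": (t.findtext(".//proxy-id/local"), t.findtext(".//proxy-id/remote"))}
    return pan

def check(asa, pan, map_key, tunnel_name):
    """Return {'errors': [...], 'warnings': [...]}; no errors means both phases can negotiate."""
    errors, warnings = [], []
    tun, cmap = pan["tunnels"][tunnel_name], asa["maps"][map_key]
    ike, ipsec = pan["ike"][pan["gateways"][tun["gateway"]]], pan["ipsec"][tun["profile"]]
    # Phase 1: the ASA offers its policies in priority order; PAN accepts any combination in its profile
    p1 = [p for p in asa["policies"] if p["enc"] in ike["enc"] and p["hash"] in ike["hash"] and p["dh"] in ike["dh"]]
    if not p1:
        errors.append("phase1: no ASA isakmp policy is acceptable to the PAN IKE crypto profile")
    else:
        warnings += [f"phase1 negotiates weak {a}" for a in p1[0].values() if a in WEAK]
    # Phase 2: the transform set must be an encryption/authentication pair the PAN ESP profile offers
    enc, auth = asa["transforms"][cmap["transform"]]
    if enc not in ipsec["enc"] or auth not in ipsec["auth"]:
        errors.append(f"phase2: ASA {enc}/{auth} not offered by PAN {ipsec['enc']}/{ipsec['auth']}")
    warnings += [f"phase2 negotiates weak {a}" for a in (enc, auth) if a in WEAK]
    # PFS: 'set pfs' on the crypto map must pair with the same DH group in the PAN IPsec profile
    if cmap["pfs"] != (ipsec["pfs"][0] if ipsec["pfs"] else None):
        errors.append(f"pfs: ASA {cmap['pfs']} vs PAN {ipsec['pfs'] or None}")
    # Proxy ID: PAN local/remote must be the ASA crypto ACL's destination/source, i.e. mirrored
    if (tun["proxy"][1], tun["proxy"][0]) not in asa["acls"][cmap["acl"]]:
        errors.append(f"proxy-id: PAN {tun['proxy']} does not mirror ASA ACL {cmap['acl']}")
    return {"errors": errors, "warnings": warnings}
```

Run check(parse_asa(ASA_CONFIG), parse_pan(PAN_CONFIG), ("outside", "20"), "LoyTunnel") and it returns no errors for the configuration above, with warnings that Phase 1 settles on 3DES and DH group 2; swap the ASA transform set to esp-3des or flip the PAN proxy ID and the corresponding phase is reported as mismatched. The ASA is treated as the initiator, which is why only the lowest-priority matching ASA policy is examined.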
