Configure a Site-to-Site IPSec VPN Tunnel between a Cisco Router and a Palo Alto Firewall


One end of the IPSec tunnel is a Palo Alto firewall with a static public IP address; the other end is a Cisco router with a dynamic IP address that sits behind an Internet modem. For the purpose of this article, 10.10.10.1 is the static public IP address configured on the Palo Alto firewall.

Configure the Cisco Router

1. Configure ISAKMP (IKE) – Phase 1

ISAKMP is defined globally. If several ISAKMP Phase 1 policies are configured, the router sends all of them when it negotiates an SA with the remote site, and the first policy that matches on both ends is used.

By default, ISAKMP lifetime is 86400 seconds.

2. Configure Preshared Key

Here 10.10.10.1 is the public IP address of the remote peer and s@1@1@h11 is the preshared key the Cisco router uses when it establishes the VPN connection with the Palo Alto peer.

3. Configure IPSec – Phase 2

Here itadminguide-set is a user-friendly transform-set name; it can be any name you prefer.

4. Configure ACL

The IP subnet 192.168.8.0 is the LAN behind the Cisco router, and 192.168.0.0 is the LAN behind the Palo Alto firewall.

5. Configure Crypto Map

The crypto map ties the previously defined ISAKMP and IPSec configuration together.

6. Configure Key

7. Apply Crypto Map to Public Interface or VLAN

8. Create NAT and ACL Policy
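
The Cisco-side steps above, consolidated as one added IOS configuration that is not the article's own configuration or its downloadable file. The peer address, preshared key, transform-set name and LAN subnets come from the article; the algorithms, DH group, /24 wildcard masks, interface names and the names VPN-MAP, VPN-TRAFFIC and NAT-ACL are assumptions, and step 6 is left out because the article does not show what it configures.

```cisco
! Added example, not the article's configuration.
! Values marked "assumed" are not stated in the article.
!
! 1. ISAKMP (IKE) Phase 1 policy (algorithms and DH group assumed;
!    86400 s is the default lifetime the article mentions)
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 86400
!
! 2. Preshared key for the Palo Alto peer (peer IP and key as written
!    in the article; use a long random key in a real deployment)
crypto isakmp key s@1@1@h11 address 10.10.10.1
!
! 3. IPSec Phase 2 transform set (name from the article, algorithms assumed)
crypto ipsec transform-set itadminguide-set esp-aes 256 esp-sha-hmac
!
! 4. Traffic to encrypt: router LAN to Palo Alto LAN (/24 masks assumed)
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.8.0 0.0.0.255 192.168.0.0 0.0.0.255
!
! 5. Crypto map binding the peer, the transform set and the ACL
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 10.10.10.1
 set transform-set itadminguide-set
 match address VPN-TRAFFIC
!
! 7. Apply the crypto map to the Internet-facing interface (names assumed)
interface GigabitEthernet0/0
 ip nat outside
 crypto map VPN-MAP
!
interface GigabitEthernet0/1
 ip nat inside
!
! 8. NAT policy: the deny line exempts tunnel traffic from translation so
!    it still matches VPN-TRAFFIC; all other LAN traffic is overloaded.
ip access-list extended NAT-ACL
 deny   ip 192.168.8.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 192.168.8.0 0.0.0.255 any
!
ip nat inside source list NAT-ACL interface GigabitEthernet0/0 overload
```

The Phase 1 and Phase 2 algorithms chosen here have to match the IKE Crypto and IPSec Crypto profiles created on the Palo Alto side, and the order of the NAT-ACL entries matters because the first match wins.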


Configure the Palo Alto Firewall

1. Configure IPSec Phase 1
Go to Network > Network Profiles > IKE Crypto and create an IKE Crypto profile.

2. Configure IPSec Phase 2
Go to Network > Network Profiles > IPSec Crypto and create an IPSec Crypto profile.

3. Configure IKE Gateway
Go to Network > Network Profiles > IKE Gateways

Configure Aggressive Mode in IKE Gateway Settings

4. Configure IPSec Tunnel
Go to Network > IPSec Tunnel

5. Configure Security Policy
Go to Policies > Security

6. Configure Virtual Router

7. Permit IKE Traffic on Outside Interface
Navigate to Policies > Security
Finally, you need to open IKE (port 500) on the outside interface so that the peer IP can establish the IPSec tunnel.
