Configure IKEV1 Site to Site VPN between Cisco ASA and Paloalto Firewall


In this guide, we are configuring IKEV1 VPN between Cisco ASA and Paloalto firewall. This is applicable to all models of Cisco and PA firewalls.

Configure Cisco ASA:

1) Phase 1: IKE policy

ciscoasa(config)# crypto ikev1 policy 10
ciscoasa(config-ikev1-policy)# authentication pre-share
ciscoasa(config-ikev1-policy)# encryption 3des
ciscoasa(config-ikev1-policy)# hash sha
ciscoasa(config-ikev1-policy)# group 2
ciscoasa(config-ikev1-policy)# lifetime 86400

ciscoasa(config)# crypto ikev1 enable outside


2) Phase 2: IPSec proposal

ciscoasa(config)# crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

All in One WordPress Hosting
HostGator $2.75 per month
24/7/365 Technical Support, Free Site Building Tools, 4500 Website Templates, Free Shopping Cart Software, Ideal for WordPress, 45 Day Money Back Guarantee
Starts at 30$ per month
All in One WordPress Hosting
High optimized WordPress hosting, secure firewall, HTTPS, Backup, hack-fix guarantee and many others at 30$ per month


3) Network Objects and ACL

ciscoasa(config)# object-group network india_network
ciscoasa(config-network-object)#  network-object

ciscoasa(config)# object-group network singapore_network
ciscoasa(config-network-object)#  network-object

ciscoasa(config)# nat (inside,outside) source static india_network india_network destination static singapore_network singapore_network
ciscoasa(config)# access-list ind_sin_acl extended permit ip object-group india_network object-group singapore_network


4) Cryptomap

ciscoasa(config)# crypto map outside_map 5 match address ind_sin_acl
ciscoasa(config)# crypto map outside_map 5 set peer
ciscoasa(config)# crypto map outside_map 5 set ikev1 transform-set ESP-3DES-MD5

ciscoasa(config)# crypto map outside_map 5 set pfs group2

ciscoasa(config)# crypto map outside_map interface outside


crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000


5) Group Policy and Tunnel Interface

Create a Group policy for ikev1 vpn protocol and assign to tunnel interface.

ciscoasa(config)# group-policy GrpPolicy- internal
ciscoasa(config)# group-policy GrpPolicy- attributes
ciscoasa(config)#  vpn-tunnel-protocol ikev1

ciscoasa(config)# tunnel-group type ipsec-l2l
ciscoasa(config)# tunnel-group ipsec-attributes
ciscoasa(config-tunnel-ipsec)#  ikev1 pre-shared-key cisco
ciscoasa(config)# tunnel-group general-attributes
ciscoasa(config)# default-group-policy GrpPolicy-


Configure Paloalto Firewall:

1) Phase 1: IKE Profile. Navigate to Network > Network Profiles > IKE Crypto

PA considers 86400 seconds lifetime to be too large and doesn’t accept. 86400 seconds is equivalent to 24 hours, hence I specified lifetime as 24 hours in PA firewall.


2) Phase 2: IPSec Profile. Navigate to Network > Network Profiles> IPSec Crypto


3) IPSec Gateway. Navigate to Network > Network Profiles> IKE Gateway

Specify the same pre-shared key used in Cisco firewall, in this example it is cisco


4) Tunnel Interface: Navigate to Network > Interfaces > Tunnel

Considering that you already created a separate zone for IPSec traffic and named as IPSec-tunnel.


5) IPSec Tunnel: Navigate to Network > IPSec Tunnels


6) Security Policy. Navigate to Policies > Security


7) Virtual Router. Navigate to Network > Virtual Routers

To configure route, choose the Virtual Router specified in Step 4, in this example its default virtual router.


8) IKE Outside Interface. Navigate to Policies > Security

Finally, you need to open IKE (port 500) on outside interface for peer IP to establish IPSec Tunnel.