Step by Step Guide: IPSec VPN Configuration Between a PAN Firewall and Cisco ASA
This document is a step-by-step guide to configuring an IPSec VPN. It assumes the Palo Alto Firewall has at least 2 interfaces in Layer 3 mode.
High Level Diagram:
IP schema specification:
Steps to be followed on Palo Alto Networks Firewall for IPSec VPN Configuration
Go to Network > Tunnel Interface to create a new tunnel interface and assign the following parameters:
Virtual router: default
Please refer to this article if you need help configuring a Virtual Router on Palo Alto Networks.
Zone: (select the layer 3 internal zone from which the traffic will originate)
Please refer to this article if you need help configuring a Layer 3 interface on Palo Alto Networks.
Note: If the tunnel interface is in a zone different from the zone where the traffic will originate or depart, then a policy will need to be created to allow the traffic to flow from the source zone to the zone containing the tunnel interface.
IPSec Phase-1 configuration
Go to Network > Network Profiles > IKE Crypto Profile and define the IKE Crypto (IKEv1 Phase-1) parameters.
(These parameters must match on the Cisco ASA firewall for the IKE Phase-1 negotiation to be successful)
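The matching requirement above can be checked offline by exporting the Phase-1 settings from both devices and comparing them after normalizing each vendor's keywords. The script below is an added example, not part of the original guide or of either vendor's tooling; the profile name ASA-P1, the policy number 10 and every value in the two sample configurations are constructed assumptions.

```python
import re
# Constructed sample configs (not from the guide); names and values are assumptions.
PAN_SET = """\
set network ike crypto-profiles ike-crypto-profiles ASA-P1 encryption aes-256-cbc
set network ike crypto-profiles ike-crypto-profiles ASA-P1 hash sha1
set network ike crypto-profiles ike-crypto-profiles ASA-P1 dh-group group5
set network ike crypto-profiles ike-crypto-profiles ASA-P1 lifetime hours 8
"""
ASA_CFG = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
"""
UNIT = {"seconds": 1, "minutes": 60, "hours": 3600, "days": 86400}
# Map each vendor's keyword to a common name so equal settings compare equal.
PAN_ALIAS = {"aes-256-cbc": "aes-256", "aes-192-cbc": "aes-192", "aes-128-cbc": "aes-128"}
ASA_ALIAS = {"aes": "aes-128", "sha": "sha1"}

def parse_pan(text, profile):  # single-value fields only (no "[ a b ]" lists)
    out = {}
    pat = re.compile(r"ike-crypto-profiles %s (\S+) (.+)" % re.escape(profile))
    for key, val in pat.findall(text):
        if key == "lifetime":                  # "hours 8" -> seconds
            unit, n = val.split()
            out["lifetime"] = int(n) * UNIT[unit]
        elif key == "dh-group":                # "group5" -> "5"
            out["group"] = val.strip().replace("group", "")
        else:
            out[key] = PAN_ALIAS.get(val.strip(), val.strip())
    return out

def parse_asa(text, policy):
    out, active = {}, False
    for line in text.splitlines():
        if not line.startswith(" "):           # a top-level line opens or closes the block
            active = line.strip() == f"crypto ikev1 policy {policy}"
        elif active:
            key, _, val = line.strip().partition(" ")
            if key in ("encryption", "hash", "group", "lifetime"):
                out[key] = int(val) if key == "lifetime" else ASA_ALIAS.get(val, val)
    return out

def mismatches(pan, asa):
    keys = ("encryption", "hash", "group", "lifetime")
    return {k: (pan.get(k), asa.get(k)) for k in keys if pan.get(k) != asa.get(k)}

if __name__ == "__main__":
    print(mismatches(parse_pan(PAN_SET, "ASA-P1"), parse_asa(ASA_CFG, 10)))
```

Each reported entry is a pair of (Palo Alto value, ASA value), with lifetimes in seconds.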