I configured a static Site-to-Site IPsec VPN tunnel between a Cisco ASA firewall and a Palo Alto next-generation firewall. If the same phase 1 & 2 parameters are used on both sides and the correct Proxy IDs are entered, the VPN works without any problems, even though the ASA uses a policy-based VPN while the PA implements a route-based VPN. (In such a mixed setup the Proxy IDs on the PA must mirror the entries of the crypto ACL on the ASA, with local and remote networks swapped; otherwise phase 2 fails with a proxy ID mismatch.)
I took a few screenshots of the VPN configuration of both firewalls, which I show here. I also list a few more hints concerning these two firewalls.
My test lab looks like this:
The tested Palo Alto PAN-OS version was 6.0.0, while the Cisco ASA version was 9.1(4).
Note that I am not showing the creation of the phase 1 & 2 parameters since I named them according to their types. I always use AES-256, SHA-1, DH-5, and a lifetime of 28800 seconds for IKE and 3600 seconds for IPsec; the IPsec protocol is ESP. (SHA-1 and DH group 5 are no longer considered strong; where both peers support it, prefer SHA-2 and DH group 14 or higher.)
Also note that neither firewall can bring the tunnel up on its own: it only comes up once interesting traffic from a host behind one of the firewalls triggers IKE. The Cisco ASA has no option to ping the remote side of a crypto map VPN, and the Palo Alto tunnel monitor needs a numbered tunnel interface plus a monitored IP address that is reachable through the tunnel. Since the policy-based VPN on the ASA has no tunnel interface at all (and hence no tunnel IP address that could be monitored), this option on the PA cannot be used either. For testing, the PAN-OS CLI command “test vpn ike-sa gateway <name>” at least initiates the IKE negotiation manually.
The creation of the route-based VPN on the Palo Alto involves the following steps: tunnel interface, IKE gateway, IPsec tunnel with Proxy IDs, and a static route through the tunnel interface. The following screenshots show these steps. Note the additional descriptions under each screenshot:
Finally, remember that the Palo Alto needs a security policy that permits the IKE and IPsec traffic terminating on its own untrust interface, that is, a rule “from untrust to untrust” allowing the applications ike (UDP 500, and UDP 4500 when NAT-T is in use) and ipsec-esp. If the VPN does not establish, search the traffic log for deny entries on these applications.
The creation of the policy-based Site-to-Site VPN on the ASA (in ASDM) consists of two steps: Group Policy and Connection Profile. These two steps also create the complete crypto map entry, which I show for the sake of completeness, too:
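As an added example (not taken from the screenshots of this post), here is the ASA 9.1 CLI equivalent of what the Group Policy and Connection Profile steps produce, with the crypto map entry written out. The addresses (RFC 5737 documentation ranges), the object, ACL, map and policy names and the placeholder pre-shared key are assumptions; the phase 1 & 2 parameters are the ones used above.

```text
! Added example, not the page's own configuration.
! Assumed addresses (RFC 5737 documentation ranges):
!   ASA outside 203.0.113.1, ASA inside LAN 192.0.2.0/24
!   PA  untrust 203.0.113.2, PA  trust  LAN 198.51.100.0/24
! Object, ACL, crypto map and group-policy names are assumptions as well.

! Phase 1: AES-256, SHA-1, DH group 5, 28800 s; must match the IKE crypto profile on the PA
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 28800
crypto ikev1 enable outside

! Phase 2: ESP with AES-256 / SHA-1, 3600 s; must match the IPsec crypto profile on the PA
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

object network LAN-LOCAL
 subnet 192.0.2.0 255.255.255.0
object network LAN-REMOTE
 subnet 198.51.100.0 255.255.255.0

! The crypto ACL defines the interesting traffic and thereby the Proxy IDs.
! The PA needs one Proxy ID per ACL entry, with local and remote swapped:
! local 198.51.100.0/24, remote 192.0.2.0/24, protocol any.
access-list VPN-TO-PA extended permit ip object LAN-LOCAL object LAN-REMOTE

! NAT exemption, otherwise the VPN traffic is translated before it reaches the crypto map
nat (inside,outside) source static LAN-LOCAL LAN-LOCAL destination static LAN-REMOTE LAN-REMOTE no-proxy-arp route-lookup

crypto map outside_map 10 match address VPN-TO-PA
crypto map outside_map 10 set peer 203.0.113.2
crypto map outside_map 10 set ikev1 transform-set ESP-AES256-SHA
! Only if PFS with DH group 5 is enabled in the IPsec crypto profile on the PA
crypto map outside_map 10 set pfs group5
crypto map outside_map 10 set security-association lifetime seconds 3600
crypto map outside_map interface outside

group-policy GroupPolicy_203.0.113.2 internal
group-policy GroupPolicy_203.0.113.2 attributes
 vpn-tunnel-protocol ikev1

tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 general-attributes
 default-group-policy GroupPolicy_203.0.113.2
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key <same-psk-as-on-the-pa>

! Verification once a host behind either firewall has sent traffic into the tunnel:
! show crypto ikev1 sa
! show crypto ipsec sa peer 203.0.113.2
```

Every additional entry in the crypto ACL (a second subnet, or a single host) requires a matching Proxy ID on the PA; a missing or mismatched one shows up on the ASA as a failed phase 2 negotiation while phase 1 is already up, which is the first thing to check when the IKE SA exists but no IPsec SA appears.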
Monitoring the VPN Sessions
If the VPN creation was successful, the Palo Alto shows two sessions in its Session Browser, one for ike and one for ipsec-esp:
Furthermore, the status bubbles on the IPsec Tunnels pane turn green:
However, I noticed that the connection was *sometimes* recognized as “ciscovpn” and then denied by my cleanup rule. Note that the port 500 is always the same while the identified application changes:
Therefore, I modified the untrust-untrust policy to also allow “ciscovpn”. (Which once more produced these annoying dependency warnings, which are not useful in this case!):
On the Cisco ASA, the VPN sessions monitor shows the established VPN with the appropriate parameters: