Thank you so much! You helped me clarify that a policy-based VPN with Cisco requires a route in the routing table of the virtual router rather than 'policy-based forwarding', kinda deceiving on the Palo side, but all is well, tunnels up!
Hello Michael! Why did you use a policy-based configuration (you configured proxy IDs on the Palo Alto firewall in the video) instead of route-based? I read that Palo Alto recommends using exactly route-based VPN configuration.
Did you also make the lab in GNS3? If yes, can you please let me know if we can download the ASA and Palo Alto firewall in GNS3? Also, does it cost to get the image file?
Yes, I used GNS3. The way I did it for the ASA was to spend the money on Cisco VIRL (which is $200) and import the images it comes with into GNS3. You should be able to get the Palo Alto for free with a trial license.
Thanks a lot for this video. I just brought up a VPN tunnel for my company between Cisco & Palo Alto after watching and using these exact configs.
This was incredibly helpful - thank you.
Thank you so much! Post more!!!
@mnaneek thanks for the info.
Could you share the config from the ASA?
I just posted it as a comment to this video.
Hello Michael. Your website is not working :(
There is no NAT in a lab, so no NAT exempt in this video.
In the real world it will break the setup.
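The NAT exemption the comment above refers to, as an added example that is not from the video or from the commenter: identity (twice) NAT on the ASA so that traffic from 10.1.1.0/24 to 10.2.2.0/24 reaches the crypto map untranslated and matches the VPN-PALO-1 ACL. The inside interface name INSIDE and the object names are assumptions; the subnets and OUTSIDE come from the posted config.

```text
! Constructed example: NAT exemption for the site-to-site tunnel (ASA 8.3+ syntax)
! Interface name INSIDE and object names are assumed; adjust to your ASA.
object network LAN-LOCAL
 subnet 10.1.1.0 255.255.255.0
object network LAN-REMOTE
 subnet 10.2.2.0 255.255.255.0
!
! Manual (twice) NAT: source and destination are translated to themselves,
! so packets keep their real addresses and match the crypto ACL.
! "1" inserts the rule at the top of section 1, ahead of any dynamic PAT
! rule that would otherwise translate the source before encryption.
nat (INSIDE,OUTSIDE) 1 source static LAN-LOCAL LAN-LOCAL destination static LAN-REMOTE LAN-REMOTE no-proxy-arp route-lookup
!
! Verification: the NAT phase should show this identity rule, and the
! packet should be handed to the VPN/crypto phase rather than to PAT.
show nat
packet-tracer input INSIDE tcp 10.1.1.10 12345 10.2.2.10 443
```

If packet-tracer shows a dynamic PAT rule being matched instead of the identity rule, the exemption is ordered below the PAT rule and will break the setup exactly as the comment says.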
ASA Configuration
!
! Configure interesting traffic ACL (these are the proxy IDs the Palo Alto side must mirror)
access-list VPN-PALO-1 extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
!
! Configure IKEv2 Policy (phase 1)
crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 group 20
 prf sha256
 lifetime seconds 28800
!
! Enable IKEv2 on the interface the crypto map is applied to; without this the ASA never negotiates
crypto ikev2 enable OUTSIDE
!
! Configure IPSec Proposal (phase 2)
crypto ipsec ikev2 ipsec-proposal VPN-IPSEC_PROPOSAL-1
 protocol esp encryption aes-256
 protocol esp integrity sha-256
!
! Configure Crypto Map (policy-based: match the ACL, set the Palo Alto peer and proposal)
crypto map VPN-OUTSIDE_CRYPTO_MAP-1 10 match address VPN-PALO-1
crypto map VPN-OUTSIDE_CRYPTO_MAP-1 10 set peer 3.3.3.3
crypto map VPN-OUTSIDE_CRYPTO_MAP-1 10 set ikev2 ipsec-proposal VPN-IPSEC_PROPOSAL-1
crypto map VPN-OUTSIDE_CRYPTO_MAP-1 10 set security-association lifetime seconds 28800
crypto map VPN-OUTSIDE_CRYPTO_MAP-1 interface OUTSIDE
!
! Configure Group Policy (restricts the peer to IKEv2)
group-policy 3.3.3.3 internal
group-policy 3.3.3.3 attributes
 vpn-tunnel-protocol ikev2
!
! Configure Tunnel Group (site-to-site, pre-shared key must match the Palo Alto side)
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 general-attributes
 default-group-policy 3.3.3.3
tunnel-group 3.3.3.3 ipsec-attributes
 ikev2 remote-authentication pre-shared-key key123
 ikev2 local-authentication pre-shared-key key123