How to Build an IPSec Tunnel Between a Palo Alto Networks Firewall and a Cisco ASA (Adaptive Security Appliance)

Posted by Charles Buege on May 20, 2019 3:51:27 PM

By Charles Buege, Fuel User Group Member 

In this next article of our IPSec Tunnel series, we cover what it takes to connect a Palo Alto Networks firewall to a Cisco Adaptive Security Appliance (ASA). For me, this became a necessity almost from day one of having my PA-220 in my home lab, since it sat right next to my Cisco ASA and I had services behind each network that needed to talk to each other, so getting a tunnel built between them was an early priority.

Before setting up any tunnel, a few items need to be agreed on by both ends. At a minimum, both parties need to know the following for a tunnel to be configured correctly:

  • For Phase 1 (IKE), you need to agree on the IKE version (IKEv1 or IKEv2), the DH group, the authentication (hash) algorithm and the encryption algorithm, plus the key lifetime for the IKE crypto profile.
  • For Phase 2 (IPSec), you need the encryption and authentication algorithms and the DH group used for Perfect Forward Secrecy (or agreement that PFS is off), plus the lifetime for the IPSec crypto profile.
  • A pre-shared key/passphrase that both sides will use to authenticate to each other when the connection is first set up.
  • The range (or ranges) of IP addresses on each side that need to communicate with each other. On the Cisco ASA these become the crypto ACL that defines the tunnel's traffic, so both sides must agree on them exactly.

This article also presumes that you have already gone through the process of setting up the Cisco ASA and that it is fully functional.

In this example, we will be setting up a connection between a Palo Alto Networks firewall with an external IP address of 1.2.3.4 and a Cisco ASA with an external IP address of 6.7.8.9. These aren't real IP addresses. Other than the obfuscation of the actual source and destination IP addresses of the tunnel, everything else is real.

“Office” Information – Palo Alto firewall –

  • Gateway IP Address: 1.2.3.4
  • Subnet Range: 10.241.0.0/16

“Branch” Information – Cisco ASA –

  • Gateway IP Address: 6.7.8.9
  • Subnet Range: 10.201.0.0/16

Shared Information –

  • IKE Crypto Information:
    • DH Group: 2
    • Authentication: sha1 (Palo Alto Networks)/sha (Cisco)
    • Encryption: 3des
    • Lifetime: 8 Hours (28800 seconds, which is how the ASA expresses lifetimes)
  • IKE Gateway:
    • Shared Key: AbCdEfGhIj123456@!
  • IPSec Crypto Information:
    • DH Group: None – Perfect Forward Secrecy (PFS) disabled
    • Authentication: sha1 (Palo Alto Networks)/sha (Cisco)
    • Encryption: 3des
    • Lifetime: 1 Hour (3600 seconds)

One thing you will notice right away is that the authentication, encryption and DH group values are much older than what most current firewalls support. That's because for my Cisco ASA, I'm dealing with an older box and don't have the latest code. If your ASA offers more recent and secure options, use them: AES (ideally AES-GCM) instead of 3DES, SHA-256 instead of SHA-1, DH group 14 or an ECP group instead of group 2, and PFS enabled with the same group on both sides. 3DES is a 64-bit block cipher, SHA-1 is deprecated and group 2 is 1024-bit modular exponentiation, all below current recommendations, and with PFS disabled a compromise of the IKE SA's key material exposes every Phase 2 key derived from it. Whatever you pick, remember to set the same values on both the Cisco ASA and the Palo Alto Networks firewall, since any difference stops the tunnel from negotiating.
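The parameter list above is the whole negotiation in miniature: anything in Phase 1 or Phase 2 that differs between the two boxes, including the IKE version and the spelling differences such as 'sha1' on the Palo Alto Networks side versus 'sha' on the ASA, stops the tunnel from coming up. The following Python script is an added example (not code from this article or from either vendor) that normalises both sides' values into one form and then reports hard mismatches that break negotiation, lifetime differences that merely complicate rekeying, and values that are weak by current standards. The key names, the alias table, and the two dictionaries filled in from the article's "Shared Information" values are assumptions made for the example.

```python
"""Pre-flight check that the IKE (Phase 1) and IPSec (Phase 2) parameters
configured on a Palo Alto Networks firewall and on a Cisco ASA agree.

Added example: not code from the article or from either vendor.  Each side's
values are normalised (vendor spellings, lifetime units) and then compared.
"""

# Vendor spellings -> one canonical name.  Assumption: these are the spellings
# used on the PAN-OS crypto-profile pages and in the ASDM wizard.  Anything not
# listed passes through unchanged, so an unknown value still shows up as a
# mismatch instead of being silently accepted.
ALIASES = {
    "sha": "sha1", "sha-1": "sha1", "sha-256": "sha256", "sha-384": "sha384",
    "aes": "aes-128-cbc", "aes-128": "aes-128-cbc", "aes-256": "aes-256-cbc",
    "group1": "1", "group2": "2", "group5": "5", "group14": "14",
    "group19": "19", "group20": "20",
    "no-pfs": "none", "off": "none", "disabled": "none",
    "ikev1 only mode": "ikev1", "ikev2 only mode": "ikev2",
}

# Values that are weak by current standards; agreeing on one of them is
# reported as a warning even though the tunnel will negotiate.
WEAK = {
    "3des": "3DES is a 64-bit block cipher and deprecated; use AES, ideally AES-GCM",
    "md5": "MD5 is broken; use SHA-256 or stronger",
    "sha1": "SHA-1 is deprecated; use SHA-256 or stronger",
    "1": "DH group 1 is 768-bit MODP; use group 14 or an ECP group",
    "2": "DH group 2 is 1024-bit MODP, below the 2048-bit floor; use group 14 or an ECP group",
    "5": "DH group 5 is 1536-bit MODP, below the 2048-bit floor; use group 14 or an ECP group",
    "none": "PFS disabled: compromise of the IKE SA keys exposes every Phase 2 key derived from them",
}

HARD_KEYS = ("ike_version", "p1_encryption", "p1_hash", "p1_dh",
             "p2_encryption", "p2_hash", "p2_pfs")
SOFT_KEYS = ("p1_lifetime", "p2_lifetime")


def canon(value):
    """Lower-case a vendor value and map it to its canonical spelling."""
    v = str(value).strip().lower()
    return ALIASES.get(v, v)


def lifetime_seconds(value):
    """Accept '8 Hours', '1 hour', '30 minutes', 28800 or '28800' and return seconds."""
    if isinstance(value, (int, float)):
        return int(value)
    parts = value.strip().lower().split()
    unit = parts[1].rstrip("s") if len(parts) > 1 else "second"
    scale = {"second": 1, "sec": 1, "minute": 60, "min": 60, "hour": 3600, "day": 86400}
    return int(float(parts[0]) * scale[unit])


def compare(pan, asa):
    """Return (errors, warnings).  Any error means the negotiation will fail.

    Both dicts use the keys in HARD_KEYS and SOFT_KEYS (names assumed for this example).
    """
    errors, warnings = [], []
    for key in HARD_KEYS:
        a, b = canon(pan[key]), canon(asa[key])
        if a != b:
            errors.append(f"{key}: PAN={pan[key]!r} ASA={asa[key]!r}")
        elif a in WEAK:
            warnings.append(f"{key}: {WEAK[a]}")
    # Lifetimes need not be identical: IKEv1 settles on the shorter of the two
    # and IKEv2 does not negotiate them at all, but unequal timers make rekey
    # behaviour harder to reason about, so report them.
    for key in SOFT_KEYS:
        a, b = lifetime_seconds(pan[key]), lifetime_seconds(asa[key])
        if a != b:
            warnings.append(f"{key}: PAN={a}s ASA={b}s (not fatal, but keep them equal)")
    return errors, warnings


# Constructed from the article's "Shared Information": PAN-OS spellings and
# units on one side, the ASDM wizard's spellings and the ASA's seconds on the other.
PAN_SIDE = dict(ike_version="IKEv2 only mode", p1_encryption="3des", p1_hash="sha1",
                p1_dh="group2", p1_lifetime="8 Hours", p2_encryption="3des",
                p2_hash="sha1", p2_pfs="no-pfs", p2_lifetime="1 Hour")
ASA_SIDE = dict(ike_version="ikev2", p1_encryption="3DES", p1_hash="SHA", p1_dh="2",
                p1_lifetime=28800, p2_encryption="3DES", p2_hash="SHA", p2_pfs="off",
                p2_lifetime=3600)

if __name__ == "__main__":
    errs, warns = compare(PAN_SIDE, ASA_SIDE)
    for line in errs:
        print("ERROR  ", line)
    for line in warns:
        print("WARNING", line)
    print("tunnel can negotiate" if not errs else "tunnel will NOT negotiate")
```

Run as-is it reports no errors and six warnings for the article's values (3DES, SHA-1 and group 2 on both phases, plus PFS off); change one side's DH group or IKE version and the same run flags the parameter that will make the peers reject each other.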

With this information, we can now begin the process of building the IPSec tunnel.

Palo Alto Configuration

First, we start by doing the configuration on the Palo Alto firewall for the “Office” side. 

Zone and Interface

“Office” side –
Network -> Zones -> ‘Add’
Name:  Branch_Zone
Type:  Layer3
Click ‘Ok’.

Network -> Interfaces -> ‘Add’
Interface Name:  tunnel.201
Config tab -
Virtual Router:  10.241 Virtual Router (renamed from ‘default’)
Security Zone:  Branch_Zone
Click ‘Ok’.

IKE Crypto

“Office” side –

Network -> Network Profiles -> IKE Crypto -> ‘Add’
Name:  Branch_IKE_Crypto
DH Group:  2
Authentication:  sha1
Encryption:  3des
Key Lifetime:  8 Hours
Click ‘Ok’.

IKE Gateway 

“Office” side –
Network -> Network Profiles -> IKE Gateway -> ‘Add’
General tab -
Name:  Branch_IKE_Gateway
Version:  IKEv2 only mode  (the ASA must speak the same IKE version; ASA releases before 8.4 support only IKEv1, so with an older ASA select ‘IKEv1 only mode’ here instead)
Interface:  ethernet1/1  (the interface associated with the ‘outside’ IP address that will be connecting to the ‘Branch side’)
Local IP Address:  1.2.3.4  (the external IP address associated with this interface that will be connecting to the ‘Branch side’)
Peer IP Address Type:  IP
Peer Address:  6.7.8.9  (the external IP address at the ‘Branch Side’ that will be connected to)
Authentication:  Pre-Shared Key
Pre-shared Key:  AbCdEfGhIj123456@!
Confirm Pre-shared Key:  AbCdEfGhIj123456@!
Local Identification:  IP Address / 1.2.3.4
Peer Identification:  IP Address / 6.7.8.9

Advanced Options Tab -
IKEv2 -> IKE Crypto Profile:  Branch_IKE_Crypto
Click ‘Ok’

IPSec Crypto 

“Office” side –
Network -> Network Profiles -> IPSec Crypto -> ‘Add’
Name:  Branch_IPSec_Crypto
Encryption:  3des
Authentication:  sha1
DH Group:  no-pfs
Lifetime:  1 Hour

IPSec Tunnel

At this point, we have all the components we need to build the tunnel. Remember that the IKE Crypto profile is assigned on the IKE Gateway, so those options are not offered on this screen. Leave the Proxy IDs tab empty to start with. The ASA is a policy-based VPN and proposes exactly the local/remote network pairs from its crypto ACL, while the Palo Alto Networks firewall offers 0.0.0.0/0 on both sides when no Proxy ID is set; if Phase 2 then fails and the system log reports a proxy ID mismatch, add a Proxy ID on that tab with Local 10.241.0.0/16 and Remote 10.201.0.0/16 to mirror the ASA’s networks.

“Office” side –
Network -> IPSec Tunnels -> Add
Name:  Branch_Tunnel
Tunnel Interface:  tunnel.201
Type:  Auto Key
Address Type:  IPv4
IKE Gateway:  Branch_IKE_Gateway
IPSec Crypto Profile:  Branch_IPSec_Crypto
Click ‘Ok’.

Static Routes

The next step is to set up the static route so traffic for the branch is sent into the tunnel interface rather than following the default route. The route has no next hop because the tunnel interface itself is the exit.

“Office” side –
Network -> Virtual Routers -> 10.241 Virtual Router -> Static Routes -> Add
Name:  Branch-Remote-01
Destination:  10.201.0.0/16
Interface:  tunnel.201
Next Hop:  None

Security Policy

Once the static route is in place, you need a Security Policy that grants access across the tunnel for the subnets you want to be able to traverse it.

“Office” side –
Policies -> Security -> Add
General tab –
Name:  Office to Branch - Bidirectional

Source tab –
Source Zone:  Internal – 10.241 and Branch_Zone

Destination tab –
Destination Zone:  Internal – 10.241 and Branch_Zone

On the ‘Service/URL Category’ tab, change the Service from ‘application-default’ to ‘any’. ‘application-default’ is selected by design, and it means an application is only allowed on its standard port, so running HTTPS on port 8080 instead of 443, for example, would be dropped by this rule. I’ve seen it enough times that you want to set this rule to ‘any’, because if you’re connecting to a remote site via a dedicated tunnel there is a better than average chance that what you run remotely uses non-standard ports and you’ll want to reach those resources. Keep in mind that this, combined with a rule whose source and destination both include both zones, is very broad; once you know what actually needs to cross the tunnel, narrow the source and destination addresses to the two subnets.

Click ‘Ok’.

At this point, commit the configuration on the firewall to put all of the changes into effect.

Cisco ASA Configuration 

Next, we go to the Cisco ASA’s configuration steps.

Launch the ASDM client for the Cisco ASA. Here we get to use one of my favorite things about the Cisco ASDM software: a wizard. This wizard will make your life much easier when it comes to setting up an IPSec tunnel.

Go to ‘Wizards’ -> ‘IPsec VPN Wizard’. 

In this instance, we will be doing a ‘Site-to-Site’ VPN Tunnel Type. Keep this option selected, leave the ‘Enable inbound IPsec sessions to bypass interface access lists’ checkbox checked (this is the ‘sysopt connection permit-vpn’ setting: decrypted tunnel traffic skips the outside interface’s access list, so uncheck it if you intend to filter tunnel traffic with that ACL) and click ‘Next’.

On this next screen, we set the IP address of the remote system we will connect to and enter the pre-shared key for the connection. The ‘Tunnel Group Name’ is filled in automatically once you enter the ‘Peer IP Address’, and experience has told me that you do not want to change the Tunnel Group Name from the peer’s IP address, so leave it alone (for a site-to-site tunnel group the ASA looks the group up by the peer’s IP address). When done, click ‘Next’.

Next, we set the IKE Policy for the ASA. I’m dealing with an older ASA, so these are the values I have available to me:

Encryption:  3DES
Authentication: SHA
Diffie-Hellman Group:  2
When done, click ‘Next’.

Now for the IPsec Rule, we will use the following values:

Encryption:  3DES
Authentication:  SHA

I also read in numerous places while first setting this up that it is easiest to uncheck ‘Enable Perfect Forward Secrecy (PFS)’ when connecting a Palo Alto Networks firewall to a Cisco ASA, so that is why I’ve unchecked this box. If you’re able to get it to work with this checked and the Palo Alto Networks firewall’s ‘IPSec Crypto’ profile changed accordingly, well done!

When done, click ‘Next’.

Next, we will select the subnets that will traverse the tunnel. In our example, we will have the Cisco ASA’s network of 10.201.0.0/16 and the PA-220’s network of 10.241.0.0/16 be the networks that will communicate with each other. 

To the right of ‘Local Networks’, click the ellipsis to open the ‘Browse Local Networks’ box.

As you can see, my Cisco ASA has a number of subnets. In this instance, we only want the network named ‘inside-network’. Double-clicking it adds it to the ‘Local Networks’ list at the bottom of the screen; if there were more subnets to include, each double-click would append another one to that list. Once added, click ‘Ok’.

Now, back at Step 5 of the VPN Wizard, we need to add the ‘Remote Networks’. Click the ellipsis to the right of ‘Remote Networks’.

On this screen, we need to add the subnet behind the Palo Alto Networks firewall, which does not yet exist as a network object on the ASA, so we create it first. From this screen, click ‘Add’ and then ‘Network Object’.

Since the remote network we want to add is 10.241.0.0/16, we will fill in the ‘Add Network Object’ box as in the image below. Once complete, click ‘Ok’.

After we’ve added the Network Object for 10.241.0.0/16, it is automatically highlighted for us. Double-clicking it adds it to the ‘Remote Networks’ list at the bottom of the screen; as with the local networks, each additional double-click appends another subnet to that list. When done, click ‘Ok’.

Now you can see that both the local and the remote subnet have been added to the tunnel. Click ‘Next’ and you will be brought to the Summary screen to verify all of your entries to this point.

Here is the summary screen. Read through your options and if everything looks correct, click ‘Finish’.

That’s it! Your IPSec tunnel between the two devices should now be live. Verify it before relying on it: on the Palo Alto Networks side, Network -> IPSec Tunnels shows the Phase 1 and Phase 2 status indicators for Branch_Tunnel, and from the CLI ‘show vpn ike-sa’ and ‘show vpn ipsec-sa’ list the negotiated SAs; on the ASA, ‘show crypto isakmp sa’ (or ‘show crypto ikev2 sa’ on an IKEv2 tunnel) and ‘show crypto ipsec sa’ do the same. The tunnel is only negotiated once there is traffic for it, so send something from a host in 10.241.0.0/16 to a host in 10.201.0.0/16, or trigger it from the Palo Alto Networks CLI with ‘test vpn ike-sa gateway Branch_IKE_Gateway’.
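The usual way a Palo Alto Networks to Cisco ASA tunnel fails is that Phase 1 comes up and Phase 2 stalls, because the ASA proposes the exact local/remote network pairs chosen in the wizard while the route-based Palo Alto Networks side offers either 0.0.0.0/0 or its configured Proxy IDs. The following Python script is an added example (not code from this article or from either vendor) that mirrors the ASA’s network pairs onto the Palo Alto Networks side and reports, for each pair, whether a Proxy ID covers it and whether the static route from the ‘Static Routes’ step sends that traffic into tunnel.201. The assumption that the wizard’s crypto ACL permits every local network to every remote one, the function names, and the sample data built from the 10.201.0.0/16 and 10.241.0.0/16 networks and the Branch-Remote-01 route are mine; it also handles the multi-subnet case the wizard text mentions.

```python
"""Check the Phase 2 traffic selectors of a Palo Alto Networks <-> Cisco ASA
tunnel before calling it live.

Added example: not code from the article or from either vendor.  The ASA is a
policy-based VPN, so every local/remote network pair chosen in the wizard is
one selector it will propose or accept.  The Palo Alto Networks side is
route-based: with no Proxy IDs it offers 0.0.0.0/0 <-> 0.0.0.0/0, with Proxy IDs
it offers exactly those pairs, and a static route decides which traffic even
reaches the tunnel interface.
"""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def asa_pairs(local_nets, remote_nets):
    """Expand the wizard's lists into (local, remote) pairs.  Assumption: the
    crypto ACL the wizard builds permits every local network to every remote one."""
    return [(ipaddress.ip_network(l), ipaddress.ip_network(r))
            for l in local_nets for r in remote_nets]


def route_for(routes, dest):
    """Longest-prefix match of dest over static routes given as (prefix, interface)."""
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dest.subnet_of(net) and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def check_selectors(asa_local, asa_remote, pan_proxy_ids, pan_routes, tunnel_iface):
    """Return one dict per ASA pair, expressed from the PAN side.

    selector: 'exact'   - a PAN Proxy ID matches the pair exactly
              'wider'   - only a broader Proxy ID (or the 0.0.0.0/0 default) covers
                          it; this relies on the peer narrowing the selector,
                          which IKEv2 allows and an IKEv1 ASA does not
              'missing' - nothing covers it; Phase 2 fails for this pair
    route_ok: the PAN static route for the remote network points at the tunnel interface
    """
    pan_ids = [(ipaddress.ip_network(l), ipaddress.ip_network(r))
               for l, r in pan_proxy_ids] or [(ANY, ANY)]
    results = []
    for asa_l, asa_r in asa_pairs(asa_local, asa_remote):
        local, remote = asa_r, asa_l          # the ASA's remote is the PAN's local
        if (local, remote) in pan_ids:
            status = "exact"
        elif any(local.subnet_of(pl) and remote.subnet_of(pr) for pl, pr in pan_ids):
            status = "wider"
        else:
            status = "missing"
        route = route_for(pan_routes, remote)
        results.append({"local": str(local), "remote": str(remote), "selector": status,
                        "route_ok": route is not None and route[1] == tunnel_iface})
    return results


# Constructed from the article: the ASA's inside network, the PA-220's network,
# the PAN static route Branch-Remote-01, and (initially) no Proxy IDs.
ASA_LOCAL = ["10.201.0.0/16"]
ASA_REMOTE = ["10.241.0.0/16"]
PAN_ROUTES = [("10.201.0.0/16", "tunnel.201")]

if __name__ == "__main__":
    for proxy_ids in ([], [("10.241.0.0/16", "10.201.0.0/16")]):
        print("PAN Proxy IDs:", proxy_ids or "none (default 0.0.0.0/0 <-> 0.0.0.0/0)")
        for row in check_selectors(ASA_LOCAL, ASA_REMOTE, proxy_ids, PAN_ROUTES, "tunnel.201"):
            print("  ", row)
```

With no Proxy IDs the article’s pair is reported as ‘wider’ (it works only if the ASA accepts a narrowed selector), and adding the mirrored Proxy ID turns it into ‘exact’; a second ASA local network without a corresponding Palo Alto Networks route shows up with route_ok False, which is the symptom of traffic for that subnet leaking out the default route instead of the tunnel.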
