IKEv1 Site-to-Site tunnel between Cisco ASA and Palo Alto NGFW — Part 1

Clarence Subia
2 min read · Mar 20, 2022


A step-by-step guide to configuring a site-to-site tunnel between two firewalls (Cisco ASA and Palo Alto NGFW).

PART 1 — Configure Cisco ASA

1. Set up the ASA’s interfaces and default route.

ASAv(config)# interface management 0/0
ASAv(config-if)# no shut
ASAv(config-if)# nameif mgmt
ASAv(config-if)# security-level 100
ASAv(config-if)# ip address 192.168.203.10 255.255.255.0

ASAv(config)# interface g0/0
ASAv(config-if)# no shutdown
ASAv(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASAv(config-if)# ip address 192.168.10.1 255.255.255.0

ASAv(config)# interface g0/1
ASAv(config-if)# no shutdown
ASAv(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ASAv(config-if)# ip address 172.64.128.100 255.255.255.0

ASAv(config)# route outside 0.0.0.0 0.0.0.0 172.64.128.101

2. Create a user account and enable SSH on the management interface.

ASAv(config)# username admin password cisco123
ASAv(config)# aaa authentication ssh console LOCAL
ASAv(config)# crypto key generate rsa modulus 2048
ASAv(config)# ssh version 2
ASAv(config)# ssh 192.168.203.0 255.255.255.0 mgmt

3. Create the local and remote network object groups.

ASAv(config)# object-group network local-network
ASAv(config-network-object-group)# network-object 192.168.10.0 255.255.255.0

ASAv(config)# object-group network remote-network
ASAv(config-network-object-group)# network-object 10.128.64.0 255.255.255.0

4. Enable IKEv1 on the outside interface.

ASAv(config)# crypto ikev1 enable outside

5. Create an IKEv1 policy, a.k.a. the Phase 1 policy.

ASAv(config)# crypto ikev1 policy 10
ASAv(config-ikev1-policy)# hash sha
ASAv(config-ikev1-policy)# authentication pre-share
ASAv(config-ikev1-policy)# group 2
ASAv(config-ikev1-policy)# encryption aes

6. Configure the tunnel group.

ASAv(config)# tunnel-group 172.64.128.101 type ipsec-l2l
ASAv(config)# tunnel-group 172.64.128.101 ipsec-attributes
ASAv(config-tunnel-ipsec)# ikev1 pre-shared-key Cisco123

7. Configure the IPsec policy (transform set), a.k.a. the Phase 2 policy.

ASAv(config)# crypto ipsec ikev1 transform-set AES-SHA esp-aes esp-sha-hmac

8. Create the crypto ACL (interesting traffic) and the crypto map.

ASAv(config)# access-list CryptoACL extended permit ip object-group local-network object-group remote-network

ASAv(config)# crypto map outside_map interface outside
ASAv(config)# crypto map outside_map 10 match address CryptoACL
ASAv(config)# crypto map outside_map 10 set peer 172.64.128.101
ASAv(config)# crypto map outside_map 10 set ikev1 transform-set AES-SHA
ASAv(config)# crypto map outside_map 10 set pfs group2

9. Verification commands:

ASAv# show crypto isakmp sa
ASAv# show crypto ipsec sa peer 172.64.128.101
ASAv# show vpn-sessiondb l2l
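Before pushing steps 4 to 8 to a production box it helps to check that the pieces reference each other (the crypto map sits on the interface where IKEv1 is enabled, the peer has an ipsec-l2l tunnel-group with a pre-shared key, the ACL and transform set it names exist) and to see which of the chosen parameters (SHA-1, DH group 2) are legacy choices. The script below is an added example, not part of the original post and not a Cisco tool; it parses config text in running-config form (prompts removed, sub-mode lines indented), so the constructed sample is the article's commands in that form, with the ACL written as the ASA stores it.

```python
# Added example (not from the original post): parse the ASA commands from the
# walkthrough, check that Phase 1 / Phase 2 pieces reference each other, and
# flag legacy crypto parameters. Prompts removed, sub-mode lines indented.

# Constructed sample: the commands from steps 4 to 8 of the article.
SAMPLE_CONFIG = """
crypto ikev1 enable outside
crypto ikev1 policy 10
 hash sha
 authentication pre-share
 group 2
 encryption aes
tunnel-group 172.64.128.101 type ipsec-l2l
tunnel-group 172.64.128.101 ipsec-attributes
 ikev1 pre-shared-key Cisco123
crypto ipsec ikev1 transform-set AES-SHA esp-aes esp-sha-hmac
access-list CryptoACL extended permit ip object-group local-network object-group remote-network
crypto map outside_map interface outside
crypto map outside_map 10 match address CryptoACL
crypto map outside_map 10 set peer 172.64.128.101
crypto map outside_map 10 set ikev1 transform-set AES-SHA
crypto map outside_map 10 set pfs group2
"""

# Settings that Cisco's Next Generation Encryption guidance classes as legacy.
LEGACY_PHASE1 = {"hash": {"md5", "sha"}, "group": {"1", "2", "5"}, "encryption": {"des", "3des"}}
LEGACY_PHASE2 = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac", "group1", "group2", "group5"}


def parse_config(text):
    """Collect the VPN-relevant objects from running-config style text."""
    cfg = {"ikev1_ifaces": set(), "policies": {}, "tunnel_groups": {}, "transform_sets": {}, "acls": set(), "crypto_maps": {}}
    ctx = None  # (kind, key) of the sub-mode that indented lines belong to
    for raw in text.splitlines():
        w = raw.split()
        if not w:
            continue
        if raw[0].isspace() and ctx:  # sub-mode line
            kind, key = ctx
            if kind == "policy":
                cfg["policies"][key][w[0]] = " ".join(w[1:])
            elif kind == "tg" and w[:2] == ["ikev1", "pre-shared-key"]:
                cfg["tunnel_groups"][key]["psk"] = True
            continue
        ctx = None  # back at global configuration mode
        if w[:3] == ["crypto", "ikev1", "enable"]:
            cfg["ikev1_ifaces"].add(w[3])
        elif w[:3] == ["crypto", "ikev1", "policy"]:
            cfg["policies"].setdefault(w[3], {})
            ctx = ("policy", w[3])
        elif w[0] == "tunnel-group":
            tg = cfg["tunnel_groups"].setdefault(w[1], {"type": None, "psk": False})
            if w[2] == "type":
                tg["type"] = w[3]
            elif w[2] == "ipsec-attributes":
                ctx = ("tg", w[1])
        elif w[:4] == ["crypto", "ipsec", "ikev1", "transform-set"]:
            cfg["transform_sets"][w[4]] = w[5:]
        elif w[0] == "access-list":
            cfg["acls"].add(w[1])
        elif w[:2] == ["crypto", "map"]:
            cm = cfg["crypto_maps"].setdefault(w[2], {"interface": None, "entries": {}})
            if w[3] == "interface":
                cm["interface"] = w[4]
            else:
                e = cm["entries"].setdefault(w[3], {})
                if w[4:] == ["set", "pfs"]:  # "set pfs" without a group means group2 on the ASA
                    w.append("group2")
                e[w[-2]] = w[-1]  # keys: address, peer, transform-set, pfs
    return cfg


def check_config(cfg):
    """Return (errors, warnings): an error means the tunnel cannot come up as written."""
    errors, warnings = [], []
    if not cfg["policies"]:
        errors.append("no crypto ikev1 policy defined")
    for num, p in cfg["policies"].items():
        for attr, weak in LEGACY_PHASE1.items():
            if p.get(attr) in weak:
                warnings.append(f"ikev1 policy {num}: '{attr} {p[attr]}' is a legacy setting")
    for name, cm in cfg["crypto_maps"].items():
        if cm["interface"] not in cfg["ikev1_ifaces"]:
            errors.append(f"crypto map {name}: not bound to an interface with IKEv1 enabled")
        for seq, e in cm["entries"].items():
            where = f"crypto map {name} {seq}"
            if e.get("address") not in cfg["acls"]:
                errors.append(f"{where}: crypto ACL {e.get('address')} does not exist")
            ts = cfg["transform_sets"].get(e.get("transform-set"))
            if ts is None:
                errors.append(f"{where}: transform-set {e.get('transform-set')} does not exist")
            warnings += [f"{where}: {alg} is a legacy algorithm" for alg in ts or () if alg in LEGACY_PHASE2]
            if e.get("pfs") in LEGACY_PHASE2:
                warnings.append(f"{where}: pfs {e['pfs']} is a legacy DH group")
            tg = cfg["tunnel_groups"].get(e.get("peer"))
            if tg is None or tg["type"] != "ipsec-l2l":
                errors.append(f"{where}: peer {e.get('peer')} has no ipsec-l2l tunnel-group")
            elif not tg["psk"]:
                errors.append(f"{where}: tunnel-group {e['peer']} has no ikev1 pre-shared-key")
    return errors, warnings
```

Running `check_config(parse_config(SAMPLE_CONFIG))` on the article's configuration returns no errors and four warnings: `hash sha` and `group 2` in the Phase 1 policy, `esp-sha-hmac` in the transform set, and `pfs group2`. The same checks run against the text of `show running-config` pulled from a real ASA, which is where the cross-reference errors (a crypto map bound to an interface without `crypto ikev1 enable`, a mistyped transform-set name, a peer without a tunnel-group) usually surface after a copy-and-paste deployment.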

Written by Clarence Subia

Network Engineer / Penetration Tester