Step-by-step: Configure a Palo Alto (v5.x) to connect to the Cloud.

Article ID: 166943

Products

CDP Integration Server

Issue/Introduction

How do I configure a Palo Alto firewall (v5.x) to send IPsec traffic to the Cloud?

Resolution

Prerequisite for this guide: an up-and-running Palo Alto firewall on PAN-OS 5.x. The menu paths below are from PAN-OS v5.x.

GOTO: Network – Interfaces – Tunnel tab

Click “add” and create a new Tunnel Interface using your default virtual router. If you have multiple virtual routers, place the tunnel interface in the virtual router where your internet traffic is egressing.

You must assign an IP address to the tunnel interface. This address is NOT used for any traffic; it is required only because of a PAN-OS limitation (Policy Based Forwarding cannot forward traffic to an interface that has no IP address).

In this example, the IP address used belongs to the Trust zone, but it does not seem to matter which IP address you use, as long as it is a /32 address.

GOTO: Network – Zones

Create a new Zone called Cloud (this zone is used to create the “no NAT” rule later on).

Add the Tunnel Interface you created to this zone.

GOTO: Network – Network Profiles – IKE Crypto

Click on “add” and create a new IKE Crypto Profile like this:

GOTO: Network – Network Profiles – IPSec Crypto

Click on “add” and create a new IPSec Crypto Profile like this: 

GOTO: Network – Network Profiles – IKE Gateway

Click on “add” and create a new IKE Gateway like this: 

  • Interface: the internet-facing interface
  • Peer IP Address: the IP address of the Cloud data center you want to send traffic to, taken from 000014776
  • Pre-shared Key (PSK): this value must match the PSK you configured for your "Location" in your Customer Portal
  • Exchange Mode: set to "main" (the Cloud does NOT support "aggressive" mode)
  • IKE Crypto Profile: select the IKE Crypto Profile created in the previous step
  • Enable NAT Traversal: make sure that NAT-T is DISABLED

GOTO: Network – IPSec Tunnels

Click “add” and set up a new IPSec Tunnel like this: 

Use the Tunnel Interface, the IKE Gateway, and the IPSec Crypto Profile created previously.

GOTO: The "Proxy IDs" tab in the IPsec Tunnel object

Click “add” to add the Local network that will access the Cloud: 

*** In a normal site-to-site (non-Cloud) VPN you would create one Proxy ID for *each* subnet or service that needs to use the VPN. The Cloud service, however, accepts only one (1) Proxy ID per tunnel. So make sure that the one (1) Proxy ID you create covers all subnets you want to send to the Cloud, or create multiple VPN tunnels.
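The single-Proxy-ID rule above has a practical consequence: the local subnet you enter must be a supernet of every client subnet that should reach the Cloud, and widening it to one network may pull in address space you never meant to send through the tunnel. The following Python 3 script is an added example, not part of the original article or of any Palo Alto tooling; it works out the smallest single network that covers a list of client subnets, how many extra addresses that cover adds, and how many Proxy IDs (and therefore separate tunnels) you would need if you refuse to over-cover. The subnets in it are constructed sample values.

```python
# Added example (not from the original article): check whether one Proxy ID
# can cover all client subnets, and what the cost of doing so is.
import ipaddress
from typing import Dict, List, Sequence, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample client subnets; replace with your own.
SAMPLE_CLIENT_SUBNETS: List[str] = ["10.10.0.0/24", "10.10.1.0/24", "10.10.2.0/25"]


def smallest_covering_supernet(subnets: Sequence[str]) -> Network:
    """Return the smallest network that contains every subnet in `subnets`.

    Networks are either nested or disjoint, so any network that covers all of
    them is a supernet of the first entry. Start there and widen by one prefix
    bit at a time until each remaining subnet fits inside the cover.
    """
    nets = [ipaddress.ip_network(s, strict=False) for s in subnets]
    if not nets:
        raise ValueError("no subnets given")
    if len({n.version for n in nets}) != 1:
        raise ValueError("one Proxy ID cannot mix IPv4 and IPv6 subnets")
    cover: Network = nets[0]
    for net in nets[1:]:
        while not net.subnet_of(cover):
            cover = cover.supernet()  # widen by one bit; /0 returns itself
    return cover


def coverage_report(subnets: Sequence[str]) -> Dict[str, object]:
    """Summarise the single-Proxy-ID cover versus an exact multi-tunnel plan."""
    nets = [ipaddress.ip_network(s, strict=False) for s in subnets]
    cover = smallest_covering_supernet(subnets)
    # collapse_addresses merges adjacent and overlapping networks, so its
    # output is exactly the Proxy ID list you would need with no over-cover,
    # one tunnel per entry.
    exact = list(ipaddress.collapse_addresses(nets))
    listed = sum(n.num_addresses for n in exact)
    return {
        "single_proxy_id": str(cover),
        "extra_addresses": cover.num_addresses - listed,
        "exact_proxy_ids": [str(n) for n in exact],
        "tunnels_without_overcover": len(exact),
    }


if __name__ == "__main__":
    report = coverage_report(SAMPLE_CLIENT_SUBNETS)
    print("Client subnets:            ", ", ".join(SAMPLE_CLIENT_SUBNETS))
    print("Single Proxy ID cover:     ", report["single_proxy_id"])
    print("Extra addresses in cover:  ", report["extra_addresses"])
    print("Exact Proxy IDs (one/tunnel):", ", ".join(report["exact_proxy_ids"]))
```

For the sample subnets the single cover is 10.10.0.0/22, which adds 384 addresses that are not in any client subnet; the exact alternative is two Proxy IDs (10.10.0.0/23 and 10.10.2.0/25), i.e. two tunnels. If the extra space is harmless (unused addresses in your own range) the single Proxy ID is the simpler choice; if it would include hosts that must not be steered to the Cloud, build one tunnel per exact Proxy ID instead.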

At this stage, the VPN tunnel should go up when you commit the changes.

Now create the policy rules.

GOTO: Policies – Security

Create a rule that allows traffic from the zone where your clients reside to the Cloud zone, for BOTH the http and https services:

GOTO: Policies – NAT

Create a rule that disables NAT for traffic sent to the Cloud zone (IPsec traffic to the Cloud must NOT be NAT'd):

GOTO: Policies – Policy Based Forwarding

Create a rule that will forward BOTH http and https to your tunnel interface: 

When all of this is committed, the tunnel should show as established under Network – IPSec Tunnels:

You can also issue the CLI command show vpn flow to confirm that the tunnel is up and active: