
Chapter 3. Advanced Networking

Site-to-Site VPN: Palo Alto, Cisco and FortiGate

Learning Objectives

  • Create a tunnel on a Cisco router
  • Create a tunnel on a Palo Alto firewall
  • Connect the Cisco router tunnel to the Palo Alto
  • Connect a FortiGate tunnel to the Palo Alto

Scenario: We will build a site-to-site VPN between the Cisco router and the Palo Alto firewall, and then extend the lab with a tunnel between a FortiGate and the Palo Alto.

 

Figure 3.65: Main Scenario

Table 3.16: Addressing Table

Device          Configuration                                   Recommended RAM
Palo Alto       Ethernet 1/1: 10.10.10.2/24 – Type: Layer3      4096 MB
                Ethernet 1/2: 192.168.10.1/24 – Type: Layer3
                Management: 192.168.0.1/24 – Type: Layer3
Router (7200)   G1/0: 10.10.10.1/24                             Default
                G2/0: 192.168.20.1/24
WebTerm-1       192.168.0.2/24                                  4096 MB
WebTerm-2       IPv4: 192.168.10.2/24, GW: 192.168.10.1         2048 MB
WebTerm-3       IPv4: 192.168.20.2/24, GW: 192.168.20.1         2048 MB

Zones

Table 3.17: Zones

Zone     Interface
VPN      Ethernet 1/1
Trust    Ethernet 1/2

Cisco

1. First, configure the router with the following commands:

! Crypto ACL: the "interesting" traffic between the router's LAN and the Palo Alto LAN
ip access-list extended Crypto_Acl
 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
!
! IKE phase 1 policy: must match the Palo Alto IKE Crypto Profile (aes-128-cbc, md5, group5)
crypto isakmp policy 1
 encr aes
 hash md5
 authentication pre-share
 group 5
!
! Pre-shared key for the Palo Alto peer; the same key is entered in the Palo Alto IKE Gateway
crypto isakmp key cisco123 address 10.10.10.2
!
! IPsec phase 2 transform set: must match the Palo Alto IPSec Crypto Profile (aes-128-cbc, sha1)
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
!
! Crypto map ties the peer, the transform set and the crypto ACL together
crypto map CMAP 10 ipsec-isakmp
 set peer 10.10.10.2
 set transform-set TSET
 match address Crypto_Acl
!
! Apply the crypto map to the interface facing the Palo Alto
interface GigabitEthernet1/0
 crypto map CMAP
!
! Default route towards the Palo Alto
ip route 0.0.0.0 0.0.0.0 10.10.10.2

Palo Alto

1. Create a tunnel interface (tunnel1, used again in steps 2 and 7) and assign it to the VPN zone.

Figure 3.66: Create a tunnel

2. Create a static route with the following information:

Destination Address: 192.168.20.0/24
Interface: tunnel1
Next Hop: None

Figure 3.67: Create a static route

3. Create two security policies that allow traffic from the Trust zone to the VPN zone and from the VPN zone to the Trust zone.

Figure 3.68: Create two policies

4. Create an IKE Crypto Profile with the following information:

Name: IKEProfile
DH Group: Group5
Authentication: md5
Encryption: aes-128-cbc

Figure 3.69: Create an IKE Crypto Profile

5. Create an IPSec Crypto Profile with the following information:

Name: IPSECProfile
DH Group: Group2
Authentication: sha1
Encryption: aes-128-cbc

Figure 3.70: Create an IPSec Crypto Profile


6. Create an IKE Gateway with the following information:

Name: IKE_Gateway
Interface: ethernet1/1
Local IP Address: 10.10.10.2/24
Peer Address: 10.10.10.1
Pre-shared Key: cisco123
Advanced Options > Exchange mode: main
Advanced Options > IKE Crypto Profile: IKEProfile

Figure 3.71: Create an IKE Gateway

7. Create an IPSec tunnel with the following information:

Name: IPSEC
Tunnel Interface: tunnel1
IKE Gateway: IKE_Gateway
IPSec Crypto Profile: IPSECProfile
Proxy ID: Name: LocalRemote, Local: 192.168.10.0/24, Remote: 192.168.20.0/24

The Proxy ID is the Cisco Crypto_Acl seen from the Palo Alto side, so Local and Remote are swapped relative to the router's access list.

Figure 3.72: Create a Proxy ID

8. Ping from 192.168.10.2 (WebTerm-2) to 192.168.20.2 (WebTerm-3); the ping should succeed.

Figure 3.73: Verify successful ping

9. Check the status of your tunnel.

Figure 3.74: Verify tunnel status

FortiGate

1. Now add the FortiGate device to the diagram.

Figure 3.75: Main Scenario with the FortiGate added

2. Configure a custom VPN tunnel with the following information:

  • Remote Gateway
    IP Address: 10.10.10.2
    Interface: port3
  • Authentication
    Method: Pre-shared Key
    Pre-shared Key: cisco123
  • Phase 1 Proposal
    Encryption: AES128, Authentication: MD5, DH Group: 5
  • Phase 2 Selectors
    Local Address: 192.168.20.0/24, Remote Address: 192.168.10.0/24
    Advanced (Phase 2 Proposal): Encryption: AES128, Authentication: SHA1, DH Group: 2

These values mirror the Palo Alto side: the Phase 1 proposal matches IKEProfile, the Phase 2 proposal matches IPSECProfile, and the selectors are the Palo Alto Proxy ID with Local and Remote swapped.

Figure 3.76: Remote IP address configuration
Figure 3.77: Pre-shared Key
Figure 3.78: Phase 1 Proposal
Figure 3.79: Local and Remote subnets
Figure 3.80: Phase 2 Proposal

3. Create two IPv4 security policies, one from the tunnel interface to port2 and one from port2 to the tunnel interface, allowing all traffic with NAT disabled.

Figure 3.81: Create two policies from tunnel to port2 and from port2 to tunnel

4. Create a static route with the following information:

Destination: 192.168.10.0/24
Interface: Tunnel

Figure 3.83: Create a static route

5. Verify your configuration on both the FortiGate and the Palo Alto.

Figure 3.84: Verify tunnel status

6. You should be able to ping from WebTerm-2 to WebTerm-3.

Figure 3.85: Verify successful ping
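Every value entered in the Cisco, Palo Alto and FortiGate sections above has to agree with the peer at the other end of its tunnel; a differing hash, DH group or pre-shared key, or a Proxy ID that is not the mirror image of the peer's selectors, is the usual reason a tunnel in this lab stays down. The following Python script is an added example, not part of the chapter and not vendor code: it embeds the Cisco configuration from the Cisco section and the Palo Alto (steps 4 to 7) and FortiGate (step 2) values as constructed inline data, normalises each vendor's spelling into one form, and reports every parameter that differs between the two ends of each tunnel. It also surfaces two things the chapter does not spell out: the Cisco crypto map configures no `set pfs` while the Palo Alto IPSec profile proposes DH group 2, which IOS accepts only when it is the responder (in step 8 the ping originates behind the Palo Alto, so the Palo Alto initiates), and MD5 with DH groups 2 and 5 are legacy choices, reported as advisory warnings because the lab uses them deliberately. The names `ENC`, `HASH`, `parse_cisco`, `normalise`, `compare` and `check_lab` are this example's own.

```python
"""Cross-check IKE phase 1 / IPsec phase 2 settings between the VPN peers of this lab.
Added example: the values are the chapter's, the parser and checks are not vendor code."""
import ipaddress, re

# Cisco configuration from the chapter's Cisco section, embedded so the check runs offline.
CISCO_CONFIG = """
ip access-list extended Crypto_Acl
 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
crypto isakmp policy 1
 encr aes
 hash md5
 authentication pre-share
 group 5
crypto isakmp key cisco123 address 10.10.10.2
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
crypto map CMAP 10 ipsec-isakmp
 set peer 10.10.10.2
 set transform-set TSET
 match address Crypto_Acl
"""
# GUI values from the Palo Alto (steps 4-7) and FortiGate (step 2) sections, in each vendor's own spelling.
PALO_ALTO = {"phase1": {"encryption": "aes-128-cbc", "hash": "md5", "group": "Group5"},
             "phase2": {"encryption": "aes-128-cbc", "hash": "sha1", "group": "Group2"},
             "psk": "cisco123", "local_net": "192.168.10.0/24", "remote_net": "192.168.20.0/24"}
FORTIGATE = {"phase1": {"encryption": "AES128", "hash": "MD5", "group": "5"},
             "phase2": {"encryption": "AES128", "hash": "SHA1", "group": "2"},
             "psk": "cisco123", "local_net": "192.168.20.0/24", "remote_net": "192.168.10.0/24"}
# Vendor spellings -> one canonical name.  IOS "encr aes" with no key size means AES-128.
ENC = {"aes": "aes-128-cbc", "aes128": "aes-128-cbc", "aes-128-cbc": "aes-128-cbc",
       "esp-aes": "aes-128-cbc", "aes 256": "aes-256-cbc", "aes256": "aes-256-cbc"}
HASH = {"md5": "md5", "esp-md5-hmac": "md5", "sha": "sha1", "sha1": "sha1", "esp-sha-hmac": "sha1"}
LEGACY = {"md5", "group1", "group2", "group5"}  # reported as warnings only; the lab uses them on purpose

def norm_group(value):
    """'Group5', 'group5' and '5' all become 'group5'; None (no PFS) stays None."""
    digits = re.sub(r"\D", "", value or "")
    return f"group{digits}" if digits else None

def wildcard_to_cidr(network, wildcard):
    """IOS ACL 'network wildcard' -> CIDR, e.g. 192.168.20.0 0.0.0.255 -> 192.168.20.0/24."""
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return str(ipaddress.IPv4Network(f"{network}/{netmask}"))

def parse_cisco(cfg):
    """Pull phase 1, phase 2, PSK and crypto ACL out of an IOS crypto-map configuration."""
    p = {"phase1": {}, "phase2": {"encryption": None, "hash": None, "group": None},
         "psk": None, "local_net": None, "remote_net": None}
    for tok in (line.split() for line in cfg.splitlines() if line.strip()):
        if tok[:2] == ["permit", "ip"]:               # crypto ACL: local subnet first, remote second
            p["local_net"], p["remote_net"] = wildcard_to_cidr(*tok[2:4]), wildcard_to_cidr(*tok[4:6])
        elif tok[0] == "encr":
            p["phase1"]["encryption"] = ENC[" ".join(tok[1:])]
        elif tok[0] == "hash":
            p["phase1"]["hash"] = HASH[tok[1]]
        elif tok[0] == "group":
            p["phase1"]["group"] = norm_group(tok[1])
        elif tok[:3] == ["crypto", "isakmp", "key"]:
            p["psk"] = tok[3]
        elif tok[:3] == ["crypto", "ipsec", "transform-set"]:
            p["phase2"].update(encryption=ENC[tok[4]], hash=HASH[tok[5]])
        elif tok[:2] == ["set", "pfs"]:               # not in the lab config, so phase2 group stays None
            p["phase2"]["group"] = norm_group(tok[2])
    return p

def normalise(side):
    """Bring a GUI-style settings dict into the canonical form parse_cisco() returns."""
    out = dict(side)
    for ph in ("phase1", "phase2"):
        s = side[ph]
        out[ph] = {"encryption": ENC[s["encryption"].lower()], "hash": HASH[s["hash"].lower()],
                   "group": norm_group(s["group"])}
    return out

def compare(name_a, a, name_b, b):
    """Return (errors, warnings) for one tunnel: errors keep it down, warnings are worth knowing."""
    errors, warnings = [], []
    for ph, keys in (("phase1", ("encryption", "hash", "group")), ("phase2", ("encryption", "hash"))):
        for key in keys:
            if a[ph][key] != b[ph][key]:
                errors.append(f"{ph} {key} differs: {name_a}={a[ph][key]} {name_b}={b[ph][key]}")
    ga, gb = a["phase2"]["group"], b["phase2"]["group"]
    if ga != gb and (ga is None or gb is None):
        # IOS accepts a PFS offer it did not configure when it is the responder, so this
        # only keeps working as long as the side without PFS never initiates the tunnel.
        warnings.append(f"phase2 PFS asymmetric ({name_a}={ga}, {name_b}={gb}): side without PFS must respond")
    elif ga != gb:
        errors.append(f"phase2 PFS group differs: {name_a}={ga} {name_b}={gb}")
    if a["psk"] != b["psk"]:
        errors.append("pre-shared keys differ")
    if a["local_net"] != b["remote_net"] or a["remote_net"] != b["local_net"]:
        errors.append(f"proxy IDs not mirrored: {name_a} {a['local_net']}->{a['remote_net']}, "
                      f"{name_b} {b['local_net']}->{b['remote_net']}")
    used = {x[ph][k] for x in (a, b) for ph in ("phase1", "phase2") for k in ("hash", "group")}
    warnings += [f"{alg} is a legacy choice: fine for the lab, avoid in production" for alg in sorted(used & LEGACY)]
    return errors, warnings

def check_lab():
    """Both tunnels of the chapter: Cisco <-> Palo Alto, then FortiGate <-> Palo Alto."""
    pa = normalise(PALO_ALTO)
    return {"cisco-paloalto": compare("cisco", parse_cisco(CISCO_CONFIG), "paloalto", pa),
            "fortigate-paloalto": compare("fortigate", normalise(FORTIGATE), "paloalto", pa)}
```

Calling `check_lab()` returns an empty error list for both tunnels, a PFS warning only for the Cisco tunnel, and the legacy-algorithm warnings for both. Changing a single value, for example the FortiGate Phase 1 authentication to SHA1, or entering the selectors the same way round as the Palo Alto Proxy ID, produces an error naming the exact parameter, which is the first thing to compare when the tunnel status in Figure 3.74 or 3.84 does not come up.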

 

Document is generated by Michael Sue

License


Palo Alto Firewall Copyright © 2023 by Hamid Talebi, Xavier Cawley is licensed under a Creative Commons Attribution 4.0 International License, except where otherwise noted.