{"id":1228,"date":"2026-01-23T16:06:30","date_gmt":"2026-01-23T21:06:30","guid":{"rendered":"https:\/\/pressbooks.bccampus.ca\/paloalto\/?post_type=chapter&p=1228"},"modified":"2026-02-19T15:36:20","modified_gmt":"2026-02-19T20:36:20","slug":"site-to-site-vpn-cisco-palo-alto","status":"publish","type":"chapter","link":"https:\/\/pressbooks.bccampus.ca\/paloalto\/chapter\/site-to-site-vpn-cisco-palo-alto\/","title":{"raw":"3.4 Site to Site VPN PaloAlto, Cisco and FortiGate","rendered":"3.4 Site to Site VPN PaloAlto, Cisco and FortiGate"},"content":{"raw":"
\r\n

Learning Objectives<\/p>\r\n\r\n<\/header>\r\n

\r\n
    \r\n \t
  • Create a tunnel in Cisco router<\/li>\r\n \t
  • Create a tunnel in Palo Alto<\/li>\r\n \t
  • Connect a tunnel from Cisco router to Palo Alto<\/li>\r\n \t
  • Connect a FortiGate tunnel to Palo Alto<\/li>\r\n<\/ul>\r\n<\/div>\r\n<\/div>\r\n
    \r\n\r\nScenario<\/strong>:\u00a0 We are going to do a site-to-site VPN from Cisco to Palo Alto and then expand it between FortiGate and Palo Alto.\r\n\r\n<\/div>\r\n \r\n\r\n[caption id=\"attachment_1232\" align=\"aligncenter\" width=\"790\"]\"\" Figure 3.65: Main Scenario[\/caption]\r\n\r\n
    \r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n
    Table 3.16: Addressing Table<\/caption>\r\n
    Device<\/strong><\/td>\r\nConfiguration<\/strong><\/td>\r\n<\/tr>\r\n
    Palo Alto<\/td>\r\nEthernet 1\/1: 10.10.10.2\/24 \u2013 Type: Layer3\r\n\r\nEthernet 1\/2: 192.168.10.1\/24 \u2013 Type: Layer3\r\n\r\nManagement: 192.168.0.1\/24\u2013 Type: Layer3<\/td>\r\n<\/tr>\r\n
    Router (7200)<\/td>\r\nG1\/0: 10.10.10.1\/24\r\n\r\nG2\/0: 192.168.20.1\/24<\/td>\r\n<\/tr>\r\n
    WebTerm-1<\/td>\r\n192.168.0.2\/24<\/td>\r\n<\/tr>\r\n
    WebTerm-2<\/td>\r\nIPV4: 192.168.10.2\/24 \u00a0 GW: 192.168.10.1<\/td>\r\n<\/tr>\r\n
    WebTerm-3<\/td>\r\nIPV4: 192.168.20.2\/24 \u00a0 GW: 192.168.20.1<\/td>\r\n<\/tr>\r\n<\/tbody>\r\n<\/table>\r\n<\/div>\r\n

    Zones<\/h2>\r\n
    \r\n\r\n\r\n\r\n\r\n
    Table 3.17: Zones<\/caption>\r\n
    Zones<\/strong><\/td>\r\nInterface<\/strong><\/td>\r\n<\/tr>\r\n
    VPN<\/td>\r\nEthernet 1 \/1<\/td>\r\n<\/tr>\r\n
    Trust<\/td>\r\nEthernet 1 \/2<\/td>\r\n<\/tr>\r\n<\/tbody>\r\n<\/table>\r\n<\/div>\r\n \r\n

    Cisco<\/strong><\/h2>\r\n
      \r\n \t
    1. First, configure the router with the following commands:<\/li>\r\n<\/ol>\r\n
      \r\n
      ip access-list extended Crypto_Acl\r\npermit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255\r\n\r\n\r\ncrypto isakmp policy 1\r\nencr aes\r\nhash md5\r\nauthentication pre-share\r\ngroup 5\r\n\r\n\r\ncrypto isakmp key cisco123 address 10.10.10.2\r\ncrypto ipsec transform-set TSET esp-aes esp-sha-hmac\r\n\r\n\r\n\r\ncrypto map CMAP 10 ipsec-isakmp\r\nset peer 10.10.10.2\r\nset transform-set TSET\r\nmatch address Crypto_Acl\r\n\r\n\r\ninterface Gi1\/0\r\ncrypto map CMAP\r\n\r\nip route 0.0.0.0 0.0.0.0 10.10.10.2<\/pre>\r\n \r\n\r\n<\/div>\r\n
      Palo Alto<\/h2>\r\n
        \r\n \t
      1. Create a tunnel and assign the tunnel to VPN Zone<\/li>\r\n<\/ol>\r\n[caption id=\"attachment_1266\" align=\"aligncenter\" width=\"1026\"]\"Figure Figure 3.66: create a tunnel[\/caption]\r\n\r\n2. Create a static route with following information:\r\n
        \r\n\r\nDestination Address: 192.168.20.0\/24\r\n\r\nInterface: tunnel1\r\n\r\nNext Hope: none\r\n\r\n<\/div>\r\n\r\n[caption id=\"attachment_1269\" align=\"aligncenter\" width=\"1023\"]\"\" Figure 3.67: create a static route[\/caption]\r\n\r\n \r\n\r\n3. Create a Policy that allows the traffic from Trust Zone to VPN Zone and vice versa.\r\n\r\n[caption id=\"attachment_1270\" align=\"aligncenter\" width=\"1031\"]\"\" Figure 3.68: create two policies[\/caption]\r\n\r\n4. Create an IKE profile with following information:\r\n
        \r\n\r\nName: IKEProfile\r\n\r\nDH Group: Group5\r\n\r\nAuthentication: md5\r\n\r\nEncryption: aes-128-cbc\r\n\r\n<\/div>\r\n\r\n[caption id=\"attachment_1271\" align=\"aligncenter\" width=\"1027\"]\"\" Figure 3.69: create a IKE Crypto Profile[\/caption]\r\n\r\n \r\n\r\n5. Create an IPSEC profile with following information:\r\n
        \r\n\r\nName: IPSECProfile\r\n\r\nDH Group: Group2\r\n\r\nAuthentication: sha1\r\n\r\nEncryption: aes-128-cbc\r\n\r\n<\/div>\r\n\r\n[caption id=\"attachment_1272\" align=\"aligncenter\" width=\"1024\"]\"\" Figure 3.70: create a IPSEC Crypto Profile[\/caption]\r\n\r\n \r\n\r\n6. Create an IKE Gateway with following information:\r\n
        \r\n\r\nName: IKE_Gateway\r\n\r\ninterface: ethernet 1\/1\r\n\r\nLocal IP Address: 10.10.10.2\/24\r\n\r\nPeer Address: 10.10.10.1\r\n\r\nPre-SharedKey: cisco123\r\n\r\nAdvanced Options> Exchange mode: main\r\n\r\nAdvanced Options> IKE Crypto Profile: IKEProfile\r\n\r\n<\/div>\r\n \r\n\r\n[caption id=\"attachment_1273\" align=\"aligncenter\" width=\"628\"]\"\" Figure 3.71: create a IKE Gateway[\/caption]\r\n\r\n7. Create an IPSEC tunnel with following information:\r\n
        \r\n\r\nName: IPSEC\r\n\r\nTunnel Interface: tunnel1\r\n\r\nIKE Gateway: IKE_Gateway\r\n\r\nIPSEC Crypto Profile: IPSECProfile\r\n\r\nProxy ID: \u00a0 ProxyID: LocalRemote\u00a0 \u00a0 \u00a0 Local: 192.168.10.0\/24\u00a0 \u00a0 Remote: 192.168.20.0\/24\r\n\r\n<\/div>\r\n\r\n[caption id=\"attachment_1274\" align=\"aligncenter\" width=\"1026\"]\"\" Figure 3.72: create a Proxy ID[\/caption]\r\n\r\n \r\n\r\n8. Successful ping from 192.168.10.2 to 192.168.20.2\r\n\r\n[caption id=\"attachment_1275\" align=\"aligncenter\" width=\"679\"]\"\" Figure 3.73: Verify successful ping[\/caption]\r\n\r\n9. Check status of your tunnel.\r\n\r\n[caption id=\"attachment_1276\" align=\"aligncenter\" width=\"1023\"]\"\" Figure 3.74: Verify tunnel status[\/caption]\r\n
        FortiGate<\/h2>\r\n
          \r\n \t
        1. Now, add the FortiGate device in the following diagram.<\/li>\r\n<\/ol>\r\n[caption id=\"attachment_1237\" align=\"aligncenter\" width=\"796\"]\"\" Figure 3.75: Main Senario and adding FortiGate[\/caption]\r\n\r\n \r\n\r\n2. Configure a custom VPN Tunnel with following information:\r\n
          \r\n
            \r\n \t
          • Remote Gateway<\/li>\r\n<\/ul>\r\n
            IP Address: 10.10.10.2<\/p>\r\n
            Interface: Port 3<\/p>\r\n\r\n
              \r\n \t
            • Authentication<\/li>\r\n<\/ul>\r\n
              Method: Pre-shared Key<\/p>\r\n
              Pre-shared Key: cisco123<\/p>\r\n\r\n
                \r\n \t
              • Phase 1 Proposal<\/li>\r\n<\/ul>\r\n
                Encryption: AES128 \u00a0 \u00a0 \u00a0 Authentication: MD5\u00a0 \u00a0 Group: 5<\/p>\r\n\r\n
                  \r\n \t
                • Phase 2 Selectors<\/li>\r\n<\/ul>\r\n
                  Local Address: 192.168.20.0\/24\u00a0 \u00a0 Remote Address: 192.168.10.0\/24<\/p>\r\n
                  Advanced: Encryption: AES128 \u00a0 Authentication: SHA1\u00a0 Group: 2<\/p>\r\n\r\n<\/div>\r\n\r\n[caption id=\"attachment_1286\" align=\"aligncenter\" width=\"1024\"]\"\" Figure 3.76: Remote IP address configuration[\/caption]\r\n\r\n[caption id=\"attachment_1287\" align=\"aligncenter\" width=\"1028\"]\"\" Figure 3.77: Pre-shared Key[\/caption]\r\n\r\n[caption id=\"attachment_1293\" align=\"aligncenter\" width=\"1021\"]\"\" Figure 3.78: Phase 1 Proposal[\/caption]\r\n\r\n[caption id=\"attachment_1289\" align=\"aligncenter\" width=\"1023\"]\"\" Figure 3.79: Local and Remote subnets[\/caption]\r\n\r\n[caption id=\"attachment_1292\" align=\"aligncenter\" width=\"1027\"]\"\" Figure 3.80: Phase 2 Proposal[\/caption]\r\n\r\n3. Create a Security IPV4 Policy from Tunnel to Port2 and from Port2 to Tunnel and allow all traffic (NAT should be disabled)\r\n\r\n[caption id=\"attachment_1280\" align=\"aligncenter\" width=\"1019\"]\"\" Figure 3.81: Create two policies from tunnel to port2 and from port2 to tunnel[\/caption]\r\n\r\n[caption id=\"attachment_1281\" align=\"aligncenter\" width=\"1026\"]\"\" Figure 3.82: Create two policies from tunnel to port2 and from port2 to tunnel[\/caption]\r\n\r\n \r\n\r\n4. Create a static route with following information:\r\n
                  \r\n\r\nDestination: 192.168.10.0\/24\r\n\r\nInterface: Tunnel\r\n\r\n<\/div>\r\n\r\n[caption id=\"attachment_1282\" align=\"aligncenter\" width=\"1027\"]\"\" Figure 3.83 Create a static route[\/caption]\r\n\r\n \r\n\r\n5. Verify your configuration ( FortiGate and Palo Alto)\r\n\r\n[caption id=\"attachment_1284\" align=\"aligncenter\" width=\"1029\"]\"\" Figure 3.84 Verify tunnel status[\/caption]\r\n\r\n6. You should be able to ping from WebTerm2 to WebTerm3.\r\n\r\n[caption id=\"attachment_1283\" align=\"aligncenter\" width=\"1026\"]\"\" Figure 3.85 Verify successful ping[\/caption]\r\n\r\n \r\n\r\nDocument is generated by Michael Sue<\/strong>","rendered":"
                  \n
                  \n
                  Learning Objectives<\/p>\n<\/header>\n
                  \n
                    \n
                  • Create a tunnel in Cisco router<\/li>\n
                  • Create a tunnel in Palo Alto<\/li>\n
                  • Connect a tunnel from Cisco router to Palo Alto<\/li>\n
                  • Connect a FortiGate tunnel to Palo Alto<\/li>\n<\/ul>\n<\/div>\n<\/div>\n
                    \n
                    Scenario<\/strong>:\u00a0 We are going to do a site-to-site VPN from Cisco to Palo Alto and then expand it between FortiGate and Palo Alto.<\/p>\n<\/div>\n
                     <\/p>\n
                    \"\"
                    Figure 3.65: Main Scenario<\/figcaption><\/figure>\n
                    \n\n\n\n\n\n\n\n\n
                    Table 3.16: Addressing Table<\/caption>\n
                    Device<\/strong><\/td>\nConfiguration<\/strong><\/td>\n<\/tr>\n
                    Palo Alto<\/td>\nEthernet 1\/1: 10.10.10.2\/24 \u2013 Type: Layer3<\/p>\n
                    Ethernet 1\/2: 192.168.10.1\/24 \u2013 Type: Layer3<\/p>\n
                    Management: 192.168.0.1\/24\u2013 Type: Layer3<\/td>\n<\/tr>\n
                    Router (7200)<\/td>\nG1\/0: 10.10.10.1\/24<\/p>\n
                    G2\/0: 192.168.20.1\/24<\/td>\n<\/tr>\n
                    WebTerm-1<\/td>\n192.168.0.2\/24<\/td>\n<\/tr>\n
                    WebTerm-2<\/td>\nIPV4: 192.168.10.2\/24 \u00a0 GW: 192.168.10.1<\/td>\n<\/tr>\n
                    WebTerm-3<\/td>\nIPV4: 192.168.20.2\/24 \u00a0 GW: 192.168.20.1<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
                    Zones<\/h2>\n
                    \n\n\n\n\n\n
                    Table 3.17: Zones<\/caption>\n
                    Zones<\/strong><\/td>\nInterface<\/strong><\/td>\n<\/tr>\n
                    VPN<\/td>\nEthernet 1 \/1<\/td>\n<\/tr>\n
                    Trust<\/td>\nEthernet 1 \/2<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
                     <\/p>\n
                    Cisco<\/strong><\/h2>\n
                      \n
                    1. First, configure the router with the following commands:<\/li>\n<\/ol>\n
                      \n
                      ip access-list extended Crypto_Acl\r\npermit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255\r\n\r\n\r\ncrypto isakmp policy 1\r\nencr aes\r\nhash md5\r\nauthentication pre-share\r\ngroup 5\r\n\r\n\r\ncrypto isakmp key cisco123 address 10.10.10.2\r\ncrypto ipsec transform-set TSET esp-aes esp-sha-hmac\r\n\r\n\r\n\r\ncrypto map CMAP 10 ipsec-isakmp\r\nset peer 10.10.10.2\r\nset transform-set TSET\r\nmatch address Crypto_Acl\r\n\r\n\r\ninterface Gi1\/0\r\ncrypto map CMAP\r\n\r\nip route 0.0.0.0 0.0.0.0 10.10.10.2<\/pre>\n
                       <\/p>\n<\/div>\n
                      Palo Alto<\/h2>\n
                        \n
                      1. Create a tunnel and assign the tunnel to VPN Zone<\/li>\n<\/ol>\n
                        \"Figure
                        Figure 3.66: create a tunnel<\/figcaption><\/figure>\n
                        2. Create a static route with following information:<\/p>\n
                        \n
                        Destination Address: 192.168.20.0\/24<\/p>\n
                        Interface: tunnel1<\/p>\n
                        Next Hope: none<\/p>\n<\/div>\n
                        \"\"
                        Figure 3.67: create a static route<\/figcaption><\/figure>\n
                         <\/p>\n
                        3. Create a Policy that allows the traffic from Trust Zone to VPN Zone and vice versa.<\/p>\n
                        \"\"
                        Figure 3.68: create two policies<\/figcaption><\/figure>\n
                        4. Create an IKE profile with following information:<\/p>\n
                        \n
                        Name: IKEProfile<\/p>\n
                        DH Group: Group5<\/p>\n
                        Authentication: md5<\/p>\n
                        Encryption: aes-128-cbc<\/p>\n<\/div>\n
                        \"\"
                        Figure 3.69: create a IKE Crypto Profile<\/figcaption><\/figure>\n
                         <\/p>\n
                        5. Create an IPSEC profile with following information:<\/p>\n
                        \n
                        Name: IPSECProfile<\/p>\n
                        DH Group: Group2<\/p>\n
                        Authentication: sha1<\/p>\n
                        Encryption: aes-128-cbc<\/p>\n<\/div>\n
                        \"\"
                        Figure 3.70: create a IPSEC Crypto Profile<\/figcaption><\/figure>\n
                         <\/p>\n
                        6. Create an IKE Gateway with following information:<\/p>\n
                        \n
                        Name: IKE_Gateway<\/p>\n
                        interface: ethernet 1\/1<\/p>\n
                        Local IP Address: 10.10.10.2\/24<\/p>\n
                        Peer Address: 10.10.10.1<\/p>\n
                        Pre-SharedKey: cisco123<\/p>\n
                        Advanced Options> Exchange mode: main<\/p>\n
                        Advanced Options> IKE Crypto Profile: IKEProfile<\/p>\n<\/div>\n
                         <\/p>\n
                        \"\"
                        Figure 3.71: create a IKE Gateway<\/figcaption><\/figure>\n
                        7. Create an IPSEC tunnel with following information:<\/p>\n
                        \n
                        Name: IPSEC<\/p>\n
                        Tunnel Interface: tunnel1<\/p>\n
                        IKE Gateway: IKE_Gateway<\/p>\n
                        IPSEC Crypto Profile: IPSECProfile<\/p>\n
                        Proxy ID: \u00a0 ProxyID: LocalRemote\u00a0 \u00a0 \u00a0 Local: 192.168.10.0\/24\u00a0 \u00a0 Remote: 192.168.20.0\/24<\/p>\n<\/div>\n
                        \"\"
                        Figure 3.72: create a Proxy ID<\/figcaption><\/figure>\n
                         <\/p>\n
                        8. Successful ping from 192.168.10.2 to 192.168.20.2<\/p>\n
                        \"\"
                        Figure 3.73: Verify successful ping<\/figcaption><\/figure>\n
                        9. Check status of your tunnel.<\/p>\n
                        \"\"
                        Figure 3.74: Verify tunnel status<\/figcaption><\/figure>\n
                        FortiGate<\/h2>\n
                          \n
                        1. Now, add the FortiGate device in the following diagram.<\/li>\n<\/ol>\n
                          \"\"
                          Figure 3.75: Main Senario and adding FortiGate<\/figcaption><\/figure>\n
                           <\/p>\n
                          2. Configure a custom VPN Tunnel with following information:<\/p>\n
                          \n
                            \n
                          • Remote Gateway<\/li>\n<\/ul>\n
                            IP Address: 10.10.10.2<\/p>\n
                            Interface: Port 3<\/p>\n
                              \n
                            • Authentication<\/li>\n<\/ul>\n
                              Method: Pre-shared Key<\/p>\n
                              Pre-shared Key: cisco123<\/p>\n
                                \n
                              • Phase 1 Proposal<\/li>\n<\/ul>\n
                                Encryption: AES128 \u00a0 \u00a0 \u00a0 Authentication: MD5\u00a0 \u00a0 Group: 5<\/p>\n
                                  \n
                                • Phase 2 Selectors<\/li>\n<\/ul>\n
                                  Local Address: 192.168.20.0\/24\u00a0 \u00a0 Remote Address: 192.168.10.0\/24<\/p>\n
                                  Advanced: Encryption: AES128 \u00a0 Authentication: SHA1\u00a0 Group: 2<\/p>\n<\/div>\n
                                  \"\"
                                  Figure 3.76: Remote IP address configuration<\/figcaption><\/figure>\n
                                  \"\"
                                  Figure 3.77: Pre-shared Key<\/figcaption><\/figure>\n
                                  \"\"
                                  Figure 3.78: Phase 1 Proposal<\/figcaption><\/figure>\n
                                  \"\"
                                  Figure 3.79: Local and Remote subnets<\/figcaption><\/figure>\n
                                  \"\"
                                  Figure 3.80: Phase 2 Proposal<\/figcaption><\/figure>\n
                                  3. Create a Security IPV4 Policy from Tunnel to Port2 and from Port2 to Tunnel and allow all traffic (NAT should be disabled)<\/p>\n
                                  \"\"
                                  Figure 3.81: Create two policies from tunnel to port2 and from port2 to tunnel<\/figcaption><\/figure>\n
                                  \"\"
                                  Figure 3.82: Create two policies from tunnel to port2 and from port2 to tunnel<\/figcaption><\/figure>\n
                                   <\/p>\n
                                  4. Create a static route with following information:<\/p>\n
                                  \n
                                  Destination: 192.168.10.0\/24<\/p>\n
                                  Interface: Tunnel<\/p>\n<\/div>\n
                                  \"\"
                                  Figure 3.83 Create a static route<\/figcaption><\/figure>\n
                                   <\/p>\n
                                  5. Verify your configuration ( FortiGate and Palo Alto)<\/p>\n
                                  \"\"
                                  Figure 3.84 Verify tunnel status<\/figcaption><\/figure>\n
                                  6. You should be able to ping from WebTerm2 to WebTerm3.<\/p>\n
                                  \"\"
                                  Figure 3.85 Verify successful ping<\/figcaption><\/figure>\n
                                   <\/p>\n
                                  Document is generated by Michael Sue<\/strong><\/p>\n","protected":false},"author":1562,"menu_order":4,"template":"","meta":{"pb_show_title":"on","pb_short_title":"","pb_subtitle":"","pb_authors":[],"pb_section_license":""},"chapter-type":[],"contributor":[],"license":[],"class_list":["post-1228","chapter","type-chapter","status-publish","hentry"],"part":123,"_links":{"self":[{"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapters\/1228","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapters"}],"about":[{"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/wp\/v2\/types\/chapter"}],"author":[{"embeddable":true,"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/wp\/v2\/users\/1562"}],"version-history":[{"count":25,"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapters\/1228\/revisions"}],"predecessor-version":[{"id":1348,"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapters\/1228\/revisions\/1348"}],"part":[{"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/pressbooks\/v2\/parts\/123"}],"metadata":[{"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapters\/1228\/metadata\/"}],"wp:attachment":[{"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/wp\/v2\/media?parent=1228"}],"wp:term":[{"taxonomy":"chapter-type","embeddable":true,"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapter-type?post=1228"},{"taxonomy":"contributor","embeddable":true,"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/wp\/v2\/contributor?post=1228"},{"taxonomy":"license","embeddable":true,"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/wp\/v2\/license?post=1228"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}