hostequi.blogg.se

Palo Alto Networks VPN to ASA multiple tunnels







Today I’m going to show you exactly how to configure IPSEC failover between a Cisco ASA and a Palo Alto. Let’s assume at the ASA side 20.0.3.2 is our primary WAN circuit and 20.0.4.2 is the backup circuit we have just added. I’m assuming you’ve already configured WAN failover.

Now let’s configure the Site to Site VPN:

    object network LAN
    ! Interesting traffic for the tunnel
    access-list VPN extended permit ip 192.168.3.0 255.255.255.0 object-group EASTNETWORKS
    ! NAT exemption, one statement per WAN circuit
    nat (inside,outside1) source static EASTNETWORKS EASTNETWORKS destination static EASTNETWORKS EASTNETWORKS no-proxy-arp route-lookup
    nat (inside,outside2) source static EASTNETWORKS EASTNETWORKS destination static EASTNETWORKS EASTNETWORKS no-proxy-arp route-lookup
    crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
    crypto map outside_map 10 match address VPN
    crypto map outside_map 10 set peer 20.0.2.2
    crypto map outside_map 10 set ikev1 transform-set ESP-AES-SHA
    ! Apply the same crypto map to the primary and the backup circuit
    crypto map outside_map interface outside1
    crypto map outside_map interface outside2

The Palo Alto side is going to be mainly screenshots.

First configure 2 tunnel interfaces, 1 with an IP of 172.16.0.1 and one without an IP. Put them both in the trusted zone so that VPN traffic will flow properly without rules (PAN-OS allows intrazone traffic by default, so this traffic is also not filtered by policy). We require one with an IP because we will be sourcing pings from it later. This network will be advertised to the ASA and this is NOT a route based VPN. The Cisco ASA does NOT support route based VPN.

Now create a route for the East LAN of 192.168.3.0/24 with the next hop interface as tunnel 1; this tunnel should have a normal distance of 10. Create a second route for the East LAN of 192.168.3.0/24 with the next hop interface as tunnel 2; this tunnel should have a distance of 11.

Now we need to create two IKE Gateways, one for each WAN circuit at the ASA.

Let’s finish the tunnels off by creating two IPSEC tunnels. Tunnel one will be to the main circuit of the ASA. Notice on this tunnel we use the “tunnel monitor”. This will send pings to 192.168.3.1 (the ASA’s LAN interface). These pings will be sourced from the outgoing interface, tunnel.1. This is why we needed to give it an IP and then advertise that subnet to the ASA. This way the ASA can return pings to 172.16.0.1 and the tunnel will remain up.
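A lint for the ASA half of this setup, as an added example that is not part of the original post: it checks that every crypto map entry references a defined access-list and transform-set, has a peer, and that the map is applied to both WAN interfaces so the backup circuit can carry the tunnel. The function name, the rule table and the sample config with its deliberate name mismatch are constructed for illustration.

```python
import re

# Constructed sample modelled on this post's ASA snippet; the map references
# "ESP-AES_SHA" although the transform-set is defined as "ESP-AES-SHA".
SAMPLE = """\
access-list VPN extended permit ip 192.168.3.0 255.255.255.0 object-group EASTNETWORKS
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 10 match address VPN
crypto map outside_map 10 set peer 20.0.2.2
crypto map outside_map 10 set ikev1 transform-set ESP-AES_SHA
crypto map outside_map interface outside1
crypto map outside_map interface outside2
"""

RULES = [  # (kind, pattern); keywords match in any case, names are kept as typed
    ("tset_def", r"crypto ipsec ikev1 transform-set (\S+)"),
    ("acl_def", r"access-list (\S+) "),
    ("bind", r"crypto map (\S+) interface (\S+)"),
    ("acl_ref", r"crypto map (\S+) (\d+) match address (\S+)"),
    ("peer", r"crypto map (\S+) (\d+) set peer (\S+)"),
    ("tset_ref", r"crypto map (\S+) (\d+) set ikev1 transform-set (.+)"),
]

def lint_crypto_map(config, wan_ifaces=("outside1", "outside2")):
    """Return findings for dangling references and unbound WAN interfaces."""
    seen = {kind: [] for kind, _ in RULES}
    for line in config.splitlines():
        for kind, pattern in RULES:
            m = re.match(pattern, line.strip(), re.IGNORECASE)
            if m:
                seen[kind].append(m.groups())
    tsets = {g[0] for g in seen["tset_def"]}
    acls = {g[0] for g in seen["acl_def"]}
    findings = []
    for cmap, seq, acl in seen["acl_ref"]:
        if acl not in acls:
            findings.append(f"{cmap} {seq}: access-list {acl} is not defined")
        if not any(p[:2] == (cmap, seq) for p in seen["peer"]):
            findings.append(f"{cmap} {seq}: no peer set")
    for cmap, seq, names in seen["tset_ref"]:
        for name in names.split():
            if name not in tsets:
                findings.append(f"{cmap} {seq}: transform-set {name} is not defined")
    for cmap in sorted({g[0] for g in seen["acl_ref"]}):
        bound = {iface for m, iface in seen["bind"] if m == cmap}
        findings += [f"{cmap}: not applied to {i}, no tunnel on that circuit"
                     for i in wan_ifaces if i not in bound]
    return findings
```

Run `lint_crypto_map()` over the relevant lines of a saved running-config before relying on the backup circuit; an empty list means every reference resolves and both interfaces carry the map.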







