Dec 31, 2012

How to configure a basic S2S VPN in Palo Alto


Here's a quick how-to for setting up a very simple site-to-site (S2S) IPsec VPN on a Palo Alto.
  1. Create a tunnel interface
    • Here you will also create the security zone that will be used
  2. Create the IKE Gateway and specify your tunnel’s security zone
    • Include the Peer address and your outside interface
  3. Create your IKE crypto policy
  4. Create your IPSEC crypto policy
  5. Create a new IPSEC Tunnel using the IKE/IPSEC Crypto policies you made.
    • Also create under this any Proxy IDs you may require to conform with a Cisco IPSEC VPN.  They're very similar to the policies you might create on a NetScreen.
  6. Create 2 new policies for the inbound and outbound traffic via the S2S VPN.
    • These are typically the local and remote destination networks.  You need to put them in twice for inbound and outbound permissions.
  7. Add the tunnel interface to the default virtual router and add the static routes to your remote network via your tunnel interface.
Remember that when creating an S2S VPN with any Cisco device, you will need to use Proxy IDs.  They mimic the ACLs that Cisco uses to define interesting traffic and are needed during the initial Phase 2 (P2) negotiation; if they don't match the Cisco side's ACL, P2 will not come up.

Enjoy!  Let me know if there are any questions.

- David Pagán

Dec 24, 2012

Port Redirection on Cisco ASA 5500 (8.4 Code)


I figured I would make this one of my first posts, since this is a recent change I made on my network.

How to do Port Redirection on a Cisco ASA running code train 8.4.x

First you need to identify your internal host and create an object to it:

object network obj-10.10.10.170
 host 10.10.10.170
!

Next you need to create the object for your outside NATted address:

object network obj-20.20.20.170
 host 20.20.20.170
!

Now you create the actual internal port that you are redirecting.

object service obj-tcp-8080
 service tcp source eq 8080
!

Next we'll create the service object for the external port that will be presented on the NATted address.

object service obj-tcp-80
 service tcp source eq 80
!

Once this is all complete, we mesh everything together into a single twice-NAT statement like this:

nat (inside,outside) source static obj-10.10.10.170 obj-20.20.20.170 service obj-tcp-8080 obj-tcp-80


With this complete we have successfully created a port mapping.  As with any other static NAT, make sure it is placed before the dynamic NAT for all other traffic: the ASA evaluates manual NAT rules in the order they appear and uses the first match, so a catch-all dynamic rule listed first would swallow this host's traffic.  Like so:

nat (inside,outside) source static obj-10.10.10.170 obj-20.20.20.170 service obj-tcp-8080 obj-tcp-80
nat (inside,outside) source dynamic any interface description DEFAULT_NAT

You can confirm that the configuration was successful by checking your xlate table.

asa5510# show xlate
TCP PAT from inside:10.10.10.170 8080-8080 to outside:20.20.20.170 80-80
    flags sr idle 0:22:33 timeout 0:00:00
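As an added example (not from the original post), here is a small Python sanity check that reads a running-config excerpt like the one above, confirms the static port-forward rule precedes the catch-all dynamic rule, and parses the `show xlate` line to confirm the 8080-to-80 mapping. The config and xlate text are constructed samples copied from this post; the ASA first-match rule order is the only behaviour assumed.

```python
"""Sanity-check an ASA 8.4 port-redirection (twice NAT) config and its xlate entry."""
import re

# Constructed sample: the NAT section as it should appear in the running config.
NAT_CONFIG = """\
nat (inside,outside) source static obj-10.10.10.170 obj-20.20.20.170 service obj-tcp-8080 obj-tcp-80
nat (inside,outside) source dynamic any interface description DEFAULT_NAT
"""

# Constructed sample: the 'show xlate' output quoted in the post.
XLATE_OUTPUT = """\
TCP PAT from inside:10.10.10.170 8080-8080 to outside:20.20.20.170 80-80
    flags sr idle 0:22:33 timeout 0:00:00
"""

NAT_RE = re.compile(r"^nat \((?P<ifaces>[^)]+)\) source (?P<kind>static|dynamic) (?P<args>.+)$")
XLATE_RE = re.compile(
    r"^(?P<proto>TCP|UDP) PAT from (?P<real_if>\w+):(?P<real_ip>[\d.]+) (?P<real_port>\d+)-\d+ "
    r"to (?P<mapped_if>\w+):(?P<mapped_ip>[\d.]+) (?P<mapped_port>\d+)-\d+$"
)

def parse_nat_rules(config):
    """Return the manual NAT rules in configuration order as (kind, args) tuples."""
    return [(m["kind"], m["args"]) for line in config.splitlines()
            if (m := NAT_RE.match(line.strip()))]

def static_before_dynamic(rules):
    """Manual NAT is first-match, so no static rule may appear after the first dynamic one."""
    kinds = [kind for kind, _ in rules]
    if "dynamic" not in kinds:
        return True
    return "static" not in kinds[kinds.index("dynamic"):]

def parse_xlate(output):
    """Return (real_ip, real_port, mapped_ip, mapped_port) for each PAT entry in the output."""
    return [(m["real_ip"], int(m["real_port"]), m["mapped_ip"], int(m["mapped_port"]))
            for line in output.splitlines() if (m := XLATE_RE.match(line.strip()))]

def check_redirect(config, output, real_ip, real_port, mapped_ip, mapped_port):
    """True only if rule order is correct and the xlate table shows the expected mapping."""
    ordered = static_before_dynamic(parse_nat_rules(config))
    present = (real_ip, real_port, mapped_ip, mapped_port) in parse_xlate(output)
    return ordered and present

if __name__ == "__main__":
    print(check_redirect(NAT_CONFIG, XLATE_OUTPUT, "10.10.10.170", 8080, "20.20.20.170", 80))
```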


Hope this is helpful to others.  I got a lot of useful information from this link: https://supportforums.cisco.com/thread/2169361.

Thanks

David P.

Welcome to The Network of Innovative Engineers BlogSpot!


First an introduction:

Network of Innovative Engineers (NIE) is a new kind of consulting company that plans to place low-, mid- and high-level administrators and engineers by networking with other engineers in IT infrastructure positions.  What differentiates us from other companies is that we build close relationships with all our engineers, which allows us to work together and keep connections across multiple industries.


The way we would like this blogspot to work is to discuss and open up conversation on many of networking's best practices and the techniques used in the real world.  We'll often bring up challenges we face in our everyday jobs and projects.  Feel free to chime in and give us your ideas on other techniques to use as well.

Thanks for visiting!

David P.