Let's Talk About Palo Alto - Site to Site VPNs with Cisco Router

Captions
How's it going, everybody? In this video we're going to take a look at our next topic on the Palo Alto firewall, which is going to be the site-to-site VPN. This is one of the features on the Palo Alto that we'll be able to test; it's more advanced, and it doesn't require a license. GlobalProtect does require a license. So I'll walk you through the config, because I've demoed it out just to see if it would work, and it kind of works, but I'll go into more detail on that later.

The way that the VPN process works on the Palo Alto firewall is no different than it does on a Cisco box: very similar operations and things like that. So I'm not going to go into the nitty-gritty details of how site-to-site VPNs really work, because I've covered that countless times on the channel already. If you want to know how site-to-site VPN works, go and check out some of the older content that's on here; search for VPN on the channel and you'll find them. I've covered a lot of site-to-site VPN. So that's basically where we're at with that.

What I'm going to do is walk you through what needs to be configured in order for this to work between a router and a firewall. We're going to do a little bit of initial configuration, but we'll start on the Palo Alto. We'll get the Palo Alto up and running and configured, then we'll focus on the Cisco router config and get it all squared away, and then we'll work on getting follow-on operations up and running.

So let me go ahead and bust out my pen tool real quick and let's dive into this. The process is actually very simple. You take a PA firewall, and you take a Cisco router, and you have some sort of internet connectivity here in the middle, whatever that might be. It could be the internet, it could be anything else, 4G LTE; us engineers, we don't care. But behind it there's going to be something that we need to connect, so we have some sort of LAN. We're going to do LAN 1 and we're going to do LAN 2. This is going to give us the ability to play around with a lot of different features.

The way that you want to do this is, obviously, you're going to need your phase 1 communication, which is going to be the communication from control plane to control plane. This is going to be your encryption, your authentication, your group, your hash, all that type of stuff; that doesn't change between the routers at all. You also have your phase 2, right? This is going to be the data plane, so I'm going to draw a tunnel here. This is going to be phase 2, and your data plane traffic is going to flow like so; it's going to be LAN-to-LAN communication.

Now, when it comes to the way that the PA does it, there's an extra step: what's called the IKE gateway, and there's also the IPsec tunnel, and this allows it to do route-based tunnels. So if we wanted to, we could run a dynamic routing protocol over the PA firewall. We're not going to demo that, but we could if we wanted to. But the idea with the way that PA works is: you configure your phase 1 config, then you do your phase 2, you set up your IKE gateway, then you have to set up your communication for the IPsec tunnel, then you have to go in and do a fifth step, and actually allow the communication from the firewall over the VPN, access and all that type of stuff. So there are a number of additional steps that need to happen in order for this to work; it's not clean. So I'm going to do my best to try to get it to work. The few times that I've demoed it, I always miss little minor details, because I don't have it memorized like I do on a Cisco router. There are actually fewer moving parts on a router, and even on an ASA firewall, than there are for Palo Alto. Palo Alto requires a security policy in order to allow the traffic between the zones and to allow the traffic to come in on the box. So there are a number of additional steps that we're going to have to go through. We're going to start with the VPN stuff, then we'll work on the policies, and then the static routing and all that type of stuff as we go along. So it's going to take us a little bit to get through this video; that's why I'm not spending a ton of time on the concepts and am focusing more on the implementation.

So let's go ahead and dive into this config. I'm going to get out of the way and pull up our firewall here. If you click on Network and you expand Network Profiles, there are a number of them here, and we can see that there are a couple already in place: IKE, or phase 1, profiles. If we wanted to use them, we could. I am actually going to click on this guy here and delete all of them. Yes, delete them all. I don't want to have any of these crypto profiles here, because I don't want there to be any overlap between the profile that I'm creating and the profile that the Cisco router will have.

So we're going to add a crypto profile, and we're going to call this "ike phase 1". Let me go ahead and do this. The DH group we're going to add here is going to be group 5, the authentication we're going to use is going to be SHA-1, and the encryption we're going to use is AES-128. We don't have to do anything additional with the lifetime, because the default of eight hours is fine. So I'm going to click on OK there; that's IKE phase 1. Then we're going to go to phase 2, here at the IPsec Crypto profile. We're going to delete all those guys, yes, and we're going to add in our own, and we're going to call this "ipsec phase 2".

The protocol will be ESP for the actual encryption of the data, and then we're going to tell it what level we're going to use. We're actually going to use AES-256-CBC. The reason why I'm doing that versus 128 is because with the IKE crypto profile, or phase 1, we're using AES-128, so that's going to give me the ability to recognize the difference between phase 1 and phase 2. It has absolutely nothing to do with how the actual VPN will work; I'm just choosing to use a stronger encryption as the actual data plane encryption than 128. 256 is just a little bit stronger, but the "two" of phase 2 comes into play with the 256. It's my weird way of correlating.

And then authentication. This technically isn't authentication; so it is, but it isn't. Authentication, obviously, is like if we meet in person: I tell you that I'm going to be wearing a blue shirt and blue jeans, and I show up wearing a green shirt and blue jeans, you're going to be like, "I don't think that's Rob." Whereas integrity is: if you send me a message and I check that message, and I'm not sure if you messed with it, there's a way for me to detect whether it was, through hashing. Back in the day, you'd take an envelope, you'd write a letter, and you'd take a wax seal and stamp the seal on the envelope, and if the seal was broken you knew that something had been tampered with. No different than, hey, I have this conveniently placed bottle of Frank's RedHot right here. When I bought it there was a seal on this; if the seal is broken, which it is, I can open it. I've used a little bit already. If the seal is broken, I know this might have been tampered with and I don't want to use it. So that's the authentication piece, which you really should rename to be integrity. So the integrity we're going to add in here is just going to be SHA-1.

Now over here, this happens by default with the Diffie-Hellman group: this is going to be PFS. If you don't turn PFS on, it'll automatically send group 2, right, by default. Cisco routers don't do it, and the first time I demoed this I was like, why is this not working? I had to dig into the logs, and it was just a big pain in the neck, and I realized that you can just turn this off. So no PFS; we don't need PFS. It's good if you want to prevent anti-replay and things like that, but for right now we don't need it. It basically would just rehash everything if the VPN went down, basically like a brand new spin-up. So we're going to go ahead and click on OK there, and now we have phase 2.

The next thing we have to do is the IKE gateway. Under IKE Gateways we're going to go ahead and add one, and in here we're going to call this "ios 8 gateway", and then we're going to be using IPv4 only. There is the option of doing IKEv2 as well, or IKEv2 preferred; if you choose this one right here, it'll make five attempts to do IKE version 2 and then it'll fall back to IKEv1. We're just going to roll IKEv1 out of the gate. The interface that we're going to be tying this to is going to be ethernet1/1. The local IP address that we're going to be mapping this to is going to be 101.0.0.10. The peer IP address on the remote side is going to be, this should be, 108.0.0.8. And it's going to be a pre-shared key, so I'm going to come in here and type in cisco123 and confirm the pre-shared key, cisco123. OK. Local identification: if we were using IKE version 2, we could say the local identification is going to be an IP address, an FQDN, all that type of stuff. We're not going to be doing any of that. Underneath the advanced options, we're going to enable NAT traversal, because by default on a Cisco box it's turned on, with the UDP NAT translations and all that. The exchange mode we're going to choose is main mode, and we're going to turn off dead peer detection, because by default it's not turned on on the other side either. We could turn it on, but we're turning off a lot of the things that aren't on on the other side. And then, if we want to do the crypto profile, we're going to go ahead and grab the crypto profile there to tie it here, so we know what's what. So we're going to go there. I'm going to go ahead and click on OK, because you've got to remember, if we had the default or one of the other profiles, we'd need to make sure that we associate that. I'm going to go ahead and click on OK. So that gives us our IKE gateway.

What I'm going to do now is, I have to scroll up a little bit to the IPsec Tunnels. Now the IPsec tunnel: we're going to go ahead and add a tunnel. The name is going to be "ipsec 2 ios 8". The tunnel interface that we're going to be tying to, we don't have one currently set up, so we're going to click on Tunnel Interface. I'm going to come in here and I'm going to call this tunnel 18, between Palo Alto 1 and router 8. The virtual router this is going to tie to is going to be the default virtual router, and the security zone: I don't actually have a security zone for that set up yet, so I need to create one. I'm going to click in here and go Zone, and call this "vpn". OK. I'm going to go ahead and click OK there. You could use, I haven't tested it, if you map it to the internet or the outside security zone; I've always created a new zone and mapped it to it and gone that route. The IPv4 address on this side: we're going to add one, and we're going to give it an IP address of 10.1.18.8/24. Actually, let me just do 10.1.8.8/24; there we go. So that's going to be able for me to communicate between Palo Alto 1 and IOS 8.

I'm going to go ahead and click on OK. The IKE gateway that we're going to be using: we're going to click in here, we have "ios 8 gateway". The IPsec crypto profile that we're going to be tying here is going to be "ipsec phase 2", and if we click on Proxy IDs, we don't have any information in there to give, so we're going to go ahead and click on OK. If we wanted to do a manual key, we could add a manual key in here, but we're not going to do that, because it'll automatically generate the security parameter index for us. We're going to click on OK and then we're good to go there. Right now the VPN tunnel is down. OK.

The next thing we want to go do is, we have to click on Policies, and on Security policy we need to create a policy to allow the communication between what we want to talk to, and all that good stuff. So I'm going to go ahead and create a new policy. I'm going to call this the "vpn policy"; it's going to be an interzone policy. The source zones: we're going to call the dmz-ios5, we're going to call the dmz-ios4, we're going to call inside-subinterface and inside, all that. And we're going to go ahead and set the destination zone to be vpn. So that's where we're going, and that's basically where we're going back and forth from. In other words, from the source we're going to have traffic coming from all the connections attached to the Palo Alto firewall going to the vpn zone, and vice versa. So as long as that information is coming back and forth, you know, traffic will be either coming from or going to, and if we need to we can always add this in here. This is one of the few places where I'm like, OK, I'm not a hundred percent sure if that's always needed or not, but for right now we're good to go with what we have. And then I'm going to click on the Service: we're going to allow everything. The action is going to be allow, and we're going to click on OK. All right, so we have all that squared away. I'm actually going to move this all the way to the top, because I want to see when it gets hits. And I'm going to go ahead and commit this config, and Commit there. We're going to give that a couple of moments to do its thing. I'm going to pause the video. Actually, I have some other work to do; let me go ahead and pull up these routers.

Under IOS 8, we're going to come up here, go into global config, hostname is going to be ios8, and then on interface gig 0/0, the IP address is going to be 108.0.0.8/24. I'm going to no shut this guy. Interface gig 0/1, the IP address is going to be 10.2.10.8/24. Actually, let me just go ahead and give it a .1, because that will mess me up down the road. Actually, you know what, I'll say .8. Yeah, I'll do that; that one's fine. We're going to no shut this interface. Our firewall should be just about done doing its deployment; minimize that. So we've got that in play for us, and then we're going to type in router eigrp 1. Oh, there's... I forgot one step on the Palo Alto. We'll type in network 10.2.10.0 /24.

And then router 10: do the same thing, type in hostname ios10, and then interface gig 0/0, IP address of 10.2.10.10/24, no shut the interface. I'm going to come in here and type interface loopback 0, IP address of 10.2.0.10/32. Well, let's do /24. I'm going to type in router eigrp 1, network 10.0.0.0 0.255.255.255. That'll form us an EIGRP adjacency with router 8, and it does, so we're good to go there. Do show ip route; we're good to go there.

Now the firewall should be done with its deployment. What I need to do is come over here to Network, Virtual Routers, and I need to come underneath this guy and create a static route that says, in order to get to 10.2.0.0/16, I need you to point out to the destination of 10.1.8.8, which is going to be the other end of the tunnel. So I'm going to have to create a tunnel on the router as well. The interface that we're going to be going out is going to be tunnel.18, the next hop... the destination, sorry. Anyway, one of these days I'll get it right. So this guy here, we'll call it "site 2 subnets". The destination is going to be 10.2.0.0/16. The interface we're going to point out is tunnel.18, the IP address is going to be 10.1.8.8, and we're going to go ahead and click on OK. That's our default route, so we've got a more specific route; that should send traffic over the VPN tunnel. OK, I'm going to go ahead and click on OK and I'm going to go ahead and commit that. So that should be all I need to really worry about there.

I'm going to have to go underneath here, and I need to create an ip route 0... sorry, 10.1.0.0 255.255.0.0 10.1.8.1. That's going to configure my default route to wherever I've got to go. Underneath router eigrp 1, we're going to type in redistribute static, and we're going to specify a metric value of some high value like that. I'm also going to create an ip route, a default one, to 108.0.0.1. And once this guy is completely squared away there, OK, he's got everything up and running to this point, which is good. I'm going to come back over here to the IPsec tunnels, and you're going to see that the IPsec tunnel is going to stay down. The status is online, which means it should be working, but it's not passing any traffic yet, and that's expected.

If I was to pull up SecureCRT and look at this, go ahead and log into him real quick. Let me go on the inet router real quick as well, and I need to configure interface gig 4, IP address of 108.0.0.1/24, no shut it, and then ip nat inside, and I'm going to type in ip access-list standard nat and permit 108.0.0.0 /24. There we go. Write that config. So now when I go back up to the Palo Alto firewall, and I ping a host from a source, say ping source 101.0.0.10 to a host of 108.0.0.8, I should get ping replies. So what this basically tells me, from an underlay perspective, or from an internet connectivity perspective, is that Palo Alto 1 can ping router 8, because I know I can ping it; that means that I have internet reachability, or simulated internet reachability.

The next thing I'm going to do is, back on IOS 8, I'm going to come in here and I'm going to type in the crypto... I want to pull up the firewall and I want to go back to the variables that I've put in here, so we know what we're going to be configuring. crypto isakmp policy 10. I'm going to use the authentication of pre-share. The encryption we're going to use is going to be AES, and we're going to be using 128; 128 is the default. The group we're going to be using is 5. The authentication, or I should say the hash, is going to be sha. And we're good to go there. Now I need to come in here and type in crypto isakmp key; the value is going to be a clear-text key, and we're going to use cisco123, to an address of, I'm going to be specific here, I'm going to type in 101.0.0.10.

The next thing I need to do is come back over to the firewall, click on the IPsec crypto, and look at the values that are up here. So I need to come in here and type in crypto ipsec transform-set tset, with esp-aes 256 as my encryption and esp-sha-hmac as my integrity check. And there we go.

Now the next thing that I need to do: we're not configuring crypto maps at all, no crypto maps here. What we need to do is, I need to create a crypto profile, and then I'll create another tunnel on this router, and this will be the IPsec IPv4 tunnel. So I need to come in here and type in crypto ipsec profile; I'm going to call that "profile". Underneath here I'm going to type in set transform-set tset, and then I'm going to exit out of here and type in interface tunnel 18. Tunnel source is going to be gig 0/0, the tunnel destination will be 101.0.0.10, the tunnel mode will be ipsec ipv4, and the IP address here will be 10.1.8.8/24. And I'm going to type in tunnel protection ipsec profile profile, and assuming that I've done everything correctly, the tunnel should come online and we should be good to go. So everything worked out in that respect: ISAKMP came on right there, and the line protocol on the tunnel came up. So that means I should be able to do a show crypto isakmp sa, and I have an active tunnel. Coming into show crypto ipsec sa, I haven't actually started passing any traffic, but the tunnel is up. If I go back over here to IPsec Tunnels, the tunnel is now online. So if I come in here and I go to, say, IOS 10, and I do show ip route, theoretically speaking I should be able to ping... let me go ahead and cancel that ping... 10.1.10.10.

If everything works out I should be able to ping. Let's see why... let's see what IOS 8 has here for show ip route. I have a static route going over. Let me go ahead... can I ping 10.1.8.1? OK, that's right, I can't ping from there. So let me go over here, hit the up arrow, and we're going to do this ping from a source of 10.1.8.1 to a host of 10.1.8.8: "cannot assign requested address". So, show interface tunnel.18. Oh, did I seriously do that? I did. Hold on, let me go to the IKE gateway... did I seriously give... no, I couldn't have done something that dumb. Tunnel 18, interfaces, tunnel: I did give this guy .8. Why did I do that? Let me go give this a different IP; let me go ahead and change this to be .1. That's my mistake, guys, sorry about that. Let me go ahead and click on OK and commit that config. I know it works, so I'll pause and we'll come back here in a second.

OK, so I've updated that interface. So if we come down here, go ahead and try to do that one more time, and we can ping across now, which is good. So now we can ping across. If I go back to router 10 and try to do that ping again, hopefully it'll work. Let's do Ctrl-Shift-6; let's ping 10.1.17.17, because this should all point back to here. Let's do a show ip route; I do have a default. Let's ping... am I receiving any traffic? Come over to the Monitor, and we have IKE and ESP coming across, which is what we want to see, so we know we're good to go there. So that's working. If we wanted to, we're connected to all these links, so they theoretically should just be coming up. Let me see if I can't ping from, this is win10-1, let me go ahead and ping 10.2.10.10. OK, I can ping across the wire, so this guy is obviously responding. If we do a show ip interface brief, we're pinging this IP; if we ping 10.2.0.10, that also responds, so we know the VPN's working. Did I not put in that firewall rule to allow the traffic to communicate? I may not have; that could be. But if we come back over here to the Network tab and the IPsec tunnel, and we go to Tunnel Info, we can see traffic is being encapsulated and decrypted, so we know that it's working, right? If we come back over here to router 8 and we do a show... sorry, show crypto ipsec sa, we're going to see the traffic is being encrypted, so we know the VPN's working. If we were to come in here and do a pipe include pkts, that's basically the breakdown.

So if I come over to router 10, and I go to global config and line vty 0 4, login local, and transport input all, and I also type in ip http server and ip http authentication local, username rob privilege 15 password cisco. Now if I come back over here to this guy and I open up a web browser and I plug in 10.2.0.10, I should get a pop-up for login credentials, which I do, which means I'm going to type in rob and cisco, which means the VPN is working: I can reach IOS 10. And if I pull this open and I telnet to 10.2.0.10, I get login credentials for router 10. So that just proves to you that the VPN's working: I'm coming from Windows 10, I'm coming here, I'm jumping across the VPN tunnel and dropping on router 10.

So there is a secure tunnel between Palo Alto 1 and IOS 8, and we can definitely tell that it's working, because we come back over here and we have packets being incremented. So we know that it's working the way that we expect it to, which is a good thing, because if it wasn't, that'd be a bad sign. Which also means that if we come back over here to the firewall, we click on our Policies, and we look at Security for the vpn policy, we scroll this bad boy over, we should see a bunch of hits; we have 14 hits there. And if we look at the Monitor tab, we have active connections, we have SSL, we have 10.1.10.10 to 10.2.0.10, which is the loopback address of IOS 10, which means that all of our communication is working the way that we need it to.

So can we take this a step further and add dynamic routing? We could. I haven't tested that out yet; that's something that's coming up in the near future. I'll test that out now that I have it running. You'll notice that a lot of the stuff that we're doing, I'm not deleting many of the profiles; I'm keeping everything we've got going, just to show you that the capabilities can run. It's not "configure something, delete it, configure something, delete it." I'm compounding the config as I go, but I'm testing out individual features, so theoretically speaking, one thing doesn't technically overlap with another, for the most part. But this is working the way that we would expect it to. We'll take a look at GlobalProtect as well, for remote access VPN, in an upcoming set of videos. But for right now, as far as I'm concerned, we are in the clear. We've got going on what we need to have going on in order for this to work. Until next time, guys, thanks so much for stopping by.

Actually, you know what, let me do one more test. From 17 I should be able to ping 10.2.0.10, and there, that worked. OK. And so from 10 I should be able to ping 10.1.17.17... OK, so I think I know what the problem is here. So this is a unidirectional issue. OK, so if we come over here to the policy and we click on the vpn policy, the source is saying anything from any one of these to the destination of vpn. But vpn is the source, not the destination. So if we were to come in here, we add vpn to this, and then for the destination we add in dmz, this is the one thing I forgot to do earlier, inside and sub-interface. We've added all of these. I'm going to go ahead and click on OK, I'm going to commit this, Commit, and I will pause while that finishes. By adding vpn in with inside, now we're saying it's not just the inside of Palo Alto 1 to the vpn, allow that flow, or I should say, not just that traffic; I want you to allow this traffic as well.

All right, with that applied, I should be able to come back over here and ping, and the ping works now. So if I was to telnet... if I was to ping 10.2.0.10 now, that would work as well. If I was to telnet to 10.1.17.17... oops, Ctrl-Shift-6 on that one, Ctrl-Shift-6 X. I have to wait. Bummer, dude, but you get the point. So if we do that one more time, the telnet should work; we should be able to log in, and I can type in the right password, obviously. Boom. So we're telnetted in. So that just goes to show you that the communication does work. We go back to Network and IPsec Tunnels, and we click on the Tunnel Info, and we are definitely passing traffic back and forth, which means that we're working, doing what we need to do.

So that being said, now for real this time. Now that I've updated the policy, let's go back to the policy and just rehash what we took a look at on the vpn policy. We go ahead and get out of the way, click on this guy: we're saying if the source is vpn, sub-interface, inside, dmz-ios4 or 5, and/or the destination is dmz-ios4, 5, inside, sub-interface, or vpn, allow the communication. We're going to allow anything to come across; we don't care what it is, allow all the communication to happen. But it's bidirectional communication, so the policy was restricting us from communicating from router 10 to upstream, because we were doing kind of a unidirectional flow. So keep those things in mind as you're going forward. That being said, ladies and gentlemen, again, thanks for stopping by and we'll catch you guys in the next video.
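The router side of the tunnel, consolidated in one place. This is an added reference example written for this page, not the video's own config and not a Palo Alto Networks or Cisco reference configuration. The addresses, names, algorithms and routes are the values spoken in the video; the interface naming, the ISAKMP `lifetime`, the MTU/MSS settings and the EIGRP redistribution metric are assumptions and are marked as such in the comments.

```cisco
! ADDED EXAMPLE (not the video's running-config): IOS 8 side of the
! route-based IPsec tunnel to Palo Alto 1 (ethernet1/1 = 101.0.0.10).
! Lines marked ASSUMED are choices made for this page, not from the video.
hostname ios8
!
interface GigabitEthernet0/0
 description underlay toward the inet router (108.0.0.1) and Palo Alto 1
 ip address 108.0.0.8 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1
 description LAN 2 toward ios10
 ip address 10.2.10.8 255.255.255.0
 no shutdown
!
! Phase 1 (IKEv1, main mode). Must match the PAN-OS "ike phase 1" IKE
! crypto profile exactly: AES-128, SHA-1, DH group 5, pre-shared key.
! NAT-T is on by default in IOS, which is why it was enabled on the
! PAN-OS IKE gateway; DPD was left off on both ends.
crypto isakmp policy 10
 encryption aes 128
 hash sha
 authentication pre-share
 group 5
 lifetime 28800
! ASSUMED: 28800 s aligns with the PAN-OS default key lifetime of 8 hours
! (IOS defaults to 86400 s). Peer identity is the firewall's ethernet1/1.
crypto isakmp key cisco123 address 101.0.0.10
!
! Phase 2. Must match the PAN-OS "ipsec phase 2" IPsec crypto profile:
! ESP, AES-256-CBC, SHA-1. Tunnel mode is the IOS default for a VTI.
crypto ipsec transform-set tset esp-aes 256 esp-sha-hmac
 mode tunnel
!
! No "set pfs" here. PAN-OS defaults the IPsec profile DH group to group2
! (PFS on), so the firewall side was set to no-pfs; with mismatched PFS
! the phase 2 proposals never match and the tunnel stays down.
crypto ipsec profile profile
 set transform-set tset
!
! Static VTI: any-to-any traffic selectors, which is what PAN-OS
! negotiates when the IPsec tunnel has no Proxy IDs configured.
! 10.1.8.8 is this end; the firewall's tunnel.18 is 10.1.8.1.
interface Tunnel18
 ip address 10.1.8.8 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 101.0.0.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile profile
! ASSUMED: ip mtu / adjust-mss keep ESP-encapsulated TCP segments from
! fragmenting on a 1500-byte underlay.
!
! Routing: LAN 1 (10.1.0.0/16) via the firewall's tunnel address, a
! default route to the inet router for the IKE/ESP underlay, and the
! static redistributed into EIGRP so ios10 learns the remote site.
ip route 10.1.0.0 255.255.0.0 10.1.8.1
ip route 0.0.0.0 0.0.0.0 108.0.0.1
router eigrp 1
 network 10.2.10.0 0.0.0.255
 redistribute static metric 10000 100 255 1 1500
! ASSUMED: the video only says "some high value" for the metric.
```

On the firewall side this pairs with tunnel.18 at 10.1.8.1/24 in the vpn zone, a static route for 10.2.0.0/16 out tunnel.18 to next hop 10.1.8.8, and a security rule that lists the vpn zone in both the source and the destination (or two rules, one per direction). The unidirectional-policy problem at the end of the video is exactly that: PAN-OS evaluates the rule on the initiating direction of each session, so traffic that router 10 initiates toward LAN 1 arrives in the vpn zone and needs vpn as a source zone, which a rule with vpn only as destination never matches. Two practitioner caveats the lab glosses over: `crypto isakmp key` sits in the running-config in clear text unless type-6 encryption is enabled (`key config-key password-encrypt` plus `password encryption aes`), and a short dictionary word like cisco123 is fine for a lab but not for a real peer; and IKEv1 main mode with SHA-1 and DH group 5 is legacy, so for production prefer IKEv2 with AES-256-GCM (or AES-CBC with SHA-256), DH group 14 or higher, and PFS enabled on both ends rather than disabled.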
Info
Channel: Rob Riker's Tech Channel
Views: 1,855
Keywords: Palo Alto, firewall, security, network, VPN, virtual private network, site to site, S2S, L2L, IKE, IPSEC
Id: mxe0-1E1nOw
Length: 35min 32sec (2132 seconds)
Published: Mon Sep 07 2020