Cisco ASA as a VPN concentrator

arpitshrm84
Level 1

Hi Guys,

We are migrating our DC firewalls from ASA to Palo Alto. We will be moving the whole configuration to the PA except the SSL Client VPN.

We want to use the ASA just for AnyConnect, and all the rest of the functionality should be on the PA. Since all firewalls in our environment are ASAs and we'll be migrating to PA phase-wise, our plan is to keep AnyConnect at all the locations, including this one, till full migration.

Can someone help me with how this can be done?

Thanks

3 Replies

balaji.bandi
Hall of Fame

You can leave the VPN-based config as is on the ASA and migrate the rest.

But you need to re-IP the Palo external side IP, since the ASA is already using the same IP address.

Other than that, you can build the configuration on the Palo and deploy it along with the ASA in the network.

BB


Thanks for your response.

Can you please suggest the steps involved, as I'll be doing this for the first time?
Also, I have to connect the ASA and the PA with a P2P link. Am I right?

Create a DMZ interface on the Palo Alto where you connect the ASA, either directly or via a switch with a DMZ VLAN. Create a NAT rule for the ASA's outside interface to a public address on the Palo Alto outside interface; it could even be the same address formerly used by the ASA. Create an ACL entry on the Palo Alto allowing incoming HTTPS traffic to the ASA to service the SSL VPN users.
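
The three steps in the last reply, sketched as PAN-OS configure-mode `set` commands. This is an added example, not part of any reply in the thread; the interface `ethernet1/3`, the zone names `untrust` and `DMZ-VPN`, the virtual router `default`, the object and rule names, and every IP address are assumptions chosen for illustration.

```text
# Step 1: DMZ interface and zone facing the ASA (constructed addressing).
# The ASA's outside interface would sit in this subnet, e.g. 172.16.50.2,
# with its default route pointing at 172.16.50.1.
set network interface ethernet ethernet1/3 layer3 ip 172.16.50.1/24
set network virtual-router default interface ethernet1/3
set zone DMZ-VPN network layer3 ethernet1/3

# Address objects: the public VPN address clients connect to, and the
# ASA's new outside address in the DMZ (both constructed).
set address asa-vpn-public ip-netmask 203.0.113.10/32
set address asa-outside-dmz ip-netmask 172.16.50.2/32

# Step 2: destination NAT from the public address to the ASA.
# NAT rules match on pre-NAT zones, so both "from" and "to" are the
# zone that owns the public address.
set rulebase nat rules asa-anyconnect-dnat from untrust to untrust source any destination asa-vpn-public service service-https destination-translation translated-address asa-outside-dmz

# Step 3: security rule allowing inbound HTTPS to the ASA.
# Security rules use the pre-NAT destination address but the post-NAT
# destination zone, so the zone is DMZ-VPN and the address is the public one.
set rulebase security rules allow-anyconnect-https from untrust to DMZ-VPN source any destination asa-vpn-public application any service service-https action allow

commit
```

The `#` lines are annotations for the reader, not commands. If DTLS is enabled for AnyConnect on the ASA, the clients also try UDP 443 and fall back to TLS over TCP 443 when it is not permitted, so the NAT and security rules above carry TLS-only sessions as written.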