IPSec site to site - ASA dynamic and Palo Alto static

networkops3 (Level 1)

Has anyone had any experience with the following:

I have an ASA 5510 at a branch location and I'm trying to set up an IPsec S2S between the two. The ASA gets its external address from the provider via DHCP and the Palo Alto is static.

When configuring the Palo end, I set the peer device as dynamic. However, it still requires an identifier, either an IP address or an FQDN. Is there a way of setting up an FQDN within the ASA, e.g. something@mycompany.com, so the Palo can use this?

4 Replies

Shakti Kumar (Cisco Employee)

Hello networkops3,

FQDN is generally used in the case where the authentication is via certificate; in the case of authentication via pre-shared key, we generally use the IP address as the identity.

You can look at the current identity set on the ASA from the output of

sh run all crypto isakmp

Please consider other tunnels as well, since making any changes to the identity might affect other tunnels.

Please mark as correct if helpful.

Thanks,

Shakti

Hi Shakti,

Using the IP address is not an option, as there is no guarantee of retaining that IP since it's DHCP. In the end I used: crypto isakmp identity hostname.

This worked after leaving the ASA disconnected and getting a new IP from the ISP.

Hi,

Try this:

pr-fw01(config)# crypto isakmp identity ?

configure mode commands/options:
  address   Use the IP address of the interface for the identity
  auto      Identity automatically determined by the connection type: IP
            address for preshared key and Cert DN for Cert based connections
  hostname  Use the hostname of the router for the identity
  key-id    Use the specified key-id for the identity
pr-fw01(config)# crypto isakmp identity k
pr-fw01(config)# crypto isakmp identity key-id ?

configure mode commands/options:
  WORD  key-id string
pr-fw01(config)# crypto isakmp identity key-id "peer_identified"

Andrea
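As an added worked example (not configuration posted by anyone in this thread), here is the ASA side of the branch setup described above, written in ASA 8.4+ syntax: the ASA's outside address comes from DHCP, the Palo Alto is static (assumed to be 203.0.113.10), and authentication is by pre-shared key. The ISAKMP identity is set to key-id, one of the four options Andrea's "?" output lists (address, auto, hostname, key-id; there is no user-FQDN/e-mail form, so something@mycompany.com cannot be sent by the ASA). With key-id the ID payload carries a fixed opaque string rather than whatever address the current DHCP lease gave the ASA, and the same string is entered on the Palo Alto IKE gateway as the Peer Identification of type KEYID alongside peer address "dynamic" and the same PSK. The hostname identity the original poster used instead sends an FQDN-type ID built from the ASA's hostname and domain-name and would need the FQDN type on the PA. Interface names, prefixes, policy numbers, the key-id string and the PSK placeholder are assumptions; lines starting with "!" are explanatory and not part of the configuration.

```text
! Identity presented in the IKEv1 ID payload. The default, 'address', changes
! with every DHCP lease; key-id is a fixed opaque string (assumed value).
crypto isakmp identity key-id branch-asa-01

! Phase 1 policy; the PA IKE crypto profile must offer the same set.
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside

! Phase 2 transform set and interesting traffic (RFC 5737 / RFC 1918 example
! prefixes, assumed).
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
access-list branch-to-hq extended permit ip 10.20.0.0 255.255.255.0 10.10.0.0 255.255.255.0

! The PA's address is the only fixed one, so the ASA always initiates and
! 'set peer' points at the PA.
crypto map outside_map 10 match address branch-to-hq
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set ikev1 transform-set ESP-AES256-SHA
! Caveat: in IKEv1 main mode with a PSK, the responder must select the key by
! the initiator's source address before it can decrypt the ID payload. If the
! PA gateway cannot resolve a dynamic peer that way, aggressive mode puts the
! ID in the first message instead (at the cost of exposing the hash unencrypted).
crypto map outside_map 10 set phase1-mode aggressive
crypto map outside_map interface outside

! Tunnel group keyed by the PA's static address; the PSK must match the PA's.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <strong-random-psk>
```

Before applying the identity command, run "show run all crypto isakmp" as Shakti suggests: "crypto isakmp identity" is global on the ASA, so every IKEv1 peer on this box will start receiving the key-id (or hostname) ID, and any peer that was matching on the ASA's address will fail Phase 1 until its expected peer ID is updated. On the PA, a Phase 1 failure after this change usually shows as a peer-identification mismatch in the system log rather than a proposal mismatch, which is the quickest way to confirm the two sides disagree on the ID type or string.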

It's been a while for this thread, but I wanted to give it a shot.

I have a similar situation, but the remote end is a C867VAE with a 3G SIM card. I tried using the hostname as the tunnel identifier, but I still see Phase 1 mismatch issues from the PA end.

I even tried enabling NAT-T on both ends (no crypto ipsec nat-transparency udp-encapsulation). However, the PA sees IKE messages from three different public IPs (different IPs assigned for NATing through the mobile service provider), and using the hostname hasn't worked for me either.

Has anyone had luck with this in a similar 3G setup?

Thanks,

Gihan