I spent about 2 hours on the following scenario before locating the root cause: a missing static route on the Palo Alto. I decided to summarize every step here for future reference. Here is the topology:
[Figure: EVE-NG topology]
The left part is the office (LAN) and the right part is the Internet. Requirements:
- 10.0.56.5 of R6 is NATed to 10.0.17.3 by the Palo Alto; R6 establishes an IPSec tunnel with R8 (10.0.78.8).
- Traffic from 22.214.171.124/24 to 126.96.36.199/24 will be forwarded over the #1 IPSec tunnel.
- All devices in 'LAN' can access the 'Internet' via port translation (PAT).
1. Initialize the Palo Alto
Console into the Palo Alto with username/password admin/admin and configure the MGMT IP 172.16.185.132 (I have bridged the mgmt interface of the Palo Alto to my laptop). Here are the commands for the initialization:
    configure
    edit deviceconfig system
    set ip-address 172.16.185.132 netmask 255.255.255.0
    commit
Note: Remember to execute ‘commit’ on CLI or Web GUI after the modification.
2. Browse to https://172.16.185.132 and log in with username/password admin/admin.
3. Configure an interface management profile: permit ping traffic from both LAN and Internet to the Palo Alto interfaces for connectivity testing.
[Figure: Palo Alto - Interface management profile]
4. Configure interface: ethernet1/1
[Figure: Palo Alto - Interface configuration - Zone 1]
[Figure: Palo Alto - Interface configuration - Zone 2]
[Figure: Palo Alto - Interface configuration - IP Address 1]
[Figure: Palo Alto - Interface configuration - IP Address 2]
[Figure: Palo Alto - Interface configuration - Management Profile]
5. Configure interface ethernet1/2 with almost the same steps as ethernet1/1, but with a different IP and zone: IP 10.0.17.1/24, Zone: Internet.
6. Configure IP addresses and routing on R5, R6, R7 and R8, then run connectivity testing.
R5: Ethernet0/0 10.0.56.5/24, Ethernet0/1 10.0.15.5/24, Loopback0: 188.8.131.52/24, Default route with gateway: 10.0.15.1
R6: Ethernet0/0 10.0.56.6/24, Default route with gateway: 10.0.56.5
R7: Ethernet0/0 10.0.78.7/24, Ethernet0/2 10.0.17.7/24
R8: Ethernet0/0 10.0.78.8/24, Loopback0 184.108.40.206/24, Static route to 10.0.17.0/24 with next hop: 10.0.78.7
7. Configure routing on the Palo Alto:
Default route with next hop: 10.0.17.7
Static route to 10.0.56.0/24 with next hop 10.0.15.5
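As an added illustration (not from the original post), here is a small longest-prefix-match walk over the lab's routing tables, constructed from the values in steps 6 and 7, showing why the firewall needs the 10.0.56.0/24 static route for the tunnel's return traffic: the node names (R5..R8, PA) and the OWNER map of which device answers for each address are assumptions of the example.

```python
from ipaddress import ip_address, ip_network

# Routing tables from steps 6 and 7 as (prefix, next hop); None = directly connected.
# The firewall ("PA") table deliberately starts WITHOUT the 10.0.56.0/24 static route.
LAB = {
    "R6": [("10.0.56.0/24", None), ("0.0.0.0/0", "10.0.56.5")],
    "R5": [("10.0.56.0/24", None), ("10.0.15.0/24", None), ("0.0.0.0/0", "10.0.15.1")],
    "PA": [("10.0.15.0/24", None), ("10.0.17.0/24", None), ("0.0.0.0/0", "10.0.17.7")],
    "R7": [("10.0.78.0/24", None), ("10.0.17.0/24", None)],
    "R8": [("10.0.78.0/24", None), ("10.0.17.0/24", "10.0.78.7")],
}
# Which node answers for each address (assumed); 10.0.17.3 is the NAT address the firewall owns.
OWNER = {"10.0.56.5": "R5", "10.0.56.6": "R6", "10.0.15.5": "R5", "10.0.15.1": "PA",
         "10.0.17.1": "PA", "10.0.17.3": "PA", "10.0.17.7": "R7",
         "10.0.78.7": "R7", "10.0.78.8": "R8"}

def lookup(table, dst):
    """Longest-prefix match: returns (network, next_hop) or None when no route exists."""
    d, best = ip_address(dst), None
    for prefix, nh in table:
        net = ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best

def trace(start, dst, tables=LAB):
    """Walk hop by hop from `start` towards `dst`; returns (path, delivered)."""
    path, node = [start], start
    while True:
        hit = lookup(tables[node], dst)
        if hit is None:                      # no route: packet dropped at this node
            return path, False
        if hit[1] is None:                   # connected subnet: hand to the owner
            path.append(OWNER.get(dst, "on-link"))
            return path, True
        node = OWNER[hit[1]]
        if node in path:                     # routing loop guard
            return path + [node], False
        path.append(node)

def with_static_route(tables=LAB):
    """Copy of the tables with the route the post identifies as the root cause."""
    fixed = dict(tables)
    fixed["PA"] = tables["PA"] + [("10.0.56.0/24", "10.0.15.5")]
    return fixed

if __name__ == "__main__":
    print("R6 -> R8 (IKE):            ", trace("R6", "10.0.78.8"))
    print("R8 -> 10.0.17.3 (return):  ", trace("R8", "10.0.17.3"))
    print("PA -> R6 after NAT, no route:", trace("PA", "10.0.56.6"))
    print("PA -> R6 with static route: ", trace("PA", "10.0.56.6", with_static_route()))
```

Without the static route, the de-NATed return packet for 10.0.56.6 follows the firewall's default route back out to R7, which has no route for 10.0.56.0/24 and drops it.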
8. Configure PAT for Requirement #4: traffic from LAN to Internet
9. Create a service group (UDP 500 and UDP 4500) to be used in the security policy for IPSec traffic.
[Figure: Palo Alto - Service Group]
10. Configure NAT for requirement #3 (IPSec)
[Figure: Palo Alto - NAT 1: Service-IPSec]
Note: The destination address is the IPSec peer IP, 10.0.78.8/32 in my case.
Optional: set Service to 'Any' so the rule applies to all applications.
[Figure: Palo Alto - NAT, optional: Service Any]
[Figure: Palo Alto - NAT/PAT, overall view of steps 9 and 10]
11. Since LAN and Internet are two different zones, security policies are required for the traffic. From LAN to Internet:
[Figure: Palo Alto - Security Policy 1]
[Figure: Palo Alto - Security Policy 2]
[Figure: Palo Alto - Security Policy 3]
[Figure: Palo Alto - Security Policy 4]
12. Security policy for IPSec
[Figure: Palo Alto - Security Policy for IPSec]
13. Verify connectivity on all routers
Note: For ping traffic between two different zones, the ping will fail if only the application 'ICMP' is permitted; the service 'Ping' is also required.
14. Configure IPSec on R6 and R8. Check all router configurations from here.
15. On R5, execute 'ping 220.127.116.11 source 18.104.22.168':
LAN-R5#ping 22.214.171.124 source 126.96.36.199
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 188.8.131.52, timeout is 2 seconds:
Packet sent with a source address of 184.108.40.206
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/3/7 ms
LAN-R5#

LAN-R6#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.0.78.8       10.0.56.6       QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

Internet-R8#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.0.78.8       10.0.17.3       QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA