Site2Cloud (Aviatrix Gateway — PAN)
This document describes how to build an IPSec-tunnel-based site2cloud connection between an Aviatrix Gateway and a Palo Alto Networks (PAN) firewall. To simulate an on-prem PAN firewall, a PAN-VM is launched in an AWS VPC.
The network setup is as follows:

VPC1 (with Aviatrix Gateway)
- VPC1 CIDR: 10.0.0.0/16
- VPC1 Public Subnet CIDR: 10.0.1.0/24
- VPC1 Private Subnet CIDR: 10.0.2.0/24

VPC2 (with PAN-VM)
- VPC2 CIDR: 10.13.0.0/16
- VPC2 Public Subnet CIDR: 10.13.0.0/24
- VPC2 Private Subnet CIDR: 10.13.1.0/24
1. Launch PAN-VM with at least two network interfaces. One interface serves as the WAN port and is in the VPC2 public subnet; the other serves as the LAN port and is in the VPC2 private subnet. Collect the public IP address of the WAN port.

2. At Aviatrix Controller, go to Gateway->New Gateway to launch an Aviatrix Gateway in the VPC1 public subnet. Collect both the public and the private IP address of the Gateway.

3. At Aviatrix Controller, go to Site2Cloud and click Add New to create a site2cloud connection with the following settings:

| Field | Value |
|---|---|
| VPC ID/VNet Name | Choose VPC ID of VPC1 |
| Connection Name | Arbitrary (e.g. avx-pan-s2c) |
| Remote Gateway Type | Generic |
| Algorithms | Uncheck this box |
| Encryption over DirectConnect | Uncheck this box |
| Enable HA | Uncheck this box |
| Primary Cloud Gateway | Select the Aviatrix Gateway created above |
| Remote Gateway IP Address | Public IP of the PAN-VM WAN port |
| Pre-shared Key | Optional (auto-generated if not entered) |
| Remote Subnet | 10.13.1.0/24 (VPC2 private subnet) |
| Local Subnet | 10.0.2.0/24 (VPC1 private subnet) |
4. At Aviatrix Controller, go to the Site2Cloud page. From the site2cloud connection table, select the connection created above (e.g. avx-pan-s2c). Select Generic from the Vendor drop-down list and click the Download Configuration button to download the site2cloud configuration. Save the configuration file for configuring PAN-VM.

5. Log into PAN-VM and configure it as follows:

5.1 Go to Network->Interface->Tunnel, click Add to create a new tunnel interface and assign the following parameters.

| Field | Value |
|---|---|
| Virtual Router | Select the existing virtual router |
| Security Zone | Select the layer 3 internal zone from which traffic originates |

If the tunnel interface is in a zone different from the one where the traffic originates, a policy must be created to allow traffic to flow from the source zone to the zone containing the tunnel interface.
IKE Gateway (Step 5.3)

| Field | Value |
|---|---|
| Interface | PAN WAN port |
| Peer IP Address | Aviatrix Gateway public IP |
| Pre-shared Key | Key from the site2cloud configuration downloaded at Step 4 |
| Peer Identification | IP Address, set to the Aviatrix Gateway private IP |
| IKE Crypto Profile | Select the profile created at Step 5.2 |

IPSec Tunnel

| Field | Value |
|---|---|
| Tunnel Interface | Tunnel interface created at Step 5.1 |
| IKE Gateway | IKE gateway created at Step 5.3 |
| IPSec Crypto Profile | IPSec crypto profile created at Step 5.4 |
| Local | VPC2 private subnet CIDR |
| Remote | VPC1 private subnet CIDR |

Static route to the VPC1 private subnet

| Field | Value |
|---|---|
| Destination | VPC1 private subnet CIDR |
| Interface | Tunnel interface created at Step 5.1 |
6. At the AWS portal, configure the VPC route table associated with the private subnet of VPC2. Add a route destined for the VPC1 private subnet with the PAN-VM LAN port as the gateway.

7. Send traffic between the VPC1 and VPC2 private subnets. At Aviatrix Controller, go to the Site2Cloud page to verify the site2cloud connection status.
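Added example, not part of the Aviatrix document or product: a small Python pre-flight check that the Aviatrix and PAN settings from the tables above mirror each other (each side's Peer IP is the other side's public IP, the PAN Peer Identification is the Aviatrix Gateway private IP, Local/Remote subnets are swapped between the two sides, the pre-shared key is shared) and that the VPC2 route for the VPC1 private subnet points at the PAN LAN port. The public IPs, the gateway private IP, the PSK, the ENI id and the identity the PAN presents in IKE are assumed placeholder values; the subnets are the ones from the network setup.

```python
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass
class IpsecSide:
    """One endpoint of the site2cloud tunnel as configured on that device."""
    name: str
    public_ip: str      # address the other side dials
    ike_id: str         # identity this side presents in IKE
    peer_ip: str        # address this side is configured to dial
    peer_id: str        # identity this side expects from the peer
    psk: str
    local_subnet: str   # this side's protected network
    remote_subnet: str  # network reached through the tunnel

def check_pair(a, b):
    """Return the mismatches between two endpoints; an empty list means mirrored."""
    problems = []
    if a.psk != b.psk:
        problems.append("pre-shared keys differ")
    for x, y in ((a, b), (b, a)):
        if x.peer_ip != y.public_ip:
            problems.append(f"{x.name}: peer IP {x.peer_ip} is not {y.name} public IP")
        if x.peer_id != y.ike_id:
            problems.append(f"{x.name}: expects peer ID {x.peer_id}, {y.name} presents {y.ike_id}")
        if x.local_subnet != y.remote_subnet:
            problems.append(f"{x.name} local {x.local_subnet} != {y.name} remote {y.remote_subnet}")
    if ip_network(a.local_subnet).overlaps(ip_network(a.remote_subnet)):
        problems.append("local and remote subnets overlap")
    return problems

def check_route(route_table, remote_subnet, expected_target):
    """Verify the VPC route table sends remote_subnet to the expected target (PAN LAN port)."""
    target = route_table.get(remote_subnet)
    if target is None:
        return [f"no route for {remote_subnet}"]
    if target != expected_target:
        return [f"route for {remote_subnet} targets {target}, expected {expected_target}"]
    return []

# Constructed sample values: subnets from the page; public IPs, gateway private IP
# (in the VPC1 public subnet), PSK and ENI id are placeholders. The PAN is assumed
# to present its WAN public IP as its IKE identity, which the page does not state.
AVX = IpsecSide("aviatrix-gw", "203.0.113.10", "10.0.1.10", "198.51.100.20",
                "198.51.100.20", "PLACEHOLDER-PSK", "10.0.2.0/24", "10.13.1.0/24")
PAN = IpsecSide("pan-vm", "198.51.100.20", "198.51.100.20", "203.0.113.10",
                "10.0.1.10", "PLACEHOLDER-PSK", "10.13.1.0/24", "10.0.2.0/24")
VPC2_ROUTES = {"10.13.0.0/16": "local", "10.0.2.0/24": "eni-PLACEHOLDER-pan-lan"}
```

Run `check_pair(AVX, PAN)` and `check_route(VPC2_ROUTES, "10.0.2.0/24", "eni-PLACEHOLDER-pan-lan")` with your own values before bringing the tunnel up; a non-empty list names the setting to fix.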
For troubleshooting, go to Site2Cloud->Diagnostics and select the relevant commands from the Action drop-down list.
For support, send email to email@example.com.