How to configure GRE Tunnel between two Palo Alto devices

1.The purpose of the article

In this article, techbast will guide you to configure GRE Tunnel between two Palo Alto firewall devices so that the LANs on these two devices can connect to each other.

2.Diagram

Details:

Head office:

  • We have an internet connection connected to the Palo Alto Firewall 1 device on port ethernet1/1 with IP 192.168.235.128.
  • The LAN is configured with subnet 10.145.41.0/24.

Branch office:

  • We have an internet connection connected to the Palo Alto Firewall 2 device on ethernet1/2 port with IP 192.168.235.129.
  • The LAN is configured with subnet 172.16.16.0/24.

3.Scenario

Techbast will configure a GRE tunnel between the head office and branch office sites so that the two LAN subnets 172.16.16.0/24 and 10.145.41.0/24 can connect to each other.

4.Steps to take

Head office:

  • Create tunnel interface.
  • Create GRE tunnel.
  • Routing

Branch office:

  • Create tunnel interface
  • Create GRE tunnel
  • Routing

5.Configuration

5.1.Head office

5.1.1.Create tunnel interface

To create the tunnel interface, go to Network > Interfaces > Tunnel and click Add.

We need to configure 2 parts, Config and IPv4.

Configure Config according to the following parameters:

  • Interface Name: tunnel.5
  • Virtual Routers: select VR1
  • Security Zone: select Trust-Player3

Configure IPv4 with the following parameters:

  • IP: click Add and enter 192.168.3.1/24
  • Click OK

Click Commit to save the configuration changes.

5.1.2.Create GRE Tunnel

To create the GRE tunnel, go to Network > GRE Tunnels and click Add.

Configure according to the following parameters:

  • Name: gre-to-PA2
  • Interface: ethernet1/1
  • Local Address: select IP, then choose 192.168.235.128/24 from the drop-down menu
  • Peer Address: enter PA2’s WAN IP as 192.168.235.129/24
  • Tunnel Interface: select tunnel.5
  • Click OK

5.1.3.Routing

We need to route the branch office site's subnet 172.16.16.0/24 through the tunnel.5 interface.

To configure routing, go to Network > Virtual Routers and click the VR1 name to edit its configuration.

Note that the interface list on the Route settings tab must contain three interfaces: ethernet1/1 (the WAN port), ethernet1/2 (the LAN port), and tunnel.5.

Next, go to the Static Routes tab and, in the IPv4 table, click Add to add a static route with the following parameters:

  • Name: route-gre
  • Destination: 172.16.16.0/24
  • Interface: select tunnel.5
  • Next Hop: select IP Address – enter 192.168.3.2
  • Click OK 2 times to save

Click Commit to save the configuration changes.

5.2.Branch office

5.2.1.Create tunnel interface

To create the tunnel interface, go to Network > Interfaces > Tunnel and click Add.

We need to configure 2 parts, Config and IPv4.

Configure Config according to the following parameters:

  • Interface Name: tunnel.5
  • Virtual Routers: select VR1
  • Security Zone: select Trust-Player3

Configure IPv4 with the following parameters:

  • IP: click Add and enter 192.168.3.2/24
  • Click OK

Click Commit to save the configuration changes.

5.2.2.Create GRE Tunnel

To create the GRE tunnel, go to Network > GRE Tunnels and click Add.

Configure according to the following parameters:

  • Name: gre-to-PA2
  • Interface: ethernet1/1
  • Local Address: select IP, then choose 192.168.235.129/24 from the drop-down menu
  • Peer Address: enter PA1’s WAN IP as 192.168.235.128/24
  • Tunnel Interface: select tunnel.5
  • Click OK

5.2.3.Routing

We need to route the head office site's subnet 10.145.41.0/24 through the tunnel.5 interface.

To configure routing, go to Network > Virtual Routers and click the VR1 name to edit its configuration.

Note that the interface list on the Route settings tab must contain three interfaces: ethernet1/1 (the WAN port), ethernet1/2 (the LAN port), and tunnel.5.

Next, go to the Static Routes tab and, in the IPv4 table, click Add to add a static route with the following parameters:

  • Name: route-gre
  • Destination: 10.145.41.0/24
  • Interface: select tunnel.5
  • Next Hop: select IP Address – 192.168.3.1
  • Click OK 2 times to save

Click Commit to save the configuration changes.
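
A GRE tunnel only passes traffic when the two sides mirror each other: each peer address is the other side's local address, the tunnel IPs share a subnet, and each static route points at the remote LAN via the remote tunnel IP. The following check of the values used in sections 5.1 and 5.2 is an added example, not part of the original article; the dict layout and the names `check_side` and `check_gre_pair` are hypothetical.

```python
import ipaddress

# Values copied from the article; the dict layout and function names are
# hypothetical, chosen for this example only.
HEAD = {"name": "head", "lan": "10.145.41.0/24",
        "gre_local": "192.168.235.128/24", "gre_peer": "192.168.235.129/24",
        "tunnel_ip": "192.168.3.1/24",
        "route_dest": "172.16.16.0/24", "route_next_hop": "192.168.3.2"}
BRANCH = {"name": "branch", "lan": "172.16.16.0/24",
          "gre_local": "192.168.235.129/24", "gre_peer": "192.168.235.128/24",
          "tunnel_ip": "192.168.3.2/24",
          "route_dest": "10.145.41.0/24", "route_next_hop": "192.168.3.1"}


def _host(value):
    """Host part of 'a.b.c.d' or 'a.b.c.d/len' (the article writes both forms)."""
    return ipaddress.ip_interface(value).ip


def check_side(me, other):
    """Return the mismatches in `me` when compared with its peer `other`."""
    problems = []
    try:
        my_tun = ipaddress.ip_interface(me["tunnel_ip"])
        peer_tun = ipaddress.ip_interface(other["tunnel_ip"])
        dest = ipaddress.ip_network(me["route_dest"])
        if _host(me["gre_peer"]) != _host(other["gre_local"]):
            problems.append(f"{me['name']}: GRE peer address is not the peer's local address")
        if my_tun.ip == peer_tun.ip or my_tun.network != peer_tun.network:
            problems.append(f"{me['name']}: tunnel IPs must differ and share one subnet")
        if dest != ipaddress.ip_network(other["lan"]):
            problems.append(f"{me['name']}: static route destination is not the peer's LAN")
        if dest.overlaps(ipaddress.ip_network(me["lan"])):
            problems.append(f"{me['name']}: static route destination overlaps the local LAN")
        if _host(me["route_next_hop"]) != peer_tun.ip:
            problems.append(f"{me['name']}: next hop is not the peer's tunnel IP")
    except ValueError as exc:  # e.g. a comma typed instead of a dot
        problems.append(f"{me['name']}: unparsable address ({exc})")
    return problems


def check_gre_pair(a, b):
    """Check both directions; an empty list means the two sides mirror each other."""
    return check_side(a, b) + check_side(b, a)


if __name__ == "__main__":
    for line in check_gre_pair(HEAD, BRANCH) or ["both sides are consistent"]:
        print(line)
```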
