https://live.paloaltonetworks.com/t5/next-generation-firewall/where-to-add-proxy-id-with-multiple-tunnels/m-p/530391#M885 <P>Hey all,</P> <P>We have 3 firewalls:</P> <P>C1 = Cisco FW - Policy based S2S VPN -- subnet behind it 10.1.0.0/24</P> <P>P2 = Palo FW - Route based S2S VPN&nbsp;-- subnet behind it 172.16.50.0/24</P> <P>C3 = Cisco FW - Policy based S2S VPN&nbsp;-- subnet behind it 192.168.20.0/24</P> <P>&nbsp;</P> <P>We have S2S tunnels as: C1 &lt;---- tunnel.1---&gt; P2 &lt;-----tunnel.2-----&gt; C3</P> <P>Proxy ID on P2 are:</P> <P>For tunnel.1 = local:&nbsp;172.16.50.0/24, remote:&nbsp;10.1.0.0/24</P> <P>For tunnel.2 = local:&nbsp;172.16.50.0/24, remote: 192.168.20.0/24</P> <P>Routing is all static.</P> <P>&nbsp;</P> <P>Now 10.1.0.50 wants to reach 192.168.20.79. There cannot be a direct tunnel between C1 and C3 and hence this needs to go through P2. This is currently now working. If I add the both the remote proxy ids to both the tunnels, then atleast 1 tunnel and sometimes both go down.&nbsp;</P> <P>&nbsp;</P> <P>How can I get this working? Where and how do I add Proxy IDs?</P> <P>&nbsp;</P> <P>Thanks!</P> <P>&nbsp;</P> Wed, 08 Feb 2023 23:33:03 GMT rjdahav163 2023-02-08T23:33:03Z https://live.paloaltonetworks.com/t5/next-generation-firewall/where-to-add-proxy-id-with-multiple-tunnels/m-p/530391#M885 <P>Hey all,</P> <P>We have 3 firewalls:</P> <P>C1 = Cisco FW - Policy based S2S VPN -- subnet behind it 10.1.0.0/24</P> <P>P2 = Palo FW - Route based S2S VPN&nbsp;-- subnet behind it 172.16.50.0/24</P> <P>C3 = Cisco FW - Policy based S2S VPN&nbsp;-- subnet behind it 192.168.20.0/24</P> <P>&nbsp;</P> <P>We have S2S tunnels as: C1 &lt;---- tunnel.1---&gt; P2 &lt;-----tunnel.2-----&gt; C3</P> <P>Proxy ID on P2 are:</P> <P>For tunnel.1 = local:&nbsp;172.16.50.0/24, remote:&nbsp;10.1.0.0/24</P> <P>For tunnel.2 = local:&nbsp;172.16.50.0/24, remote: 192.168.20.0/24</P> <P>Routing is all static.</P> <P>&nbsp;</P> <P>Now 10.1.0.50 wants to reach 192.168.20.79. There cannot be a direct tunnel between C1 and C3 and hence this needs to go through P2. This is currently now working. If I add the both the remote proxy ids to both the tunnels, then atleast 1 tunnel and sometimes both go down.&nbsp;</P> <P>&nbsp;</P> <P>How can I get this working? Where and how do I add Proxy IDs?</P> <P>&nbsp;</P> <P>Thanks!</P> <P>&nbsp;</P> Wed, 08 Feb 2023 23:33:03 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/where-to-add-proxy-id-with-multiple-tunnels/m-p/530391#M885 rjdahav163 2023-02-08T23:33:03Z https://live.paloaltonetworks.com/t5/next-generation-firewall/where-to-add-proxy-id-with-multiple-tunnels/m-p/530427#M887 <P>For tunnel.1 you will have to use local PID # 192.168.20.0/24 , remote 10.1.0.0/24<BR />For tunnel.2 you will have to use local PID # 10.1.0.0/24 , remote 192.168.20.0/24<BR />remember to allow communication on your security policy from your VPN_ZONE to VPN_ZONE</P> Thu, 09 Feb 2023 04:32:00 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/where-to-add-proxy-id-with-multiple-tunnels/m-p/530427#M887 murali438 2023-02-09T04:32:00Z https://live.paloaltonetworks.com/t5/next-generation-firewall/where-to-add-proxy-id-with-multiple-tunnels/m-p/616480#M4976 <P>Hello Everyone, what happens when you have more than one subnet on both sides?&nbsp;&nbsp;</P> <P>Say I have Side A with 10.6.10.0/24 and 10.6.20.0/24 and on side B I have 10.1.10.0/24 and 10.1.20.0/24.&nbsp; Nothing overlaps, but please tell me what the proxy ID's would look like.</P> <P>I just have a single tunnel created between them.</P> Sun, 10 Nov 2024 18:15:15 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/where-to-add-proxy-id-with-multiple-tunnels/m-p/616480#M4976 RusselMoos 2024-11-10T18:15:15Z https://live.paloaltonetworks.com/t5/next-generation-firewall/where-to-add-proxy-id-with-multiple-tunnels/m-p/616482#M4977 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1643922715">@RusselMoos</a>&nbsp;,</P> <P>&nbsp;</P> <P>Assuming that you need connectivity between all you distant subnet, then your Proxy-ID will have 4 rules, as follows for side A:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="CosminM_0-1731263641659.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/63884iC07D486E9FDFA3F1/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="CosminM_0-1731263641659.png" alt="CosminM_0-1731263641659.png" /></span></P> <P>&nbsp;</P> Sun, 10 Nov 2024 18:35:32 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/where-to-add-proxy-id-with-multiple-tunnels/m-p/616482#M4977 CosminM 2024-11-10T18:35:32Z https://live.paloaltonetworks.com/t5/next-generation-firewall/where-to-add-proxy-id-with-multiple-tunnels/m-p/616484#M4978 <P>Thank you Cosmin!&nbsp; I will give that a try.</P> Sun, 10 Nov 2024 18:42:52 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/where-to-add-proxy-id-with-multiple-tunnels/m-p/616484#M4978 RusselMoos 2024-11-10T18:42:52Z