topic Re: VPN - PA to PA - need internet traffic to go through additional device one hop inside PA in General Topics

VPN - PA to PA - need internet traffic to go through additional device one hop inside PA

MattShuter — Tue, 29 Jul 2014 13:29:15 GMT

Remote site has a PA-200

HQ has a PA-2020.

I have the VPN setup between the two so that they are connected to each other.

I need the internet traffic from the remote site to pass through our content filter that is connected to the PA-2020 at the HQ.

the content filter is not seen by any devices, it is transparent to all devices

Traffic flow from a laptop at the remote site to the internet would look like this:

Laptop --> PA-200 -----VPN----> PA-2020 (HQ) ----> content filter (transparent) ----> HQ core switch ------> content filter (transparent) ----> PA-2020 (HQ) ----> internet

Does that make sense?

Thanks for any assistance.

Matt

Re: VPN - PA to PA - need internet traffic to go through additional device one hop inside PA

HULK — Tue, 29 Jul 2014 14:31:38 GMT

Hello Matt,

It looks good to me. Since, traffic traversing through PAN firewall twice, we may need to perform a source NAT for this traffic at HQ core switch. A source NAT with ensuring the symmetric return of the traffic through the HQ core switch.

As per my understanding, your traffic is flowing like above mentioned diagram. The green line is for return traffic from internet. So, only a source NAT in your HQ core switch can ensure the return traffic to go back to HQ core through content filter. Otherwise, if you perform NAT on PAN firewall, return traffic will not travese through HQ core and content filter, since PAN firewall will identify the direct route to reach remote user's subnet through VPN tunnel.

Hope this helps.

Thanks

Re: VPN - PA to PA - need internet traffic to go through additional device one hop inside PA

MattShuter — Tue, 05 Aug 2014 17:59:32 GMT

Thanks.

The internet traffic is not hitting the core switch, only the internal traffic.

Do I need to adjust my route table on the remove VPN to direct traffic to the core switch ip instead of the PA-2020?

I am going to try this to see what it does...but I don't think it will work.

What if I had another device on the other side of the core switch?

a vpn concentrator, or even another PA box.

Would it be possible to simply NAT (bi-directional) the VPN traffic from public ip on PA-2020 to internal ip of other device?

remote site PA-200 public ip ----> PA-2020 public IP ----> (NAT) -----> PA-200 internal ip

then, internet traffic would go out via the core, pass through the content filter, and then back in...

Thanks again.

matt

Re: VPN - PA to PA - need internet traffic to go through additional device one hop inside PA

MattShuter — Tue, 05 Aug 2014 19:15:44 GMT

or...

how do I setup the PA200 split traffic...

internal, 10.x.x.x via the VPN

internet, 0.0.0.0 except 10.x, via the internet connection?

tried two routes, but they didn't split the traffic, everything still going over the vpn...unless I didn't get the right combination of interface/route/next hop/etc.

Re: VPN - PA to PA - need internet traffic to go through additional device one hop inside PA

HULK — Tue, 05 Aug 2014 19:36:58 GMT

You need to configure a specific route through VPN tunnel ( based on destination) and a default route for all internet traffic. The PAN firewall will search for a longer match first ( through the tinnel).

Thanks

Re: VPN - PA to PA - need internet traffic to go through additional device one hop inside PA

MattShuter — Fri, 08 Aug 2014 19:21:48 GMT

I was able to get this to work, the traffic split between VPN and local internet access...realized I was using the wrong next hop address for my internet traffic

Re: VPN - PA to PA - need internet traffic to go through additional device one hop inside PA

HULK — Fri, 08 Aug 2014 19:31:03 GMT

Thank for the update.