topic VPN port and default port the same? in General Topics

VPN port and default port the same?

Neo.The.One — Wed, 22 Oct 2014 08:27:28 GMT

Hallo all,

i have only one phyical ethernet interface on firewall which is facing the internet. I also want to make this PA firewall as an IPSEC Tunnel endpoint. So all my internal traffic uses this ethernet interface to go to internet. And VPN traffic should terminate on the same interface.

Is this possible? If yes, how can I implement it? Any documentation or procedures?

Thanks a lot!

Re: VPN port and default port the same?

HULK — Wed, 22 Oct 2014 08:56:59 GMT

Hello Amit,

I hope you are using this PAN firewall only to scan traffic. If so, you can implement above mentioned setup. You have to configure different route for both physical interface and through the VPN tunnel.

For example:

>>>>> For all internet traffic through physical interface : Destination 0.0.0.0 - next hop ISP ipaddress ( next hop)

>>>>> For VPN traffic : Destination : source subnet behind IPSec tunnel , interface- tunnel.xx, next hop- None

Hope this helps and let us know the result.

Thanks

Re: VPN port and default port the same?

Neo.The.One — Wed, 22 Oct 2014 09:40:22 GMT

Hi Hulk

Ok I will try it out and let you know.

Also, in the VR, I should always mention either the Interface or the Next Hop, but not both, right?

Re: VPN port and default port the same?

santonic — Wed, 22 Oct 2014 10:49:24 GMT

Yes, you can use single ethernet interface towards internet for all functionality: user access to web, IPSEC VPN termination, GlobalProtect portal and gateway, external management of firewall (in that case mgmt port changes to 4443)..

Re: VPN port and default port the same?

hshah — Wed, 22 Oct 2014 14:50:06 GMT

Hi Amit,

You can achieve this through static route. You need to create two sort of static route.

1. Default route pointing towards ISP ethernet interface.

2. Set of static routes Pointing towards tunnel interace. But for that make sure those routes exist in Proxy IDs of IPsec tunnel.

Let me know if this helps.

Regards,

Hardik Shah

Re: VPN port and default port the same?

HULK — Wed, 22 Oct 2014 15:01:03 GMT

Hello Amit,

In the VR, you may select both "interface" and "next-hop" at the same time in static route configuration. But, in common scenario,if IPSec tunnel is not configured with an IP, hence you may only select "interface" [ Outgoing interface] option.

Thanks

Re: VPN port and default port the same?

hshah — Wed, 22 Oct 2014 15:19:54 GMT

Hi Amit,

For any static route next hop is required just like another vendors.

But for static routes for tunnel, you can skip next hope. You can select it as none.

Many customers doesnt configure IP on Tunnel, hence they can just point route to tunnel and skip the next hop.

However if tunnel has IP address you can configure it, but its optional. Not a mandatory thing.

Regards,

Hardik Shah

Re: VPN port and default port the same?

dreputi — Wed, 22 Oct 2014 16:29:31 GMT

Hello Amit,

For the most part this is typically how most of the users will be using, ie 1 public ip and many services like outbound NAT, IPSec, GlobalProtect, Remote access etc. So this will work.

For outbound traffic, you will need the following:

-outbound NAT, translate source to the public IP

-appropriate static routes to default gateway as discussed earlier.

-security rules

For IPSec, you may follow this document:

How to Configure IPSEC VPN

Regards,

Dileep