https://live.paloaltonetworks.com/t5/general-topics/policy-based-forwarding-only-works-when-using-specific-ip/m-p/31576#M23086 <HTML><HEAD></HEAD><BODY><P>Thinking outloud here...</P><P></P><P>I would like to record voice traffic for VPN connected customer service agents.</P><P>Traffic comes in a VPN-HomeRouters tunnel from a 10. IP range.</P><P></P><P>The PBF works when setting source Zone and IP, Next Hop and 1 destination IP.</P><P>When i change the IP to a range then the forwarding gets skipped (i'm thinking because of the Virtual Router static route)</P><P></P><P>So i'm wondering if skipping the PBF altogether in a favor of a second Virtual router will do the trick.</P><P></P><P>The second VR would include the tunnel interface and e1/5 (my desired egress interface into the LAN) and have static routes matching that of the Main VR.</P><P></P><P>Bottom line I need VPN traffic to egress e1/5 in order to hit a spanned port.</P><P></P><P>Any voices in my head would be most welcome!</P><P></P><P>gary </P></BODY></HTML> Fri, 23 Nov 2012 22:11:05 GMT startech_netadmins 2012-11-23T22:11:05Z https://live.paloaltonetworks.com/t5/general-topics/policy-based-forwarding-only-works-when-using-specific-ip/m-p/31576#M23086 <HTML><HEAD></HEAD><BODY><P>Thinking outloud here...</P><P></P><P>I would like to record voice traffic for VPN connected customer service agents.</P><P>Traffic comes in a VPN-HomeRouters tunnel from a 10. IP range.</P><P></P><P>The PBF works when setting source Zone and IP, Next Hop and 1 destination IP.</P><P>When i change the IP to a range then the forwarding gets skipped (i'm thinking because of the Virtual Router static route)</P><P></P><P>So i'm wondering if skipping the PBF altogether in a favor of a second Virtual router will do the trick.</P><P></P><P>The second VR would include the tunnel interface and e1/5 (my desired egress interface into the LAN) and have static routes matching that of the Main VR.</P><P></P><P>Bottom line I need VPN traffic to egress e1/5 in order to hit a spanned port.</P><P></P><P>Any voices in my head would be most welcome!</P><P></P><P>gary </P></BODY></HTML> Fri, 23 Nov 2012 22:11:05 GMT https://live.paloaltonetworks.com/t5/general-topics/policy-based-forwarding-only-works-when-using-specific-ip/m-p/31576#M23086 startech_netadmins 2012-11-23T22:11:05Z https://live.paloaltonetworks.com/t5/general-topics/policy-based-forwarding-only-works-when-using-specific-ip/m-p/31577#M23087 <HTML><HEAD></HEAD><BODY><P>Hi Gary,</P><P></P><P>I couldn't understand the exact scenario ;however I would like to mention few points...</P><P></P><P>- PBF would work well for a single destination IP,Group of IPs or a subnet</P><P>- PBF got priority over the VR static routes (if it is applicable to source and destination zones)and PBF works from top to bottom.Please check&nbsp; </P><P>&nbsp; if you have any PBF on the top&nbsp; that overwirtes&nbsp;&nbsp;&nbsp; your PBF</P><P>- If you dont have an IP for tunnel interface and if you are trying to do a PBF with next hop as the tunnel interface,the forwarding decicion</P><P>&nbsp; wouldn't work . You should have tunnel interface with an IP address to make forwarding decision with PBF.</P><P>&nbsp;&nbsp; Else what you can do is -make tunnel interface unnumbered ,then make PBF as no forwarding and then add a static route in the VR</P><P></P><P>Hope this helps ... <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></P><P></P><P>thanks,Nikhil</P></BODY></HTML> Thu, 13 Dec 2012 08:54:21 GMT https://live.paloaltonetworks.com/t5/general-topics/policy-based-forwarding-only-works-when-using-specific-ip/m-p/31577#M23087 BFCBahrain 2012-12-13T08:54:21Z