topic Re: Inter-VR-Routing from Branch Office in General Topics

Inter-VR-Routing from Branch Office

Retired Member — Tue, 12 Dec 2017 12:44:26 GMT

Hey all!

I am working on a Inter-VR Routing issue and would ask you for some input, how's a best practise..

In Headquarter we have two VR's (2 Internet Routers), to reach the old official IP's there was build a DMZ2, which is in the secoundary VR ISP2. With the route in the default VR, which i say the /24-Network in this VR goes in Next Hop to VR ISP2 i can reach everything from headquarter.

Now i want it reachable from a branch office, is it enough to make a route to the IPSec-Tunnel, or would you do this at another way? (and surely i need the policies in the specific zones from branch office to DMZ2)

I'm very glad for your input 🙂 - here is a picture, i try to come from right side (Branch office) and try to reach DMZ two in HQ.

Christian

Re: Inter-VR-Routing from Branch Office

pulukas — Tue, 12 Dec 2017 13:56:49 GMT

When workstations at the branch go to access services in DMZ2 what ip address will the urls resolve to?

Will they get these internal ip addresses or the public ip addresses using NAT on the PA3020?

If they get the internal address for the resources, then I think sending this accross the VPN is the best approach.

Re: Inter-VR-Routing from Branch Office

Retired Member — Tue, 12 Dec 2017 14:01:03 GMT

hey, thanks for answer.

they get these internal ip addresses...

i'll try to make the static route in the tunnel, i'm just not sure then to come to the secound VR with it or if i forgett something in this case (and if its workiong with the higher metric for the same route in the tunneL) ..so many questions 😄

and aswell, i'm thinking about enable the OSPF in the secound vr too

Re: Inter-VR-Routing from Branch Office

Retired Member — Tue, 12 Dec 2017 15:53:34 GMT

OK it just works with the simple static route inside the vpn tunnel 🙂

Re: Inter-VR-Routing from Branch Office

pulukas — Sat, 16 Dec 2017 17:56:50 GMT

Glad you have it working. Basically you only need to create VR instances when routing separation is needed for traffic. For internal routes like this that would rarely be the case.

If you did have multiple paths back for the internal traffic OSPF can be a convenient way to have the routes failover between the connections, especially when they are VPN tunnels.