topic Re: VPN tunnel to a firewall NOT internet facing in General Topics

VPN tunnel to a firewall NOT internet facing

superture — Wed, 09 May 2018 09:43:47 GMT

Hi,

I have a scenario with two sites which has two sets (HA) of firewalls, external and internal. So external handles everything internet and behind the internal the datacenter resides. Clients are in between.

We have MPLS between the sites which terminate in the internal firewall.

Now we want to setup site-to-site vpn as a backup for MPLS failure. Since there is a lot of routing in place we would like the tunnels to terminate in the internal firewalls.

How would you setup this? 🙂

NAT, PBF, etc...

Thanks

Magnus

Re: VPN tunnel to a firewall NOT internet facing

davanderson — Wed, 09 May 2018 12:17:23 GMT

You would normally have a dynamic routing protocol setup to allow traffic from one site to another via your MPLS network. Then you can easily use your default route to send traffic to the Internet firewall for your backup VPN tunnel.

This is an example of how a network would likely be setup to serve the function you describe. When the MPLS goes down, you lose the dynamic routes and the VPN kicks in.

Re: VPN tunnel to a firewall NOT internet facing

superture — Wed, 09 May 2018 14:03:06 GMT

Haha looks great!

But... suppose we have a lot of static routing and really want to terminate tunnel on the internal firewalls?

Re: VPN tunnel to a firewall NOT internet facing

davanderson — Wed, 09 May 2018 15:07:18 GMT

Your routing becomes problematic in the design you are attempting with little benefit. In both scenarios you have your data passing over the Internet inside of an IPSec tunnel. In either method you will need to implement a dynamic routing protocol to have an automated method for path selection.

Also keep in mind that when you have the VPN tunnel on the Internal FW, you will need to setup dynamic routing from your core LAN switch to the FW. Otherwise the Firewall will always pass traffic between servers over the VPN tunnel and it won't use the MPLS.

In this example we summarize each site with /16 subnet routes. These are static routes on the LAN-SW and the Servers-FW. This will allow traffic to cross the VPN if we lose the Dynamic MPLS routing.

The LAN-SW's at each site will learn a more specific /24 route for the remote office networks and this will be a more prefferred path. Traffic will normally use the MPLS network from site-to-site.

When your MPLS dynamic routing stops (due to circuit or router failure) these specific routes disapear and the next best path are the /16 static routes.

Also remember that all of your FW rules will need to be built with the new VPN tunnel zone as a source or destination on the Server-FW's at each location.

Re: VPN tunnel to a firewall NOT internet facing

superture — Wed, 16 May 2018 07:58:40 GMT

Thanks!

I'm thinking if I terminate tunnel in the same zone as MPLS on the internal fw and use static route monitor it might work? I realize we could do this much more efficient but that will have to wait for switch refresh I think.

How do I get the tunnel to the internal fw? NAT all the way or PBF maybe?

Re: VPN tunnel to a firewall NOT internet facing

OtakarKlier — Wed, 16 May 2018 13:56:26 GMT

Hello,

If you have a lot of static routing then PDF would be your best bet. That way you set your PBF policy to route your primary way with a monitor and the option to 'Disable' the policy if hte monitor goes down. Then your static routes would be setup to use the backup path. This works great because the PBF policies are used prior to the routes in the virtual router.

https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/policy/policy-based-forwarding/use-case-pbf-for-outbound-access-with-dual-isps#id1e130c06-0775-45d9-9f96-c416531fdb5f

Hope that helps.

Regards,