topic DMVPN router traffic through DMZ to trusted LAN in General Topics https://live.paloaltonetworks.com/t5/general-topics/dmvpn-router-traffic-through-dmz-to-trusted-lan/m-p/231067#M66347 <P>We are setting up DMVPN routers for on-demand VPNs from our remote sites to HQ.&nbsp; our DMVPN routers have the front end exposed to internet and the back end is on our special DMVPN DMZ.&nbsp; When the VPN is built from the remote site traffic from the site comes into the DMZ and needs to be routed through the PA (5050) to the trusted interface (HQ LAN SEGMENT).&nbsp; &nbsp;The traffic is being blocked by policy and when I tried to put in a policy I get a L3 error. It think its because the traffic from the site is not part of the DMVPN ZONE.&nbsp; &nbsp;The DMVPN zone is 192.55.XXX.XXX but the traffic going through is on the 10.XXX.XXX.XXX network.&nbsp; Since the traffic being passed is not part of the ZONE I think that is causing the L3 error/message.</P><P>&nbsp;</P><P>Any suggestions would be appreciated.&nbsp; (We wanted to use the DMZ approach so the traffic could be controlled, blocked, and scanned as required.)</P> Mon, 17 Sep 2018 13:58:56 GMT tim_cahoon 2018-09-17T13:58:56Z DMVPN router traffic through DMZ to trusted LAN https://live.paloaltonetworks.com/t5/general-topics/dmvpn-router-traffic-through-dmz-to-trusted-lan/m-p/231067#M66347 <P>We are setting up DMVPN routers for on-demand VPNs from our remote sites to HQ.&nbsp; our DMVPN routers have the front end exposed to internet and the back end is on our special DMVPN DMZ.&nbsp; When the VPN is built from the remote site traffic from the site comes into the DMZ and needs to be routed through the PA (5050) to the trusted interface (HQ LAN SEGMENT).&nbsp; &nbsp;The traffic is being blocked by policy and when I tried to put in a policy I get a L3 error. It think its because the traffic from the site is not part of the DMVPN ZONE.&nbsp; &nbsp;The DMVPN zone is 192.55.XXX.XXX but the traffic going through is on the 10.XXX.XXX.XXX network.&nbsp; Since the traffic being passed is not part of the ZONE I think that is causing the L3 error/message.</P><P>&nbsp;</P><P>Any suggestions would be appreciated.&nbsp; (We wanted to use the DMZ approach so the traffic could be controlled, blocked, and scanned as required.)</P> Mon, 17 Sep 2018 13:58:56 GMT https://live.paloaltonetworks.com/t5/general-topics/dmvpn-router-traffic-through-dmz-to-trusted-lan/m-p/231067#M66347 tim_cahoon 2018-09-17T13:58:56Z Re: DMVPN router traffic through DMZ to trusted LAN https://live.paloaltonetworks.com/t5/general-topics/dmvpn-router-traffic-through-dmz-to-trusted-lan/m-p/231143#M66363 <P>Hello,</P><P>I used to have a similar setup and we changed to just use the PAN's VPN and dynamic routing, OSPF, with costs so the VP would only be chosen if hte primary link went down. However from your description, I would say its possibly a routing issues? The PAN might not know where to rout the 192 network or there is no secondary path to/from the remote office on the PAN?</P><P>&nbsp;</P><P>Please let me know if I didnt understand your question.</P><P>&nbsp;</P><P>Regards,</P> Mon, 17 Sep 2018 20:50:46 GMT https://live.paloaltonetworks.com/t5/general-topics/dmvpn-router-traffic-through-dmz-to-trusted-lan/m-p/231143#M66363 OtakarKlier 2018-09-17T20:50:46Z