topic Re: routing forwarding in General Topics

routing forwarding

qd_056 — Mon, 17 Dec 2018 04:50:10 GMT

hey guys

If there is a site-to-site VPN between the FWs and I want to force some specific internet access traffic to go through this VPN, is it possible?

Can I just add static routing on FW to force the specified traffic to the VPN tunnel?

Do we need some config for the traffic which coming back?

Thanks

Re: routing forwarding

pulukas — Mon, 17 Dec 2018 12:06:11 GMT

There are a few considerations in getting this to work. You will need to consider both tunnel directions for the traffic routing and make sure the routes installed on both sides do what you wish and that the vpn itself will accept the traffic.

On the routing, the question will be what direction is the traffic initiated. Are you taking a public address on side A and forwarding requests to this address to a server on site B. Or are you taking outbound traffic from site B and forwarding this to use the ISP outbound on site A. For both cases you need to expand the policies inplace at site A and B to allow the traffic flow in the correct direction of initiation of session.

For inbound traffic site A to site B you can set a normal fowarding rule to the address on the existing VPN.

Then add a source nat rule to an address on site A already covered in the VPN. This won't require any VPN changes and the return traffic will work using the existing tunnel as is.

For the second case you would need to make sure the outbound web addresses on site B point to the tunnel interface of a route based VPN.

You should use the open proxy-id on this vpn if at all possible. If not the proxy-id pairs need to expand to include these public addresses as part of the tunnel.

On site A you will need to be sure the outbound source nat rule will cover the address range coming from site B going out that ISP.

Re: routing forwarding

qd_056 — Tue, 18 Dec 2018 02:35:51 GMT

hey @pulukas

Appreciate for your reply.

The real case is, when site A users want to access some dedicated websites. we want this traffic goes to siteB via the VPN between A and B and goes out from site B ISP, as we got poor performance while accessing such websites directly from site A.

thanks

Re: routing forwarding

OtakarKlier — Tue, 18 Dec 2018 16:57:14 GMT

Hello,

If you want all traffic to go though the one site, then just put in a static route. Make sure you leave the specific routes for your ISP.

i.e. PAN site A:

specific route for your isp, so the pan can get to the gateway so the VPN stays up.

then 0.0.0.0/0 with next hop the tunnel.

PAN site B:

have a route for the site A subnets to next hop the tunnel.

I prefer to use OSPF so that any changes are propgated automatically. However if you only have the two sites, statics will work just fine.

Regards,