12-16-2018 08:50 PM
12-17-2018 04:06 AM
There are a few considerations in getting this to work. You will need to consider both tunnel directions for the traffic routing and make sure the routes installed on both sides do what you wish and that the vpn itself will accept the traffic.
On the routing, the question will be what direction is the traffic initiated. Are you taking a public address on side A and forwarding requests to this address to a server on site B. Or are you taking outbound traffic from site B and forwarding this to use the ISP outbound on site A. For both cases you need to expand the policies inplace at site A and B to allow the traffic flow in the correct direction of initiation of session.
For inbound traffic site A to site B you can set a normal fowarding rule to the address on the existing VPN.
Then add a source nat rule to an address on site A already covered in the VPN. This won't require any VPN changes and the return traffic will work using the existing tunnel as is.
For the second case you would need to make sure the outbound web addresses on site B point to the tunnel interface of a route based VPN.
You should use the open proxy-id on this vpn if at all possible. If not the proxy-id pairs need to expand to include these public addresses as part of the tunnel.
On site A you will need to be sure the outbound source nat rule will cover the address range coming from site B going out that ISP.
12-17-2018 06:35 PM
hey @pulukas
Appreciate for your reply.
The real case is, when site A users want to access some dedicated websites. we want this traffic goes to siteB via the VPN between A and B and goes out from site B ISP, as we got poor performance while accessing such websites directly from site A.
thanks
12-18-2018 08:57 AM
Hello,
If you want all traffic to go though the one site, then just put in a static route. Make sure you leave the specific routes for your ISP.
i.e. PAN site A:
specific route for your isp, so the pan can get to the gateway so the VPN stays up.
then 0.0.0.0/0 with next hop the tunnel.
PAN site B:
have a route for the site A subnets to next hop the tunnel.
I prefer to use OSPF so that any changes are propgated automatically. However if you only have the two sites, statics will work just fine.
Regards,
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
