routing forwarding

L2 Linker
hey guys
If there is a site-to-site VPN between the FWs and I want to force some specific internet access traffic to go through this VPN, is it possible?
Can I just add static routing on FW to force the specified traffic to the VPN tunnel?
Do we need some config for the traffic which is coming back?
L7 Applicator

There are a few considerations in getting this to work. You will need to consider both tunnel directions for the traffic routing and make sure the routes installed on both sides do what you wish and that the VPN itself will accept the traffic.


On the routing, the question will be what direction the traffic is initiated. Are you taking a public address on site A and forwarding requests to this address to a server on site B? Or are you taking outbound traffic from site B and forwarding this to use the ISP outbound on site A? For both cases you need to expand the policies in place at site A and B to allow the traffic flow in the correct direction of initiation of session.


For inbound traffic site A to site B you can set a normal forwarding rule to the address on the existing VPN.

Then add a source NAT rule to an address on site A already covered in the VPN. This won't require any VPN changes and the return traffic will work using the existing tunnel as is.


For the second case you would need to make sure the outbound web addresses on site B point to the tunnel interface of a route-based VPN.

You should use the open proxy-id on this vpn if at all possible.  If not the proxy-id pairs need to expand to include these public addresses as part of the tunnel.

On site A you will need to be sure the outbound source NAT rule will cover the address range coming from site B going out that ISP.


Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
L2 Linker

hey @pulukas


Appreciate your reply.


The real case is, when site A users want to access some dedicated websites, we want this traffic to go to site B via the VPN between A and B and go out from site B's ISP, as we got poor performance while accessing such websites directly from site A.





Cyber Elite


If you want all traffic to go through the one site, then just put in a static route. Make sure you leave the specific routes for your ISP.


i.e. PAN site A:

a specific route for your ISP, so the PAN can get to the gateway so the VPN stays up.

then the rest with next hop the tunnel.


PAN site B:

have a route for the site A subnets to next hop the tunnel.


I prefer to use OSPF so that any changes are propagated automatically. However, if you only have the two sites, statics will work just fine.
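The two replies above describe the same design from both ends: site A sends the chosen website prefixes into the tunnel while keeping a more specific route for its own ISP gateway (so the VPN peer address never resolves to the tunnel), and site B needs a source NAT out its ISP plus a return route for the site A subnets back into the tunnel. The following is an added illustration, not code from the thread or from Palo Alto Networks: it models the two virtual routers with longest-prefix matching and checks the three failure points the posters call out. All addresses, the route tables and the interface name `tunnel.1` are constructed assumptions for the example.

```python
import ipaddress

# Constructed routing table for "PAN site A" (documentation ranges only).
# Each entry is (destination prefix, next hop). Order does not matter: longest prefix wins.
SITE_A_ROUTES = [
    ("0.0.0.0/0", "ISP-A gateway 198.51.100.1 via ethernet1/1"),     # normal internet breakout at A
    ("203.0.113.5/32", "ISP-A gateway 198.51.100.1 via ethernet1/1"),  # site B VPN peer: must stay off the tunnel
    ("203.0.113.0/24", "tunnel.1"),   # the "dedicated websites" forced through the VPN to site B
    ("10.20.0.0/16", "tunnel.1"),     # site B internal subnets
]

# Constructed routing table for "PAN site B".
SITE_B_ROUTES = [
    ("0.0.0.0/0", "ISP-B gateway 203.0.113.1 via ethernet1/1"),  # websites leave via site B's ISP
    ("10.10.0.0/16", "tunnel.1"),     # site A client subnets: return traffic goes back into the tunnel
]


def lookup(routes, dst):
    """Longest-prefix match, the way a virtual router chooses a route for one destination."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None


def peer_reachable_outside_tunnel(routes, peer_ip, tunnel_iface="tunnel.1"):
    """The 'keep the specific ISP route' check: if the VPN peer's own address
    resolves to the tunnel, the tunnel can never establish (recursive route)."""
    nh = lookup(routes, peer_ip)
    return nh is not None and nh != tunnel_iface


def trace_forced_access(site_a_routes, site_b_routes, client_ip, website_ip, tunnel_iface="tunnel.1"):
    """Walk the forward and return path of a site A client reaching a website via site B's ISP.
    Returns [(hop, decision), ...] or raises ValueError naming the broken leg."""
    path = []

    a_next = lookup(site_a_routes, website_ip)
    path.append(("site A egress", a_next))
    if a_next != tunnel_iface:
        raise ValueError("site A does not send this website into the tunnel")

    b_next = lookup(site_b_routes, website_ip)
    path.append(("site B egress", b_next))
    if b_next == tunnel_iface:
        raise ValueError("site B would hairpin the flow back into the tunnel (routing loop)")

    # Return leg: site B must source-NAT the flow to its own ISP address so the reply lands at B,
    # and B must then route the original site A client address back into the tunnel.
    ret = lookup(site_b_routes, client_ip)
    path.append(("site B return", ret))
    if ret != tunnel_iface:
        raise ValueError("site B has no route back to the site A client via the tunnel")
    return path


if __name__ == "__main__":
    assert peer_reachable_outside_tunnel(SITE_A_ROUTES, "203.0.113.5")
    for hop, decision in trace_forced_access(SITE_A_ROUTES, SITE_B_ROUTES, "10.10.4.20", "203.0.113.77"):
        print(f"{hop:15s} -> {decision}")
```

Dropping the `/32` entry for the peer from `SITE_A_ROUTES` makes `peer_reachable_outside_tunnel` return False, which is exactly the "VPN stays up" condition the site A step protects; dropping the `10.10.0.0/16` entry at site B makes `trace_forced_access` fail on the return leg even though the forward path looks fine.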


