Site to site VPN terminating in DMZ possible?

L1 Bithead

Is it possible to set up a site to site VPN and have it terminate on the DMZ interface rather than the WAN interface? We have numerous remote locations that are running small SonicWall firewalls and connecting back to our corporate site. They currently terminate on a SonicWall, but we are migrating over to a Palo Alto unit. The reason for terminating in the DMZ is that we'd like to be able to use redundant WAN connections with BGP routing. This way if one of the ISPs goes down, the VPN will still be accessible through the other ISP.

Any docs on how to do this? I couldn't locate any.




L6 Presenter

I would like some info on this issue as well. I've tried terminating the VPN on the DMZ interface with a public IP address and it didn't work. The VPN tunnel was established quickly and without any problems, but I couldn't get any traffic through it. What was even more confusing, I couldn't find any log entries about encrypted traffic at all! I have a default drop rule at the end which logs everything, yet I still didn't get any log entries. I used the packet capturing feature and I could see packets logged in the received stage, but not at the firewall or transmitted stage.

When I gave up debugging the mentioned situation, I terminated the VPN tunnel on the WAN interface (with the same settings) and everything worked immediately.

Any official info about this?

Shouldn't it work if you set up a loopback interface out of your PI range (or whatever you use for BGP announcement) and configure your VPN to use this loopback interface?

In my current situation I don't have PI and BGP. But it is something the customer is looking into for the near future, so any input on this would be welcome too.

I just wanted to terminate the VPN in the public DMZ but failed to get any actual traffic through the VPN despite the VPN going up without any problems.

This should work before you get BGP as well; just use an IP out of your public range as the loopback.

Then, when you configure the tunnel, you set it to zone DMZ. This way you won't need any security rules for traffic going to the DMZ servers (because the tunnel and the servers will be in the same zone).
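As an added illustration of the loopback approach suggested above (not configuration posted by anyone in this thread), this is a PAN-OS set-format sketch: a loopback carrying a public /32 in the untrust zone as the IKE/ESP endpoint, and the tunnel interface placed in the DMZ zone. All addresses, object names and the branch prefix are made up, and the command syntax is from memory of PAN-OS set commands, so verify it against your own release before committing.

```text
# Lines starting with '#' are explanatory notes, not CLI input.
# Addresses are RFC 5737 documentation ranges standing in for real public IPs.

# 1. Loopback that owns the VPN endpoint address. It is placed in the same
#    zone as the ISP-facing interfaces so the intrazone default-allow covers
#    IKE/ESP arriving from the branches; if you put it in a separate zone you
#    need an explicit rule allowing applications ike and ipsec-esp to this /32.
set network interface loopback units loopback.1 ip 203.0.113.10/32
set network virtual-router default interface loopback.1
set zone untrust network layer3 loopback.1

# 2. Tunnel interface in the DMZ zone. Because tunnel.1 and the DMZ servers
#    share a zone, their traffic matches the intrazone default-allow rule,
#    which is the point made in the post above.
set network interface tunnel units tunnel.1
set network virtual-router default interface tunnel.1
set zone DMZ network layer3 tunnel.1

# 3. IKE gateway bound to the loopback rather than to a physical WAN port.
#    Whichever ISP is up, the branch reaches 203.0.113.10 through the
#    BGP-announced prefix and replies leave via the active path.
set network ike gateway GW-Branch1 protocol version ikev2
set network ike gateway GW-Branch1 protocol ikev2 ike-crypto-profile default
set network ike gateway GW-Branch1 local-address interface loopback.1
set network ike gateway GW-Branch1 peer-address ip 198.51.100.20
set network ike gateway GW-Branch1 authentication pre-shared-key key <PLACEHOLDER-PSK>

# 4. IPsec tunnel object tying the gateway to tunnel.1, plus a static route
#    for the branch LAN; without a route into tunnel.1 the tunnel can come up
#    and still carry no traffic.
set network tunnel ipsec VPN-Branch1 tunnel-interface tunnel.1
set network tunnel ipsec VPN-Branch1 auto-key ike-gateway GW-Branch1
set network tunnel ipsec VPN-Branch1 auto-key ipsec-crypto-profile default
set network virtual-router default routing-table ip static-route To-Branch1 destination 10.10.1.0/24 interface tunnel.1

# 5. On the branch side the remote peer address is the loopback, 203.0.113.10,
#    not an address on either physical WAN link.
```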
