For details on cookie usage on our site, read our Privacy Policy
Trouble with multiple IPsec VPN Tunnel
- LIVEcommunity
- Discussions
- General Topics
- Trouble with multiple IPsec VPN Tunnel
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
Trouble with multiple IPsec VPN Tunnel
- Mark as New
- Subscribe to RSS Feed
- Permalink
10-30-2020 12:33 AM
Hi all,
I'm a fresh man to paloalto devices and I'm facing a problem.
Site A has a subnet 192.168.100.0/24. Site B has 192.168.40.0/21. Both sites use PA820.
Site A has a IPsec tunnel to Site B. This tunnel is running good.
Now we have a new Site C, 192.168.52.0/24, using a non-paloalto firewall. I can set up a tunnel between B and C , C can access B now.
The topology looks like below.
Site A =========site B ========= site C
For some reasons, I cannot set up a tunnel between A and C. But our business requires C to access A.
My question is, is there any solution that can use PA820 at site B to allow access from C to A?
- Mark as New
- Subscribe to RSS Feed
- Permalink
11-02-2020 11:59 PM
Hey @mercurr ,
The proper way would be to make the change all devices. Reason for that is simple - IPsec needs to know which networks are "allowed" to pass through the vpn tunnel. It doesn't have anything to do with Palo Alto, it just how the protocol works. So there is no way to send traffic in the tunnel if it is not defined. In addition how do you expect siteA to know where to route the traffic for siteC, if you don't do any change there?
The only way to workaround for this would to use NAT, but this will only work if you don't really use the full /24 network at siteB. If on siteB you are using /24 (which is already in the remote proxy ID for siteA), but in reallity you have some free IP addresses, you can NAT those 30 addresses to 30 address at siteC. Let say:
- you have 192.168.20.0/24 at siteB, the IP range 192.168.20.200-250 is actually free (no host are using any of these IPs)
- you have 192.168.30.0/24 at siteC
- on siteB you can configure NAT - when source is siteA network to range 192.168.20.200-250, translate destination ip to 192.168.30.200-250.
- If you don't NAT the source ip, you still need to add siteA network to the vpn tunnel between siteB and siteC.
The above example is using IP range, but you can use single IP NAT rules.
The main problem with this workaround is that it doesn't scale well if you need lots of host to communicate between sites A and C. It can easily become quite a mess, you I would strongly recommend to reconsider making changes on siteA. I guess you want to avoid contacting the team/person responsible for configuring this device, but I would prefer to have such conversation and keeping my environment nice and tidy.
- Mark as New
- Subscribe to RSS Feed
- Permalink
11-03-2020 12:37 AM
As you don't want to make changes at Site A, you can use NAT to access Site A from C.
You need to create both source and destination NAT rules translating IPs in Subnets A and C to Subnet B at Site B.
Example:
Site A - 192.168.100.0/24
Site B - 192.168.40.0/21
Site C - 192.168.52.0/24
As the traffic is initiated from C.
Site C Site B
Source:192.168.52.1 (Subnet C) Source:192.168.41.1 (Subnet B)
Destination:192.168.40.1 (Subnet B) Destination:192.168.100.1 (Subnet A)
It does not need any changes in the tunnel configuration. If you don't have enough free IPs at site B, use Dynamic IP and Port translation.
- PA-220 Slow Response time connecting over ipsec tunnel to AWS. in General Topics
- Can you configure multiple prisma access tunnel end points? in Prisma Access Discussions
- Multiple IPSec tunnels on one public IP on AWS in VM-Series in the Public Cloud
- Global protect VPN disconnecting multiple times in GlobalProtect Discussions
- Global Protect Satellite over 2 ISP's in Next-Generation Firewall Discussions
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
