VPN between 3 sites

L1 Bithead

VPN Site to Site

I have communication between site A and site B, and between site A and site C, but I do not have communication between B and C through A.
Site A (headquarters)
Site B (Windows Azure)
Site C (Bank)
The required communication is for site B to contact site C through A.

Can you help me please?

Accepted Solutions

I have a VPN between site "B" and site "A" and it is working properly.
I have a VPN between site "C" and site "A" and it is working properly.

The problem was that when you sent a ping from site "B" to site "C" through site A, it did not respond.

Your comments helped me solve the problem.
I share the details of the solution.
Thank you

Site B
Firewall Juniper SSG5
LAN: 192.168.51.0/24


Site C
Firewall: PA200
LAN: 192.168.20.0/20

site A
Firewall: PA 3020
172.16.16.0/20

Routing B
set route 172.16.16.0/20 interface tunnel.1
set route 192.168.20.0/24 interface tunnel.1

Policies B
set policy id 3 from "Trust" to "Untrust" "192.168.51.0/24" "172.16.16.0/20" "ANY" permit
set policy id 3
set dst-address "192.168.20.0/24"
exit

set policy id 4 from "Untrust" to "Trust" "172.16.16.0/20" "192.168.51.0/24" "ANY" permit
set policy id 4
set src-address "192.168.20.0/24"
exit

Routing C

destination nexthop metric flags age interface next-AS
172.16.16.0/20 0.0.0.0 10 A S tunnel.1
192.168.51.0/24 0.0.0.0 10 A S tunnel.1

Policies C

Site A and B TO site C {
from Untrust;
source [ 172.16.16.0/20 192.168.51.0/24 ];
source-region none;
to Trust;
destination 192.168.20.0/24;
destination-region none;
user any;
category any;
application/service any/any/any/any;
action allow;
icmp-unreachable: no
terminal yes;
}

Routing A

destination nexthop metric flags age interface next-AS
192.168.51.0/24 0.0.0.0 10 A S tunnel.6
192.168.20.0/24 0.0.0.0 10 A S tunnel.7

Policies A

Site B-Site C {
from untrust;
source 192.168.51.0/24;
source-region none;
to untrust;
destination 192.168.20.0/24;
destination-region none;
user any;
category any;
application/service any/any/any/any;
action allow;
icmp-unreachable: no
terminal yes;
}


Site B-Site A {
from untrust;
source 192.168.51.0/24;
source-region none;
to trust;
destination 172.16.16.0/20;
destination-region none;
user any;
category any;
application/service any/any/any/any;
action allow;
icmp-unreachable: no
terminal yes;
}

Site C- Site A {
from untrust;
source 192.168.20.0/24;
source-region none;
to trust;
destination 172.16.16.0/20;
destination-region none;
user any;
category any;
application/service any/any/any/any;
action allow;
icmp-unreachable: no
terminal yes;
}


4 Replies

Cyber Elite

Hi Javier

 

Could you elaborate on what exactly you need assistance with?

Did you try setting up a specific configuration which didn't work, or are you wondering if it is conceptually possible?

 

You can use site A as a hub by making sure each remote site has routes for the other remote site's subnet pointing at the tunnel interface, and possibly matching proxy IDs so each site knows it needs to put traffic destined for the other site into the HQ tunnel; then simply set security policies on the HQ site to allow the traffic.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

I'm sorry, I accepted the solution by mistake.

 

Give me 30 minutes to send more details.

 

Thank you

Is your issue solved? If not:

 

From what you list here, it looks like the VPN from B will not allow traffic with an IP address of C to enter the tunnel, and the same seems to be the case in reverse. Your tunnels only seem to capture traffic for the A subnet to these sites.

 

There would be two basic options:

 

1-Add the missing subnet to both tunnels (proxy-ID pairs) so that traffic will be accepted by the tunnels and forwarded through both. This requires changes to all three VPN setups.

 

2-NAT the traffic between B and C. On the side where the session is initiated, NAT the destination to an available address at site A. On site A, NAT this address back to the original for the site and forward it on to the existing tunnel.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
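The hub-and-spoke checks that Tom and Steve describe above, as an added Python model that is not code from the thread or from either vendor: it takes the three LANs from the thread, constructs hypothetical proxy-ID pairs and the hub's untrust-to-untrust rule, and reports the first hop at which a spoke-to-spoke packet would be dropped (site_of, spoke_proxy_ids, check_path and HUB_RULES are names assumed here).

```python
from ipaddress import ip_address, ip_network
# Site LANs taken from the thread: A is the hub (PA-3020), B (SSG5) and
# C (PA-200) are spokes that each have a tunnel to A only.
SITES = {
    "A": ip_network("172.16.16.0/20"),
    "B": ip_network("192.168.51.0/24"),
    "C": ip_network("192.168.20.0/24"),
}

def site_of(ip):
    """Return the site whose LAN contains ip, or None."""
    return next((s for s, net in SITES.items() if ip in net), None)

def spoke_proxy_ids(cross_spoke):
    """Proxy-ID pairs (local, remote) on each spoke's tunnel to A (constructed).
    cross_spoke=False is the initial state in the thread: each tunnel only
    carries its own LAN <-> A, so B->C traffic is never put into it."""
    ids = {"B": [(SITES["B"], SITES["A"])], "C": [(SITES["C"], SITES["A"])]}
    if cross_spoke:  # the fix: add the other spoke's subnet to both tunnels
        ids["B"].append((SITES["B"], SITES["C"]))
        ids["C"].append((SITES["C"], SITES["B"]))
    return ids

def zone_on_hub(site):
    """On the hub only its own LAN is trust; both tunnels land in untrust."""
    return "trust" if site == "A" else "untrust"

def check_path(src, dst, proxy_ids, hub_rules):
    """Walk one packet src->dst through source spoke, hub policy and far
    spoke. hub_rules: (from_zone, to_zone, src_net, dst_net) allow rules.
    Returns (ok, reason) naming the first hop that drops the packet."""
    src, dst = ip_address(src), ip_address(dst)
    s, d = site_of(src), site_of(dst)
    if s is None or d is None or "A" in (s, d):
        return False, "only spoke-to-spoke traffic via A is modelled"
    # 1. source spoke: the tunnel only accepts traffic a proxy-ID pair covers
    if not any(src in loc and dst in rem for loc, rem in proxy_ids[s]):
        return False, f"spoke {s}: no proxy-ID covers {src} -> {dst}"
    # 2. hub: untrust->untrust needs an explicit security rule; the stateful
    #    return flow rides the same session, so only the initiator needs one
    fz, tz = zone_on_hub(s), zone_on_hub(d)
    if not any(f == fz and t == tz and src in sn and dst in dn
               for f, t, sn, dn in hub_rules):
        return False, f"hub A: no {fz}->{tz} rule for {src} -> {dst}"
    # 3. far spoke: its tunnel must carry the source LAN as a remote proxy-ID
    if not any(dst in loc and src in rem for loc, rem in proxy_ids[d]):
        return False, f"spoke {d}: no proxy-ID covers {src} -> {dst}"
    return True, "reachable"

HUB_RULES = [("untrust", "untrust", SITES["B"], SITES["C"])]  # "Site B-Site C"
```

With only the "Site B-Site C" rule on the hub, sessions started from C towards B are still dropped at A, which is the behaviour the accepted solution's policy set implies.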