VPN for multiple internal subnets?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

VPN for multiple internal subnets?

L2 Linker

Hi

Is it possible to configure the VPN to access different internal subnets?   I mean, our network has a few internal subnets that do not route to each other...  there are users who need to access 192.168.1.x and some who need 192.168.2.x and others 192.168.3.x...

is such a configuration possible?  easy?

also, our PA2020 is currently configured as purely vwire (transparent mode) with a few free network ports...  only ip address on it is for management...

thanks!

- ron

13 REPLIES 13

L4 Transporter

Hi,

You cannot run VPN in VWire mode. You need L3 interface and configure tunnel interface for that.

When you configure VPN, you can leverage virtual router and security policy control how internal users to access those subnets and who will be allowed for the access

Jones

hi Jones

thanks... i gathered as much about requiring L3... but can i retain the vwire config and just activate/plug 1 of the idle network ports and configure that for L3 (multiple ip addresses for the various subnets) and assign that as the termination for the vpn?

for aventail, that's how i configured the ssl vpn...

just thinking out loud and throwing wild ideas out there... hopefully, it's somethng that's possible... 🙂

- ron

Hi,


To answer your question you can have a mix of Vwire and L3 interfaces on the PAN. So you can add a few sub-interface on one of the ports and configure L3 for those sub-interfaces and terminated the VPN on one of the sub-interface. You need to make sure there is reachability from the L3 sub-interface to the remote end VPN peer IP address.

Hope this helps.

Manish

hi Manish

thanks!  just the answer i wanted to hear... 🙂  i assume that the addresses in this L3 interface have to be different/separate from the management ip...

also, i take it that the vpn operates separately from the actual firewall... right?  so, it should have little impact on the actual operations of the firewall...  i mean, i wouldn't want the firewall to suffer because i operate the vpn on it or have to spring for a larger (2050?  or 4xxx?) device to operate both...

again, thanks for the quick response...

- ron

You are correct. The IP address on the L3 inteface needs to be different subnet from the mgmt interface. You should not have an impact on the firewall functionality unless you have a lot of VPN traffic and VPN tunnels. The 2050 will be able to do both Vwire and VPN termination, assuming you are not already at the max limit of the 2050 packet handling.

great!  well, i have the 2020... don't really foresee a lot of vpn traffic... our network is relatively small, under 100 users but 3 internet gateways on the vwire (20mbps & 10mbps dedicated lines and a 1.5mbps ADSL).  sizing of the appliance was done by a PA reseller and they had recommended 500, but we decided to go 2020 instead for potential growth.

would there be any indication/warning signs of overloading of the appliance?  like which cpu should i monitor? management or dataplane?  our management cpu occasionally spikes whenever there are updates...

again, thanks!

- ron

Ron,

I think you will be fine based on the info you provided.

thanks a lot...  now go ahead and try out the config... 🙂

- ron

hi...

something very weird...

my setup: PA2020 with 3 vwires (ports 1&2, 3&4, 5&6) connecting 3 routers (on ports 1, 3, and 5) to the network switch (on ports 2, 4, and 6) and management ip set with 1 internal ip.

i activated 1 of the other spare ports and gave it 2 ip addresses for the vpn.  i can ping both addresses from the LAN but not from any of the routers...  and i can't ping from PA to the routers or any of the additional LAN except the subnet that the management ip is on...

what could i be missing?  route?

thanks!

- ron

Ron,

You have to make sure the Layer 2 path and then Layer 3 reach ability is there between the L3 interface on PAN and the next-hop router. Depending on how many times the packet originating from the PAN L3 interface will traverse the PAN through the L2/Vwire interfaces, you need to ensure there is a policy between the two zones (ingress and egress zone) is present.

Hope this helps.

Thanks

hi

i'm a bit lost here...  i can understand the need to ensure the next hop for traffic but i can't find out where in PANOS to set the rule/policy for L2 traffic

our PA2020 is set in a very very liberal setting with 3 sets of vwires (1, 3, 5 are connected to routers to internet defined as 'unrust'; 2, 4, 6 are connected to internal switch defined as 'trust') and all traffic are allowed both ways with only the threat protection (anti-virus, anti-spyware and vulnerability protection) protecting the traffic...

the next-hop router for the vpn would be on one of the vwires...  i'm guessing that i should define a route from port 12 (where i've defined vpn and connected to the internal switch) to the ingress (untrust)... is this in the virtual router?  but the two L2 zones don't have any ip addresses assigned...

thanks in advance...  i know it's quite a confusing and probably a poor design... just trying to put some convvenient access mechanism into our network...

- ron

Hi Ron,

You need to have at least one L3 interface to anchor the VPN tunnels.  Go ahead and use an available port and plug it in on whatever side of the Vwires that makes the most sense for your design.  The virtual router will be tied to the L3 interface and you should be able to ping from it to the other VPN peer IP.

Cheers,

Kelly

hi Kelly

thanks!

I have defined and activated port 12 as an L3 port with a private ip address in the same subnet as one of our internal networks...  it's plugged into the LAN switch that the "trust" side of the vwire is on...  and this L3 interface (port 12) has been added to the virtual router allong with the tunnel interface...  i can't add any of the vwire or other interfaces into the vrouter though...

i sshed into the PA and tried pinging any of the internal addresses and it doesn't work... but pinging external addresses work (which is connecting through the management ip's network)

probably easier to illustrate my settings:

routerA - 201.126.211.69/26 & 192.168.200.69/24 connected to vwireA on port1 of PA2020

routerB - 201.126.222.69/27 & 192.168.31.1/24 connected to vwireB on port3 of PA20202

routerC - dynamicDSL & 192.168.32.1/24 connected to vwireC on port5 of PA2020

LANSwitch - connected to ports 2,4,6,12 of PA2020

PA2020 port 12 - define L3 with ip 192.168.200.1/24 (and i want to add another internal ip address 192.168.33.247/24 for another internal subnet), assigned to default vr & L3 trust zone

tunnel - no ip address assigned to default vr & L3 trust zone

L3 trust zone - contains only eth12 & tunnel

default vr - contains only eth 12 & tunnel and routes 0.0.0.0/0 to 192.168.200.1

rgds,

- ron

  • 5476 Views
  • 13 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!