VPN for multiple internal subnets?

Showing results for 
Search instead for 
Did you mean: 

VPN for multiple internal subnets?

L1 Bithead


Is it possible to configure the VPN to access different internal subnets?   I mean, our network has a few internal subnets that do not route to each other...  there are users who need to access 192.168.1.x and some who need 192.168.2.x and others 192.168.3.x...

is such a configuration possible?  easy?

also, our PA2020 is currently configured as purely vwire (transparent mode) with a few free network ports...  only ip address on it is for management...


- ron


L4 Transporter


You cannot run VPN in VWire mode. You need L3 interface and configure tunnel interface for that.

When you configure VPN, you can leverage virtual router and security policy control how internal users to access those subnets and who will be allowed for the access


hi Jones

thanks... i gathered as much about requiring L3... but can i retain the vwire config and just activate/plug 1 of the idle network ports and configure that for L3 (multiple ip addresses for the various subnets) and assign that as the termination for the vpn?

for aventail, that's how i configured the ssl vpn...

just thinking out loud and throwing wild ideas out there... hopefully, it's somethng that's possible... 🙂

- ron


To answer your question you can have a mix of Vwire and L3 interfaces on the PAN. So you can add a few sub-interface on one of the ports and configure L3 for those sub-interfaces and terminated the VPN on one of the sub-interface. You need to make sure there is reachability from the L3 sub-interface to the remote end VPN peer IP address.

Hope this helps.


hi Manish

thanks!  just the answer i wanted to hear... 🙂  i assume that the addresses in this L3 interface have to be different/separate from the management ip...

also, i take it that the vpn operates separately from the actual firewall... right?  so, it should have little impact on the actual operations of the firewall...  i mean, i wouldn't want the firewall to suffer because i operate the vpn on it or have to spring for a larger (2050?  or 4xxx?) device to operate both...

again, thanks for the quick response...

- ron

You are correct. The IP address on the L3 inteface needs to be different subnet from the mgmt interface. You should not have an impact on the firewall functionality unless you have a lot of VPN traffic and VPN tunnels. The 2050 will be able to do both Vwire and VPN termination, assuming you are not already at the max limit of the 2050 packet handling.

great!  well, i have the 2020... don't really foresee a lot of vpn traffic... our network is relatively small, under 100 users but 3 internet gateways on the vwire (20mbps & 10mbps dedicated lines and a 1.5mbps ADSL).  sizing of the appliance was done by a PA reseller and they had recommended 500, but we decided to go 2020 instead for potential growth.

would there be any indication/warning signs of overloading of the appliance?  like which cpu should i monitor? management or dataplane?  our management cpu occasionally spikes whenever there are updates...

again, thanks!

- ron


I think you will be fine based on the info you provided.

thanks a lot...  now go ahead and try out the config... 🙂

- ron


something very weird...

my setup: PA2020 with 3 vwires (ports 1&2, 3&4, 5&6) connecting 3 routers (on ports 1, 3, and 5) to the network switch (on ports 2, 4, and 6) and management ip set with 1 internal ip.

i activated 1 of the other spare ports and gave it 2 ip addresses for the vpn.  i can ping both addresses from the LAN but not from any of the routers...  and i can't ping from PA to the routers or any of the additional LAN except the subnet that the management ip is on...

what could i be missing?  route?


- ron

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!