VPN - PA to PA - need internet traffic to go through additional device one hop inside PA

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

VPN - PA to PA - need internet traffic to go through additional device one hop inside PA

L1 Bithead

Remote site has a PA-200

HQ has a PA-2020.

I have the VPN setup between the two so that they are connected to each other.

   I need the internet traffic from the remote site to pass through our content filter that is connected to the PA-2020 at the HQ.

            the content filter is not seen by any devices, it is transparent to all devices

Traffic flow from a laptop at the remote site to the internet would look like this:

Laptop --> PA-200 -----VPN---->  PA-2020 (HQ) ----> content filter (transparent) ---->  HQ core switch   ------>   content filter (transparent)  ---->   PA-2020 (HQ) ----> internet

Does that make sense?

                                                                                                                    

Thanks for any assistance.

Matt

6 REPLIES 6

L7 Applicator

Hello Matt,

It looks good to me. Since, traffic traversing through PAN firewall twice, we may need to perform a source NAT for this traffic at HQ core switch. A source NAT with ensuring the symmetric return of the traffic through the HQ core switch.

Network-diagram.jpg

As per my understanding, your traffic is flowing like above mentioned diagram. The green line is for return traffic from internet. So, only a source NAT in your HQ core switch can ensure the return traffic to go back to HQ core through content filter. Otherwise, if you perform NAT on PAN firewall, return traffic will not travese through HQ core and content filter, since PAN firewall will identify the direct route to reach remote user's subnet through VPN tunnel.

Hope this helps.

Thanks

Thanks.

The internet traffic is not hitting the core switch, only the internal traffic.   

     Do I need to adjust my route table on the remove VPN to direct traffic to the core switch ip instead of the PA-2020?

         I am going to try this to see what it does...but I don't think it will work.

What if I had another device on the other side of the core switch?

     a vpn concentrator, or even another PA box.

Would it be possible to simply NAT (bi-directional)  the VPN traffic from public ip on PA-2020 to internal ip of other device?

      remote site PA-200 public ip ---->   PA-2020 public IP ---->   (NAT) -----> PA-200 internal ip 

             then, internet traffic would go out via the core, pass through the content filter, and then back in...

Thanks again.

matt

or...

   how do I setup the PA200 split traffic...

       internal, 10.x.x.x via the VPN

       internet, 0.0.0.0 except 10.x, via the internet connection?

tried two routes, but they didn't split the traffic, everything still going over the vpn...unless I didn't get the right combination of interface/route/next hop/etc.

You need to configure a specific route through VPN tunnel ( based on destination) and a default route for all internet traffic. The PAN firewall will search for a longer match first ( through the tinnel).

Thanks

I was able to get this to work, the traffic split between VPN and local internet access...realized I was using the wrong next hop address for my internet traffic

Thank for the update. Smiley Happy

  • 3432 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!