VPN port and default port the same?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

VPN port and default port the same?

L2 Linker

Hallo all,

i have only one phyical ethernet interface on firewall which is facing the internet. I also want to make this PA firewall as an IPSEC Tunnel endpoint. So all my internal traffic uses this ethernet interface to go to internet. And VPN traffic should terminate on the same interface.

Is this possible? If yes, how can I implement it? Any documentation or procedures?

Thanks a lot!

1 accepted solution

Accepted Solutions

Hello Amit,

For the most part this is typically how most of the users will be using, ie 1 public ip and many services like outbound NAT, IPSec, GlobalProtect, Remote access etc. So this will work.

For outbound traffic, you will need the following:

-outbound NAT, translate source to the public IP

-appropriate static routes to default gateway as discussed earlier.

-security rules

For IPSec, you may follow this document:

How to Configure IPSEC VPN

Regards,

Dileep

View solution in original post

7 REPLIES 7

L7 Applicator

Hello Amit,

I hope you are using this PAN firewall only to scan traffic. If so, you can implement above mentioned setup. You have to configure different route for both physical interface and through the VPN tunnel.

For example:

>>>>> For all internet traffic through physical interface : Destination 0.0.0.0 - next hop ISP ipaddress ( next hop)

>>>>> For VPN traffic : Destination : source subnet behind IPSec tunnel , interface- tunnel.xx, next hop- None

Hope this helps and let us know the result.

Thanks

L2 Linker

Hi Hulk

Ok I will try it out and let you know.

Also, in the VR, I should always mention either the Interface or the Next Hop, but not both, right?

L6 Presenter

Yes, you can use single ethernet interface towards internet for all functionality: user access to web, IPSEC VPN termination, GlobalProtect portal and gateway, external management of firewall (in that case mgmt port changes to 4443)..

L6 Presenter

Hi Amit,

You can achieve this through static route. You need to create two sort of static route.

1. Default route pointing towards ISP ethernet interface.

2. Set of static routes Pointing towards tunnel interace. But for that make sure those routes exist in Proxy IDs of IPsec tunnel.

Let me know if this helps.

Regards,

Hardik Shah

Hello Amit,

In the VR, you may select both "interface" and "next-hop" at the same time in static route configuration. But, in common scenario,if IPSec tunnel is not configured with an IP, hence you may only select "interface" [ Outgoing interface] option.

Thanks

Hi Amit,

For any static route next hop is required just like another vendors.

But for static routes for tunnel, you can skip next hope.  You can select it as none.

Many customers doesnt configure IP on Tunnel, hence they can just point route to tunnel and skip the next hop.

Tunnel.png

However if tunnel has IP address you can configure it, but its optional. Not a mandatory thing.

Regards,

Hardik Shah

Hello Amit,

For the most part this is typically how most of the users will be using, ie 1 public ip and many services like outbound NAT, IPSec, GlobalProtect, Remote access etc. So this will work.

For outbound traffic, you will need the following:

-outbound NAT, translate source to the public IP

-appropriate static routes to default gateway as discussed earlier.

-security rules

For IPSec, you may follow this document:

How to Configure IPSEC VPN

Regards,

Dileep

  • 1 accepted solution
  • 3826 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!