VPN tunnel to a firewall NOT internet facing



L2 Linker




I have a scenario with two sites, each of which has two sets (HA) of firewalls, external and internal. The external one handles everything internet-facing, and the datacenter resides behind the internal one. Clients are in between.


We have MPLS between the sites which terminate in the internal firewall.


Now we want to set up a site-to-site VPN as a backup for MPLS failure. Since there is a lot of routing in place, we would like the tunnels to terminate on the internal firewalls.


How would you set this up? :)


NAT, PBF, etc...




L3 Networker

You would normally have a dynamic routing protocol set up to allow traffic from one site to another via your MPLS network. Then you can easily use your default route to send traffic to the Internet firewall for your backup VPN tunnel.


This is an example of how a network would likely be set up to serve the function you describe. When the MPLS goes down, you lose the dynamic routes and the VPN kicks in.


(attached diagram: Supertures Super Network.png)

L2 Linker

Haha looks great!


But... suppose we have a lot of static routing and really want to terminate the tunnel on the internal firewalls?

L3 Networker

Your routing becomes problematic in the design you are attempting with little benefit.  In both scenarios you have your data passing over the Internet inside of an IPSec tunnel.  In either method you will need to implement a dynamic routing protocol to have an automated method for path selection.  


Also keep in mind that when you have the VPN tunnel on the internal FW, you will need to set up dynamic routing from your core LAN switch to the FW. Otherwise the firewall will always pass traffic between servers over the VPN tunnel and it won't use the MPLS.


(attached diagram: Supertures Super Network 2.png)

In this example we summarize each site with /16 subnet routes. These are static routes on the LAN-SW and the Servers-FW. This will allow traffic to cross the VPN if we lose the dynamic MPLS routing.


The LAN-SWs at each site will learn a more specific /24 route for the remote office networks, and this will be the more preferred path. Traffic will normally use the MPLS network from site to site.


When your MPLS dynamic routing stops (due to circuit or router failure), these specific routes disappear and the next best path is the /16 static routes.


Also remember that all of your FW rules will need to be built with the new VPN tunnel zone as a source or destination on the Server-FW's at each location.

L2 Linker



I'm thinking that if I terminate the tunnel in the same zone as the MPLS on the internal FW and use static route monitoring, it might work? I realize we could do this much more efficiently, but that will have to wait for the switch refresh, I think.


How do I get the tunnel to the internal FW? NAT all the way, or PBF maybe?

Cyber Elite


If you have a lot of static routing, then PBF would be your best bet. That way you set your PBF policy to route your primary way with a monitor and the option to 'Disable' the policy if the monitor goes down. Then your static routes would be set up to use the backup path. This works great because the PBF policies are used prior to the routes in the virtual router.




Hope that helps.
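The two failover mechanisms described in the replies above, modelled as an added example (not code from the thread or from Palo Alto Networks): longest-prefix-match routing, where a /24 learned over MPLS wins over a /16 static summary pointing at the VPN tunnel until the /24 is withdrawn, and a PBF rule that is consulted before the virtual router and skipped when its path monitor is down. All addresses, interface names and next hops are constructed.

```python
import ipaddress

# Constructed topology: a /16 static summary for the remote site via the VPN
# tunnel, a more specific /24 learned over MPLS, and a PBF rule that steers the
# whole /16 to the MPLS router while its monitored target is reachable.
STATIC_ROUTES = [("10.2.0.0/16", "tunnel.1")]     # backup path over the VPN
MPLS_ROUTES = [("10.2.10.0/24", "mpls-router")]   # dynamic routes learned over MPLS
PBF_RULES = [{"dst": "10.2.0.0/16", "egress": "mpls-router", "monitor": "mpls-router"}]


def longest_prefix_match(routes, dst):
    """Return (prefix, next_hop) of the most specific route covering dst, or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return None if best is None else (str(best[0]), best[1])


def select_path(dst, routes, pbf_rules=(), monitor_up=None):
    """PBF rules are evaluated before the routing table; a rule whose monitored
    target is down is skipped (disable-if-unreachable) and the lookup falls
    through to longest-prefix-match on the virtual router's routes."""
    monitor_up = monitor_up or {}
    dst_ip = ipaddress.ip_address(dst)
    for rule in pbf_rules:
        if dst_ip in ipaddress.ip_network(rule["dst"]) and monitor_up.get(rule["monitor"]):
            return ("pbf", rule["egress"])
    match = longest_prefix_match(routes, dst)
    return None if match is None else ("route", match[1])


def dynamic_routing_failover(mpls_up):
    """First design: routes only; the MPLS /24s vanish when the MPLS routing stops."""
    routes = STATIC_ROUTES + (MPLS_ROUTES if mpls_up else [])
    return select_path("10.2.10.25", routes)


def pbf_failover(mpls_up):
    """Second design: PBF with a monitor, static routes as the backup path."""
    return select_path("10.2.10.25", STATIC_ROUTES, PBF_RULES, {"mpls-router": mpls_up})


if __name__ == "__main__":
    for up in (True, False):
        print("MPLS up" if up else "MPLS down", dynamic_routing_failover(up), pbf_failover(up))
```

In both designs the same destination flips from the MPLS router to tunnel.1 when the MPLS path fails, which is why the replies stress that the backup path needs either dynamic routing or a monitored PBF rule rather than static routes alone.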


