Remote Access through IPSEC

L1 Bithead

Hello,

I am looking at setting up a remote access VPN on a PA220. The idea, however, is that the user would have concurrent access to a server at the PA220's site as well as servers at another site that the PA220 has an IPSEC VPN with.

Here is a diagram:

[Diagram attached as an image in the original post]

In case this isn't clear.... the WAN interface of the PA220 would service both the remote access VPN and the IPSEC site-to-site VPN.

I am assuming that the VPN client's IP address would have to be in the scope of the VPN configuration, and some NAT exceptions in place.

Questions...

1) Is this possible?

2) What is this called? (Hopefully I can use that to find a configuration guide.)

3) Does this require a specific license?

Any other tips / issues / caveats to be aware of?

Thanks!

Accepted Solution

Cyber Elite

Hi @nwnetadmin ,

Below are my answers to your questions -

1) Is this possible? –

Yes, it is possible.

2) What is this called? (hopefully I can use that to find a configuration guide). –

This is a normal configuration, I would say, and I do not have a specific name for such a topology.

For this,

a. You need to route & allow both the servers (the server at the PA220's site and the server available over the IPSEC tunnel) through the remote VPN.

b. You need to make sure the remote VPN client pool is routable through the IPSEC VPN to get access to the other end's server from the remote VPN.

c. If it is not possible to allow the remote VPN client pool via IPSEC, then you need to do source NAT on the PA220 firewall and NAT all the traffic coming from the remote VPN pool to one of the IPs from the IPSEC encryption domain, then send it to the tunnel. (I guess you have already mentioned points b & c in your post.)

d. You need to have appropriate security policies and NAT (as given above) to establish the connectivity.

3) Does this require a specific license? –

Such a topology does not require any special license.

Hope it helps!

Mayur
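The following is an added example, not part of Mayur's answer and not Palo Alto Networks code. It models points a, b and c above as a small forwarding decision: does a packet from the remote-access client pool get routed locally, carried through the site-to-site tunnel because the pool is inside the tunnel's proxy IDs (point b), or carried only after source NAT to an address that the tunnel already covers (point c). All subnets, the NAT address and the function names are constructed assumptions for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed sample topology (assumed values, not taken from the original post).
REMOTE_VPN_POOL = ip_network("10.50.0.0/24")      # remote-access client pool handed out by the PA220
LOCAL_SERVER_NET = ip_network("192.168.10.0/24")  # LAN behind the PA220
REMOTE_SITE_NET = ip_network("192.168.20.0/24")   # LAN behind the far end of the site-to-site tunnel

# Site-to-site proxy IDs (the "encryption domain"): (local subnet, remote subnet) pairs
# that the tunnel will carry. Traffic that matches no pair never enters the tunnel.
PROXY_IDS_NARROW = [(LOCAL_SERVER_NET, REMOTE_SITE_NET)]                   # point c: pool not in the domain
PROXY_IDS_WIDE = PROXY_IDS_NARROW + [(REMOTE_VPN_POOL, REMOTE_SITE_NET)]  # point b: pool added to the domain

# An address inside the local encryption domain used for source NAT (point c).
NAT_IP = ip_address("192.168.10.254")


def tunnel_accepts(src, dst, proxy_ids):
    """True if some proxy-ID pair covers this source/destination combination."""
    return any(src in local and dst in remote for local, remote in proxy_ids)


def plan_flow(src, dst, proxy_ids, nat_ip=None):
    """Model the PA220's decision for one packet from a remote-access client.

    Returns a dict with the forwarding path and the source address that the
    far end will see, so the effect of points b and c can be compared.
    """
    src, dst = ip_address(src), ip_address(dst)
    if src not in REMOTE_VPN_POOL:
        return {"path": "dropped", "reason": "source is not a remote VPN client"}
    if dst in LOCAL_SERVER_NET:
        # Point a: plain routing to the local server, no tunnel involved.
        return {"path": "local", "src_seen": str(src), "nat": False}
    if dst in REMOTE_SITE_NET:
        if tunnel_accepts(src, dst, proxy_ids):
            # Point b: the pool is part of the encryption domain, so the real client
            # address travels through the tunnel and the far end must route it back.
            return {"path": "ipsec", "src_seen": str(src), "nat": False}
        if nat_ip is not None and tunnel_accepts(nat_ip, dst, proxy_ids):
            # Point c: hide the pool behind an address the tunnel already carries.
            return {"path": "ipsec", "src_seen": str(nat_ip), "nat": True}
        return {"path": "dropped", "reason": "no proxy-ID matches the client pool"}
    return {"path": "dropped", "reason": "destination is outside both sites"}


def far_end_needs_route_for_pool(proxy_ids):
    """Point b caveat: if the client pool itself crosses the tunnel, the far-end
    site must have a return route for that pool pointing back at the PA220."""
    return any(local == REMOTE_VPN_POOL for local, _ in proxy_ids)


if __name__ == "__main__":
    client, remote_server = "10.50.0.7", "192.168.20.5"
    print("narrow proxy ID, no NAT :", plan_flow(client, remote_server, PROXY_IDS_NARROW))
    print("narrow proxy ID, NAT    :", plan_flow(client, remote_server, PROXY_IDS_NARROW, NAT_IP))
    print("wide proxy ID           :", plan_flow(client, remote_server, PROXY_IDS_WIDE))
    print("far end needs pool route:", far_end_needs_route_for_pool(PROXY_IDS_WIDE))
```

The two choices differ in what the far-end site has to know: with the pool inside the proxy IDs (point b) the remote site sees client addresses and needs a matching route and security policy for the pool, whereas with source NAT (point c) it only ever sees an address it already trusts, at the cost of losing per-client visibility in its logs.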

4 Replies


L0 Member

Hard to provide suggestions without knowing your environment.

What's your current infrastructure like?

- Make/model of current firewall?

- Are you currently running a Windows Active Directory?

- What is your ISP? Is it fiber/cable, what speed do you currently have, and is it dedicated or best effort?

Have you taken a look at your current bandwidth utilization? Are you spiking or near capacity?

How many users do you expect will need this VPN access?

What applications are your remote users going to be using over this VPN?

What kind of bandwidth are you expecting each VPN user to use?

What's the budget for this project?

Octavia,

Thanks for the reply and your interest in the post.

 

I wasn't really looking for a detailed analysis, just confirmation that the concept is viable. I will work through the details.
