12-02-2020 04:52 PM
Hello,
I am looking at setting up a remote access VPN on a PA220. The idea, however, is that the user would have concurrent access to a server at the PA220's site as well as servers at another site that the PA220 has an IPSEC VPN with.
Here is a diagram:
In case this isn't clear.... the WAN interface of the PA220 would service both the remote access vpn and the ipsec site-to-site vpn.
I am assuming that the vpn client's ip address would have to be in the scope of the VPN configuration, and some NAT exceptions in place.
Questions...
1). Is this possible?
2). What is this called? (hopefully I can use that to find a configuration guide).
3). Does this require a specific license?
Any other tips / issues / caveats to be aware of?
Thanks!
12-03-2020 09:07 AM - edited 12-03-2020 09:09 AM
Hi @nwnetadmin ,
Below are my answers to your questions -
1). Is this possible? –
Yes, it is possible.
2). What is this called? (hopefully I can use that to find a configuration guide). –
This is a normal configuration, I can say, and I do not have a specific name for such a topology.
For this,
a. You need to route & allow both the servers (server at PA220’s site and server available on IPSEC) through the remote VPN.
b. You need to make sure the Remote VPN client pool is routable through the IPSEC VPN to get access to the other end server from the remote VPN.
c. If it is not possible to allow the remote VPN client pool via IPSEC, then you need to do source NAT on the PA220 firewall and NAT all the traffic coming from the Remote VPN Pool with one of the IPs from the IPSEC encryption domain, then send it to the tunnel. (I guess you have already mentioned points b & c in your post.)
d. You need to have appropriate security policies and NAT (as given above) to establish the connectivity.
3). Does this require a specific license? –
Such a topology does not require any special license.
Hope it helps!
Mayur
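Points b and c above come down to one check: is the remote access client pool inside the local side of the IPSEC tunnel's encryption domain (the proxy-IDs on PAN-OS), or does it have to be source-NATed to an address that is? The following script is an added example, not code from this thread or from Palo Alto Networks; all subnets and the server address in it are constructed sample values, and it uses only the standard library `ipaddress` module to decide which of the two approaches applies.

```python
import ipaddress
from typing import Dict, Iterable, List


def _nets(cidrs: Iterable[str]) -> List[ipaddress._BaseNetwork]:
    """Parse a list of CIDR strings into network objects."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def check_encryption_domain(client_pool: str,
                            local_proxy_ids: Iterable[str],
                            remote_proxy_ids: Iterable[str],
                            remote_server: str) -> Dict[str, object]:
    """Decide how remote access VPN clients can reach a server behind the site-to-site tunnel.

    client_pool      - address pool handed to remote access VPN clients
    local_proxy_ids  - local subnets in the IPSEC encryption domain (PA220 side)
    remote_proxy_ids - remote subnets in the IPSEC encryption domain (other site)
    remote_server    - the server at the other site the clients must reach
    """
    pool = ipaddress.ip_network(client_pool, strict=False)
    server = ipaddress.ip_address(remote_server)
    local = _nets(local_proxy_ids)
    remote = _nets(remote_proxy_ids)

    # The server must be covered by the remote proxy-ID, otherwise the tunnel
    # will never carry traffic to it regardless of what we do with the pool.
    server_covered = any(server in n for n in remote)

    # Option b: the whole client pool sits inside a local proxy-ID, so the
    # clients' real addresses can be sent into the tunnel as-is.
    pool_covered = any(pool.version == n.version and pool.subnet_of(n) for n in local)

    # Option c: the pool is not part of the encryption domain, so traffic from
    # it must be source-NATed to an address inside one of the local proxy-IDs.
    nat_required = server_covered and not pool_covered

    return {
        "server_in_remote_proxy_id": server_covered,
        "pool_in_local_proxy_id": pool_covered,
        "source_nat_required": nat_required,
        # Subnets from which the NAT address would have to be chosen.
        "nat_source_candidates": [str(n) for n in local] if nat_required else [],
        "action": (
            "extend the remote proxy-ID to cover the server" if not server_covered
            else "route the pool into the tunnel; no source NAT needed" if pool_covered
            else "source NAT the pool to an IP inside a local proxy-ID before the tunnel"
        ),
    }


if __name__ == "__main__":
    # Constructed sample values (not from the thread): a /24 client pool that is
    # outside the encryption domain, and a server inside the remote proxy-ID.
    verdict = check_encryption_domain(
        client_pool="10.99.0.0/24",
        local_proxy_ids=["192.168.10.0/24"],
        remote_proxy_ids=["172.16.0.0/16"],
        remote_server="172.16.5.20",
    )
    for key, value in verdict.items():
        print(f"{key}: {value}")
```

Run against a pool that the peer has agreed to include in the proxy-IDs, the result flips to "no source NAT needed"; run against a server outside the remote proxy-ID, it tells you the tunnel itself has to change first, which is the case no NAT rule on the PA220 can fix.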
12-09-2020 08:26 PM
Hard to provide suggestions without knowing your environment.
What's your current infrastructure like?
-Make/model of current firewall?
-Are you currently running a windows active directory?
-What is your ISP? Is it fiber/cable, what speed do you currently have, and is it dedicated or best effort?
Have you taken a look at your current bandwidth utilization? Are you spiking or near capacity?
How many users do you expect to need this VPN access?
What applications are your remote users going to be using over this vpn?
What kind of bandwidth are you expecting per vpn user to be using?
What's the budget for this project?
12-10-2020 07:08 AM
Octavia,
Thanks for the reply and your interest in the post.
I wasn't really looking for a detailed analysis, just confirmation that the concept is viable. I will work through the details.