About Pawel_G

Hello,   Simple fix for this is by creating a NAT rule Nat from Spoke1 to Spoke2 - Source Zone - Tunnel Interface Spoke1 Source IP Address - 192.168.100.0/24 Destination Zone  - Tunnel Interface Spoke2 Destination Address - 172.16.200.0/24 Source Translation - Dynamic IP and Port Translated IP - 172.16.200.100   I hope this will help     ... View more

Hey   Primary VR will have all connections This is just example ETH1 - Untrust 32.32.32.108/29   Primary VR ETH2 - Trust     10.10.0.1/24         Primary VR ETH3 - DMZ     10.254.1.1/24       Primary VR ETH4 - DMZ2   10.254.2.1/24       Primary VR ETH5 - Untrust 33.33.33.108/29   Secondary VR   Lets say that you have Global Protect Users using 10.1.1.1-10.1.1.1.254 on Gateway 1 and GP users using 10.1.2.1-10.1.2.254 on Gateway 2. You will need route from Secondary VR to Trust 10.10.0.0/24, 10.254.1.0/24 10.254.2.0/24  and 10.1.1.0/24 Primary VR 1 Default route - 0.0.0.0/0 - 10 to gateway 32.32.32.105 2.Route to GP2 - 10.1.2.0/24 - NEXT VR 3 More Local Routes - to Core SW if you have any   Secondary VR 1 Default Route 0.0.0.0/0 10 33.33.33.108/29 2.Route to Local 10.0.0.0/24 10 Next VR 3, Route to DMZ 10.254.1.0/24 10 Next VR 4. Route to DMZ2 10.254.2.0/24 10 Next VR 5. Route to GP 10.1.1.0/24 Next VR 6. If you have any IPSEC S2S you need to point to Primary VR   If you want to have also another ipsec S2S from secondary ISP as backup you will need to crete second tunnel and you will need to change metric and setup path monitoring if secondary VR Tunnel will go down than you still will be able to reach from Primary VR with metric 15. But if you have only one tunnel and you don't need to create another one all you do from Secondary VR route to primary with metric 10.   I hope this will help   ... View more