This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About highmiles
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About highmiles
03-24-2023
6Posts
1Like
0Solutions
Mar 24, 2023Last Visited
User
Activity
User
Profile
Latest posts by highmiles
| Subject | Views | Posted |
|---|---|---|
| 733 | 03-24-2023 10:51 AM | |
| 743 | 03-24-2023 10:40 AM | |
| 763 | 03-24-2023 10:19 AM | |
| 774 | 03-24-2023 10:11 AM | |
| 823 | 03-24-2023 10:05 AM | |
| 1147 | 03-23-2023 03:01 PM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 Like | 03-24-2023 10:51 AM |
User Badges
Community Statistics
| Member Since | 03-14-2023 11:13 AM |
| Date Last Visited | 03-24-2023 04:49 PM |
| Posts | 6 |
| Total Likes Received | 1 |
03-24-2023
10:51 AM
1 Kudo
ok, i see, got it, this is assuming i am moving my /24 block. But i am not moving it 🙂 .
I will simply create new Zone and assign to new interfaces for the new /30.
I appreciate your input, let me go back to the consultant and challenge his theory, not sure if i will succeed, he is the expert.
Thanks again.
... View more
03-24-2023
10:40 AM
Why would i change my IKE gateway's local interface? That is what i am trying to prevent in the first place.
I need to keep using the current VPN peer IP. (currently set to 204.x.x.10/24 and directly facing internet)
I will Introduce a new /30 block (or /29) between me and ISP and start distributing/propagating my /24 to ISP.
My /24 will now be behind this new /29 and peering to my 204.x.x.10/24 will be one hop away from internet.
Thanks
... View more
03-24-2023
10:19 AM
Hi Radio_Rattameister
I am not worried about the architecture of this as much as I am worried about the VPNs.
So the new /29 block will be used between me and the ISP, my current /24 block willl still be on the same PA but one hop behind.
All of this is being done to enable fail-over the /24 block to my other data center in case of a DR.
Maybe there is trick or certain feature we have to enable for the IPSec to work if we introduce a new block Infront or the current public IP we use for VPN peering.
He said the same thing about my Global Protect for remote access (which runs on a separate PA), they will also be impacted.
Is there a guide or link on how to setup S2S (L2L) VPN IPsec on an interface that is not facing the public?
Thanks
... View more
03-24-2023
10:11 AM
I like this answer! The IPSec will still work even if I used Loopbacks interfaces, interesting.
So, this guy we hired (from a well-known Paloalto partner) tells me otherwise, and he has 15+ years of experience.
He suggested i purchase VPN concentrators! (Something i don't want to do).
I am really puzzeled 😞
... View more
03-24-2023
10:05 AM
Both old IP block and new address block will be on the same PA, the new block will have a new Zone name.
My question was specifically regarding my VPNs peer address that i am currently using, will it work if i move it one hop (on the same PA) behind the new IP block?
... View more
03-23-2023
03:01 PM
Hi I am using a pair of PA-3250 in HA and have 17 S2S VPNs using my outside interface that has /24 public IP assigned to it. Due to ongoing issues with our current internet, we have decided to move to a different internet platform (DIA) and enhance our redundancy (enable BGP). However, with this new setup, the ISP must give us a new /29 block to exchange BGP. As a result, the current /24 subnet and the IP we use for VPN peering will sit behind this new IP block on the same PA.
Someone mentioned to me the 17 S2S tunnels will not work and IPSec tunnels must be terminated on the interface closet to the remote peer. VPN traffic cannot enter the firewall on one interface, cross the backplane and then be delivered to a second interface.
Any feedback and possible work around will be appreciated.
Thanks
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
03-24-2023
04:49 PM
|
Latest Tags
No tags yet
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks