Topology
Main Site:
- Dual ISPs
- Single PAN firewall with dual Virtual Routers and dual VPNs.
- One ISP is used for all VPN traffic and the other is used for Internet traffic, as well as a backup for the VPN traffic.
Remote Site:
- Single PAN firewall with a single VR and a single ISP.
- tunnel.156 (in VR2) is the primary VPN tunnel.
- The workstation pings the remote site from VR1. The PBF rule forwards the packet to the tunnel.156 interface in VR2.
- When the PBF monitor fails, the packet falls back to VR1's route for the VPN network, which exits via tunnel.56.
VR1 Setup
- Configure an IP address on the tunnel interface for PBF monitoring.
- Set up the static route for the VPN/tunnel monitoring traffic.
VR2 Setup
- Configure an IP address on the tunnel interface for tunnel monitoring.
- Set up the static route for the VPN/tunnel monitoring traffic.
- Create a return route for the source subnet (pointing back to the other VR).
PBF Policy
Security Policy
admin@lab-56-PA500(active)> show pbf rule all
Rule           ID   Rule State  Action   Egress IF/VSYS   NextHop          NextHop Status
============== ==== ========== ======== ================ ================ ==============
VPNtraffic     4    Active      Forward  tunnel.156       156.156.156.58   UP
Session Flow:
admin@lab-56-PA500(active)> show session id 29290
Session 29290
c2s flow:
source: 192.168.56.30[Trust]
dst: 192.168.57.1
proto: 6
sport: 3045 dport: 443
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown
pbf rule: VPNtraffic 4
s2c flow:
source: 192.168.57.1[vr2-vpn]
dst: 192.168.56.30
proto: 6
sport: 443 dport: 3045
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown
start time : Mon Aug 8 10:16:58 2011
timeout : 1800 sec
time to live : 1767 sec
total byte count : 47632
layer7 packet count : 129
vsys : vsys1
application : ssl
rule : TrafficVPN
session to be logged at end : True
session in session ager : True
session synced from HA peer : False
layer7 processing : completed
URL filtering enabled: False
session via syn-cookies: False
session terminated on host : False
session traverses tunnel : True
captive portal session : False
ingress interface : ethernet1/6
egress interface : tunnel.156
session QoS rule : N/A(class 4)
admin@lab-56-PA500(active)> show pbf rule all
Rule           ID   Rule State  Action   Egress IF/VSYS   NextHop          NextHop Status
============== ==== ========== ======== ================ ================ ==============
VPNtraffic     4    Active      Forward  tunnel.156       156.156.156.58   DOWN
admin@lab-56-PA500(active)> show session id 61386
Session 61386
c2s flow:
source: 192.168.56.30[Trust]
dst: 192.168.57.1
proto: 6
sport: 512 dport: 55042
state: INIT type: FLOW
src user: unknown
dst user: unknown
s2c flow:
source: 192.168.57.1[vpn]
dst: 192.168.56.30
proto: 1
sport: 55042 dport: 512
state: INIT type: FLOW
src user: unknown
dst user: unknown
start time : Mon Aug 8 10:49:18 2011
timeout : 6 sec
total byte count : 74
layer7 packet count : 1
vsys : vsys1
application : ping
rule : TrafficVPN
session to be logged at end : True
session in session ager : False
session synced from HA peer : False
layer7 processing : enabled
URL filtering enabled: False
session via syn-cookies: False
session terminated on host : False
session traverses tunnel : True
captive portal session : False
ingress interface : ethernet1/6
egress interface : tunnel.56
session QoS rule : N/A(class 4)
owner: panagent
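An added Python checker, not part of this article or of PAN-OS, that parses the two outputs above and reports whether a session used the PBF path, failed over to tunnel.56, or is stale (its egress interface disagrees with the monitor state); the sample text, its column spacing and the "stale" label are assumptions.

```python
import re

# Constructed samples modelled on this page's `show pbf rule all` and
# `show session id` output; the column spacing is an assumption.
PBF_DOWN = """\
Rule           ID   Rule State  Action   Egress IF/VSYS   NextHop          NextHop Status
============== ==== ========== ======== ================ ================ ==============
VPNtraffic     4    Active      Forward  tunnel.156       156.156.156.58   DOWN
"""
SESSION_FALLBACK = """\
Session 61386
        c2s flow:
                source:      192.168.56.30 [Trust]
        application                       : ping
        ingress interface                 : ethernet1/6
        egress interface                  : tunnel.56
"""

def parse_pbf_rules(text):
    """Map rule name -> fields from the rows after the ==== separator."""
    rules, in_body = {}, False
    for line in text.splitlines():
        if line.startswith("===="):
            in_body = True
        elif in_body and line.strip():
            name, rid, state, action, egress, nexthop, status = line.split()
            rules[name] = {"id": int(rid), "state": state, "action": action,
                           "egress": egress, "nexthop": nexthop, "status": status}
    return rules

def parse_session(text):
    """Pull the session fields that reveal which path the flow took."""
    fields = {}
    for key in ("pbf rule", "application", "ingress interface", "egress interface"):
        m = re.search(rf"^\s*{re.escape(key)}\s*:\s*(.+?)\s*$", text, re.M)
        if m:
            fields[key] = m.group(1)
    return fields

def classify_path(rules, session, rule_name, backup_if):
    """'primary': PBF path in use; 'failover': monitor DOWN and the session
    took the VR1 default route; 'stale': session and PBF state disagree."""
    rule = rules[rule_name]
    pbf_hit = session.get("pbf rule", "").startswith(rule_name)
    egress = session.get("egress interface")
    if rule["status"] == "UP" and pbf_hit and egress == rule["egress"]:
        return "primary"
    if rule["status"] == "DOWN" and not pbf_hit and egress == backup_if:
        return "failover"
    return "stale"
```

A "stale" result on a live box is the case worth alerting on: a session still pinned to a tunnel whose monitor has gone DOWN, or one that never returned to the PBF path after the monitor came back UP.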