Palo Alto Networks Knowledgebase: How to Configure Dual VPNs with Dual ISPs from a Single Firewall to a Remote Site

Created On 02/07/19 23:55 PM - Last Updated 02/07/19 23:55 PM
VPNs
Resolution

Topology

Main Site:

  • Dual ISPs
  • Single PAN firewall with dual Virtual Routers and dual VPNs.
  • One ISP is used for all VPN traffic and the other is used for Internet traffic, as well as a backup for the VPN traffic.

Remote Site:

  • Single PAN firewall with a single VR and a single ISP.

    3453_ss1.gif

  • Tunnel156 (in VR2) will be the main VPN tunnel.
  • The workstation will ping the remote site from VR1.  The PBF rule will route the packet to the interface of Tunnel156 in VR2.
  • When the PBF monitor fails, the packet uses the default route of the VPN network (tunnel.56) in VR1.

 

VR1 Setup

  • Configure an IP address on the tunnel interface for PBR monitoring.

    3454_ss2.gif

  • Set up the static route for VPN/tunnel monitoring traffic.

    3455_ss3.gif

 

VR2 Setup

  • Configure an IP address for tunnel monitoring.

    3456_ss4.gif

  • Set up the static route for VPN/tunnel monitoring traffic.
  • Create a return route for the source (route back to the other VR).

    3457_ss5.gif

     

PBF Policy

3458_ss6.gif

 

Security Policy

3459_ss7.gif

 

admin@lab-56-PA500(active)> show pbf rule all

Rule       ID Rule State Action  Egress IF/VSYS NextHop        NextHop Status
====       == ========== ======  ============== ============== ==============
VPNtraffic 4  Active     Forward tunnel.156     156.156.156.58 UP

Session Flow:

 

admin@lab-56-PA500(active)> show session id 29290

Session 29290
  c2s flow:
    source: 192.168.56.30[Trust]
    dst:    192.168.57.1
    proto:  6
    sport:  3045    dport:  443
    state:  ACTIVE    type:  FLOW
    src user: unknown
    dst user: unknown
    pbf rule: VPNtraffic 4
  s2c flow:
    source: 192.168.57.1[vr2-vpn]
    dst:    192.168.56.30
    proto:  6
    sport:  443    dport:  3045
    state:  ACTIVE  type:  FLOW
    src user: unknown
    dst user: unknown
  start time          : Mon Aug 8 10:16:58 2011
  timeout              : 1800 sec
  time to live        : 1767 sec
  total byte count    : 47632
  layer7 packet count  : 129
  vsys                : vsys1
  application          : ssl
  rule                : TrafficVPN
  session to be logged at end : True
  session in session ager : True
  session synced from HA peer : False
  layer7 processing    : completed
  URL filtering enabled: False
  session via syn-cookies: False
  session terminated on host : False
  session traverses tunnel : True
  captive portal session : False
  ingress interface : ethernet1/6
  egress interface : tunnel.156
  session QoS rule : N/A(class 4)

 

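After the PBF monitor fails, the next hop status changes to DOWN and the new session below egresses tunnel.56 instead of tunnel.156:

admin@lab-56-PA500(active)> show pbf rule all

Rule       ID Rule State Action  Egress IF/VSYS NextHop        NextHop Status
====       == ========== ======  ============== ============== ==============
VPNtraffic 4  Active     Forward tunnel.156     156.156.156.58 DOWN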

 

admin@lab-56-PA500(active)> show session id 61386

Session 61386
  c2s flow:
    source: 192.168.56.30[Trust]
    dst:    192.168.57.1
    sport:  512    dport:  55042
    state:  INIT    type:  FLOW
    src user: unknown
    dst user: unknown

  s2c flow:
    source: 192.168.57.1[vpn]
    dst:    192.168.56.30
    proto:  1
    sport:  55042  dport:  512
    state:  INIT    type:  FLOW
    src user: unknown
    dst user: unknown

  start time          : Mon Aug 8 10:49:18 2011
  timeout              : 6 sec
  total byte count    : 74
  layer7 packet count  : 1
  vsys                : vsys1
  application          : ping
  rule                : TrafficVPN
  session to be logged at end : True
  session in session ager : False
  session synced from HA peer : False
  layer7 processing    : enabled
  URL filtering enabled: False
  session via syn-cookies: False
  session terminated on host : False
  session traverses tunnel : True
  captive portal session : False
  ingress interface : ethernet1/6
  egress interface : tunnel.56
  session QoS rule : N/A(class 4)
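
One way to turn the manual comparison above into a repeatable failover check. This is an added example, not part of the original article or Palo Alto Networks tooling: it parses `show pbf rule all` and `show session id` output and confirms the session egresses the tunnel that the PBF next-hop status implies. The function names and the `backup_if` default are assumptions; the sample text is trimmed from the captures on this page.

```python
# Added example (not from the original article): checks that a session's
# egress tunnel matches what the PBF next-hop monitor state implies.
# Sample CLI output below is trimmed from the captures on this page.
PBF_UP = """\
Rule       ID Rule State Action  Egress IF/VSYS NextHop        NextHop Status
====       == ========== ======  ============== ============== ==============
VPNtraffic 4  Active     Forward tunnel.156     156.156.156.58 UP
"""
PBF_DOWN = PBF_UP.replace("58 UP", "58 DOWN")
SESSION_PRIMARY = """\
Session 29290
    pbf rule: VPNtraffic 4
  egress interface : tunnel.156
"""
SESSION_BACKUP = """\
Session 61386
  egress interface : tunnel.56
"""

def parse_pbf_rules(text):
    """Parse 'show pbf rule all' rows into {rule name: fields}."""
    rules = {}
    for line in text.splitlines():
        cols = line.split()
        # Data rows have exactly 7 columns with a numeric ID; this skips
        # the header (10 tokens) and the '====' separator.
        if len(cols) == 7 and cols[1].isdigit():
            name, _, state, action, egress, nexthop, status = cols
            rules[name] = {"state": state, "action": action, "egress": egress,
                           "nexthop": nexthop, "status": status}
    return rules

def parse_session(text):
    """Parse the 'key : value' lines of 'show session id' output."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def check_path(pbf_text, session_text, rule="VPNtraffic", backup_if="tunnel.56"):
    """Return (ok, expected_if, actual_if) for one session."""
    pbf = parse_pbf_rules(pbf_text)[rule]
    # Assumption from the topology: tunnel.156 while the monitor is UP,
    # the VR1 default route (tunnel.56) once it is DOWN.
    expected = pbf["egress"] if pbf["status"] == "UP" else backup_if
    actual = parse_session(session_text).get("egress interface")
    return actual == expected, expected, actual
```

A `False` first element means the session is leaving through a tunnel other than the one the monitor state predicts, which is the condition to investigate after a failover or failback.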

 

owner: panagent


