Wednesday, December 19, 2018

[Palo Alto] SSL VPN, Virtual Routers and two different default routes (diagram included)

Hi all,

first of all, thank you for all the help in my past thread (https://www.reddit.com/r/networking/comments/a6ehbl/palo_alto_sslvpn_and_default_route_configuration/). I was able to understand a lot of things. I created this new post because after importing the latest configuration file, things are different from what I thought.

Diagram after importing the latest config

https://i.imgur.com/5xl0znC.png

This is what I think could work:

https://i.imgur.com/JRmAZVI.png

Goal:

SSL VPN users will connect to Palo 1 using ldap+certificate as authentication. SSL VPN users must use Palo 2 e1/1 to access the internet inside the tunnel.

Configuration done so far:

The current configuration had all interfaces and tunnels under VR1, so if I created a new tunnel interface for SSLVPN and put it inside it, SSLVPN users would have accessed the internet through Palo 1 e1/1, and this is not what I am trying to accomplish. So I created a new VR2 and put Palo 1 e1/2 and the SSLVPN tunnel interface inside it. At this point, sslvpn users would inherit the second 0.0.0.0/0 via 192.168.10.254. With this method, sslvpn users could reach the internet through Palo 2 as long as the first default route is installed in the l3sw's rib. If that link goes down, the second 0.0.0.0 kicks in and now we go nowhere (traffic goes back and forth between l3sw and palo 1 e1/2). Another inconvenience is that the IPsec tunnel inside VR1 must reach the network via VR2 e1/2, so the only thing I came up with was to statically route specific routes between VRs and it worked fine (are there other ways?).

I think I didn't miss anything... otherwise I am happy to give more info if needed.

Thank you for any hints/suggestions!
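As an added example that is not part of the original post, here is a PAN-OS set-format configuration for the two-VR design described above: the inter-VR static routes the poster mentions, plus the VR2 default route with path monitoring so that it is withdrawn (and a lower-preference default via VR1 takes over) when the path through Palo 2 is dead, instead of bouncing between the L3 switch and Palo 1 e1/2. The VR and route names, tunnel.10, the 10.20.0.0/24 SSL VPN pool, the 10.1.0.0/24 network behind the IPsec tunnel, the 192.168.10.1/24 address on e1/2 and the 198.51.100.1 probe target are all assumptions; only 192.168.10.254 comes from the post.

```text
# Assumed: VR1/VR2 names, tunnel.10 = SSL VPN tunnel interface, e1/2 = 192.168.10.1/24,
# 10.20.0.0/24 = SSL VPN client pool, 10.1.0.0/24 = site behind the IPsec tunnel in VR1,
# 198.51.100.1 = placeholder probe host reachable only through Palo 2.

# --- VR2: Palo 1 e1/2 plus the SSL VPN tunnel interface ---
set network virtual-router VR2 interface [ ethernet1/2 tunnel.10 ]

# Primary default toward the L3SW / Palo 2 path (metric 10)
set network virtual-router VR2 routing-table ip static-route def-via-l3sw destination 0.0.0.0/0 interface ethernet1/2 nexthop ip-address 192.168.10.254 metric 10

# Path monitoring on that route: probe a host beyond Palo 2 from e1/2.
# When the probes fail, PAN-OS removes the route from the RIB, so VR2 stops
# handing traffic back to the L3SW when the L3SW has already lost its first default.
set network virtual-router VR2 routing-table ip static-route def-via-l3sw path-monitor enable yes
set network virtual-router VR2 routing-table ip static-route def-via-l3sw path-monitor failure-condition any
set network virtual-router VR2 routing-table ip static-route def-via-l3sw path-monitor hold-time 2
set network virtual-router VR2 routing-table ip static-route def-via-l3sw path-monitor monitor-destinations probe1 enable yes
set network virtual-router VR2 routing-table ip static-route def-via-l3sw path-monitor monitor-destinations probe1 source 192.168.10.1/24
set network virtual-router VR2 routing-table ip static-route def-via-l3sw path-monitor monitor-destinations probe1 destination 198.51.100.1
set network virtual-router VR2 routing-table ip static-route def-via-l3sw path-monitor monitor-destinations probe1 interval 3
set network virtual-router VR2 routing-table ip static-route def-via-l3sw path-monitor monitor-destinations probe1 count 5

# Backup default (metric 100): only used once the monitored route is withdrawn.
# It hands VPN traffic to VR1, i.e. out of Palo 1 e1/1, rather than looping.
set network virtual-router VR2 routing-table ip static-route def-backup-vr1 destination 0.0.0.0/0 nexthop next-vr VR1 metric 100

# Site behind the IPsec tunnel lives in VR1: leak it into VR2 for the SSL VPN users
set network virtual-router VR2 routing-table ip static-route site-via-vr1 destination 10.1.0.0/24 nexthop next-vr VR1

# --- VR1: return path for the SSL VPN client pool ---
set network virtual-router VR1 routing-table ip static-route vpnpool-via-vr2 destination 10.20.0.0/24 nexthop next-vr VR2
```

The backup path also needs security and NAT policy from the VPN zone out of e1/1, and the probe destination must be reachable only through Palo 2, otherwise the monitor will not reflect the state of that link.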
