Globalprotect Design Question

Hello,

I’m trying to implement the below design so that there is separation between Internal and External VPN users. The reason for the Staging Virtual Router is because all RFC1918 networks could be used in staging and External VPN users will need access to these. At the same time there is the trusted zone that needs to be separate from the Staging zone and access allowed via GP for Internal VPN users only.

I only have 1 public IP to play with.

I have followed the guides linked below and configured GP Portal (10.10.10.1) and Gateway (10.10.10.2) on loopback addresses and have the IPSec VPN working successfully utilising Destination NAT for Internal GP users in the diagram.

Where I’m stuck is figuring out how to configure the second Gateway that is tied to a tunnel interface in the Staging VR in order to maintain routing separation from the trust zone.

I created a second tunnel interface and assigned it to the Staging VR and created a new security zone. I then created another loopback (10.10.10.3).

Next I created another Gateway with this new loopback. In the Agent config I selected the new tunnel interface and enabled IPSec.

My progress then ground to a halt when it came to the NAT rule, as I already have a rule for the single public IP that translates incoming IPSec traffic to the first Gateway (10.10.10.2).

Any ideas on how I can get this working or better implement these design requirements?

Thanks,

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGKCA0

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClKPCA0

You can put the gateway on a different port, then NAT that port to the gateway on 443. You will only be able to use SSL VPN on the other GW with a single public IP.

Use AD group memberships to give the two different classes of users two different IP pools on two gateway profiles. Then write the security policies to the inside networks based on the IP pools.
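The two replies above combined into one configuration sketch, as an added example that is not from either commenter or the linked articles, written in PAN-OS set-command syntax. Assumed values: public IP 203.0.113.10 (documentation range), zones untrust/trust/staging, tunnel zones gp-internal/gp-external, alternate port 4443, and pools 10.20.1.0/24 and 10.20.2.0/24.

```text
# Added example, assumed values throughout: public IP 203.0.113.10, zones
# untrust / trust / staging, tunnel zones gp-internal / gp-external,
# pools 10.20.1.0/24 (Internal users) and 10.20.2.0/24 (External users).

# Custom service for the second gateway's alternate port
set service tcp-4443 protocol tcp port 4443

# Existing DNAT: public IP :443 -> first gateway loopback 10.10.10.2 (IPSec stays here)
set rulebase nat rules GP-GW1-DNAT from untrust to untrust source any destination 203.0.113.10 service service-https destination-translation translated-address 10.10.10.2

# New DNAT: public IP :4443 -> second gateway loopback 10.10.10.3 on 443.
# Only SSL works for this gateway: the agent's IPSec transport uses fixed UDP 4501
# to the gateway, so it cannot be port-multiplexed behind one public address.
set rulebase nat rules GP-GW2-DNAT from untrust to untrust source any destination 203.0.113.10 service tcp-4443 destination-translation translated-address 10.10.10.3 translated-port 443

# One IP pool per gateway agent config; the AD group decides which config a user gets,
# so the pool is assigned once at connect time and policy keys on it afterwards.
set address GP-Internal-Pool ip-netmask 10.20.1.0/24
set address GP-External-Pool ip-netmask 10.20.2.0/24

# Security policy keyed on pool: Internal pool reaches trust, External pool reaches staging only
set rulebase security rules GP-Internal-to-Trust from gp-internal to trust source GP-Internal-Pool destination any application any service application-default action allow
set rulebase security rules GP-External-to-Staging from gp-external to staging source GP-External-Pool destination any application any service application-default action allow
# No rule from gp-external to trust: the interzone default deny keeps External users out of trust.
```

The portal agent config then has to list the second gateway with the alternate port (address:4443) so clients reach it through the new NAT rule; the pools must not overlap, or the pool-based rules lose their meaning.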

Yeah, I know it can be done with just groups without the differentiating IP pools, but I don't want to be querying AD all the time, so it gets queried once upon connect, put user in pool, pool determines access rights.

Got it working using SSL VPN, thanks.