topic VPN with gateway as passthrough from cloud service to customer who requires public IP from cloud pro in Firewall and Security Management

VPN with gateway as passthrough from cloud service to customer who requires public IP from cloud pro

Karen_Foster — Sat, 14 Dec 2019 17:16:34 GMT

We have two VPN tunnels; one is a bidirectional between us and a Cloud Service and the other is a one way between us and a customer with the traffic originating on our side of the tunnel. We need to be able to, either create a bi-directional tunnel between us and our customer, or a second tunnel with the traffic originating on the customer's side which can communicate with the Cloud Service. The current one-way tunnel between us and our customer has our external IP address defined on the gateway, but our customer is requiring us to assign another public IP address for the Cloud Service's traffic before they will allow traffic from their side through our side, then out to cloud. I am at a loss as to how to make this happen. The Cloud Service does not provide public IPs to use. Does this make sense? If so, how would I accomplish this and be able to have the traffic route properly? I have included a simple diagram to help explain the flow.

Re: VPN with gateway as passthrough from cloud service to customer who requires public IP from cloud

PhoneBoy — Sun, 15 Dec 2019 04:43:29 GMT

Without knowing anything about the nature of this traffic that's supposed to go from your customer to this cloud service, it's hard to say if this will even work much less whether a truly public IP will be required.

Assuming it's something simple like HTTPS, all that should be needed is an IP they're not using on their end.
They could even use the IP of the cloud service in question.

Re: VPN with gateway as passthrough from cloud service to customer who requires public IP from cloud

Karen_Foster — Mon, 16 Dec 2019 14:09:38 GMT

PhoneBoy,

Assume https traffic.

1. The VPN connected to the cloud service is a Star topology with different encryption specifications than the tunnel with the client which is meshed, would I be able to add the client gateway and the cloud gateway to the same community? Because the tunnels are already established do I need to do anything further to route traffic from the client tunnel through our center gateway to the cloud tunnel assuming we can provide them with a public IP from the cloud provider? The VPN routing on the cloud tunnel is set to "To center or through the center to other .....".

2. If the cloud provider can not furnish a public IP (other than the one I have connected to the cloud tunnel), what are my other options?

Thank you for help

Re: VPN with gateway as passthrough from cloud service to customer who requires public IP from cloud

PhoneBoy — Mon, 16 Dec 2019 16:38:50 GMT

You could theoretically add the customer to your existing community, assuming they can set their encryption settings to match the existing community.
Whatever IP you're using to access the cloud service over the VPN from your end now could then be used by the customer.
That assumes no overlapping IPs being used and the appropriate rules are in place.
Otherwise, you'll need an IP that isn't being used on the customer side that can be NATted to the cloud service.

Re: VPN with gateway as passthrough from cloud service to customer who requires public IP from cloud

Karen_Foster — Mon, 16 Dec 2019 21:30:24 GMT

Thank you