Skip to main content
SigniVain
SigniVain
New Member
May 9, 2018
Question

Use a public IP address for VDOM2, that is in the advertised BGP range of VDOM1?

  • May 9, 2018
  • 2 replies
  • 7756 views

Howdy,

I have several VDOMs, one of which we'll call "Outside."  This Outside VDOM is directly connected to the Internet, and is advertising a /24 block to the ISP via BGP.  From this IP block, everything's working as it should: we have IPs from this advertised range forwarding to internal resources, which are accessible by the public.  Just to put numbers to this public IP range, let's say it's 192.168.0.0/24.

 

Here's where I'm stuck: I would like to create a new VDOM which will be used strictly for site-to-site IPsec tunnels.  However, I'd like this IPsec VDOM to be accessible by the public using one of the 192.168.0.0/24 IP addresses (e.g. 192.168.0.2).  What is the best way to accomplish this? 

 

Should I just create a VIP on the Outside VDOM pointing to the VDOM link on the IPsec VDOM side, and then use a one-for-one NAT IP pool with the 192.168.0.2 address?

 

Any help would be greatly appreciated!  Thank you in advance.

2 replies

Toshi_Esumi
SuperUser
Toshi_Esumi
SuperUser
May 10, 2018

The simplest way, which we do for most of multi-vdom situations, is to make the first vdom/root to have a direct internet connection, and the rest of all vdoms are connected to the internet through root vdom. You can allocated a /30 or even /31 to each vdom-link so the second vdom use its vdom side of /30or31 public IP to set up VPNs, which could be used for admin access as well (although we don't allow that for security reason. Otherwise it may not pass PCI audit or something like that).

aagrafi
aagrafi
New Member
May 10, 2018

You should create an inter-VDOM link between the two VDOMs. The routing to/from the Internet, of course, should be done through the Outside VDOM.

SigniVain
SigniVainAuthor
New Member
May 10, 2018

Thank you for your responses!  I failed to note that the Outside VDOM (directly connected to the Internet) is in NAT mode, not transparent.  I've attached a diagram to help better explain my goal.

 

It seems that when I do the following, I don't get a PING response when pinging 192.168.0.2 from the outside:

[ol]
  • Create VIP on Outside VDOM; allow all traffic (proof of concept) from any source to VIP (192.168.0.2 > 172.16.0.2)
  • Create policy on Outside VDOM to use a one-for-one IP Pool (192.168.0.2) for all outbound traffic from the inter-VDOM link (172.16.0.2)
  • Create default route on IPsec VDOM (0.0.0.0/0 > 172.16.0.1)
  • Create policy on IPsec VDOM to allow all traffic from all sources in (proof of concept)[/ol]

    I can't seem to get a ping response when pinging 192.168.0.2.  Running a packet capture on IPsec VDOM shows ICMP ping requests coming in (from/to looks good), but info shows "no response found."  Did I miss a step/whole concept?

     

    Thanks again. 

     

     

    • SigniVain
    SigniVainAuthor
    New Member
    May 11, 2018

    Am I on the right path with the above steps, or am I missing smething?  Thank you for your help!

    Terms & ConditionsAccessibility statement