07-03-2022 07:54 PM
Hi,
We are using the Zscaler cloud service through GRE tunnels and set a default route using a GRE route under the service VPN (vpn1), which is taken by client traffic on the LAN side (service side) when it goes to the Internet.
The GRE tunnel is established over the Internet link (VPN0).
Also, we have a default route on the transport side (VPN0) with NAT.
Recently, we added a new system that communicates with a cloud service on the Internet.
We want PCs to use the GRE tunnel routing and want the client cloud GW to use the normal default route.
We're considering using a centralized data policy to achieve this, as in the attached snapshot below.
What I am not sure about with this solution is how the traffic coming from PCs will be routed if the cloud service traffic is handled by the centralized data policy.
Will the traffic be routed using the existing GRE default route?
08-08-2022 12:57 PM
We are using Zscaler as well. We route to primary and backup GRE tunnels, then use a bypass filter for our services that need to bypass Zscaler and come from a static source address. So the basic statement on the vEdges is:
ip gre-route 0.0.0.0/0 vpn 0 interface gre3 gre1
It looks like what you are doing above will send them directly out to the internet.
08-17-2022 04:40 PM
Hey Dillon,
Nice one.... I am also interested in this solution.
Could you perhaps show the bypass filter and related config please... if you don't mind.
Ciao
JC
08-18-2022 06:06 AM
Sure thing....
interface gre1
 description Zscaler_Dallas
 ip address 172.1.1.1/30
 tunnel-source-interface ge0/1
 tunnel-destination 165.225.216.22
 mtu 1476
 tcp-mss-adjust 1432
 no shutdown
!
interface gre2
 description Zscaler_Denver
 ip address 172.1.1.4/30
 tunnel-source-interface ge0/1
 tunnel-destination 165.225.10.22
 mtu 1476
 tcp-mss-adjust 1432
 no shutdown
!
vpn 10
 name Service_VLAN
 interface ge0/3.1000
  description "Service Interface"
  ip address 10.10.10.1/29
  mtu 1496
  no shutdown
 !
 ip gre-route 0.0.0.0/0 vpn 0 interface gre3 gre1
*Global Policy for all sites*
from-vsmart data-policy _Service_VPN_Zscaler_Bypass_Data_Policy
 direction from-service
 vpn-list Service_VPN
 sequence 1
  match
   destination-data-prefix-list Zscaler-Bypass
  action accept
   nat use-vpn 0
   no nat fallback
 default-action

*for sites that filter access by IP address or have Zscaler issues*
from-vsmart lists data-prefix-list Zscaler-Bypass
 ip-prefix 1.2.3.4/24
 ip-prefix 2.2.3.5/32
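To make the order of operations described in the replies concrete, here is an added Python model (not from the original posts and not Cisco code) of how a flow entering from the service VPN is treated: the from-service data policy is evaluated first, a Zscaler-Bypass match is NATed out VPN 0 (and dropped rather than re-routed when NAT is unavailable, because of `no nat fallback`), and everything else falls through to the gre-route default into the tunnels. The prefixes and tunnel names are the ones posted above; tunnel up/down state, the NAT-availability flag and the assumed `accept` default-action are modelling assumptions.

```python
from ipaddress import ip_address, ip_network

# Stand-in for 'data-prefix-list Zscaler-Bypass' with the prefixes as posted;
# strict=False masks the host bits that 1.2.3.4/24 carries.
ZSCALER_BYPASS = [ip_network(p, strict=False) for p in ("1.2.3.4/24", "2.2.3.5/32")]

# Stand-in for 'ip gre-route 0.0.0.0/0 vpn 0 interface gre3 gre1': the tunnels
# are tried in the listed order, first one that is up wins (modelling assumption).
GRE_DEFAULT = {"prefix": ip_network("0.0.0.0/0"), "vpn": 0, "interfaces": ("gre3", "gre1")}


def data_policy(dst):
    """Sequence 1 of the from-service data policy.

    Returns the matched action, or None when the flow falls to default-action
    (the posted default-action line is truncated; assumed 'accept' here).
    """
    if any(ip_address(dst) in net for net in ZSCALER_BYPASS):
        return {"action": "accept", "nat": "use-vpn 0", "fallback": False}
    return None


def route_lookup(dst, tunnel_state):
    """Service-VPN routing table: only the gre-route default is modelled."""
    if ip_address(dst) in GRE_DEFAULT["prefix"]:
        for ifname in GRE_DEFAULT["interfaces"]:
            if tunnel_state.get(ifname, False):
                return {"via": "gre-route", "vpn": GRE_DEFAULT["vpn"], "interface": ifname}
    return {"via": "none"}  # no usable tunnel and no other route: nowhere to send it


def forward(dst, tunnel_state, vpn0_nat_up=True):
    """Forwarding decision for a flow entering from the service side.

    Data policy is consulted before the routing table, so a bypass match never
    reaches the GRE default; with 'no nat fallback' a match is dropped instead
    of being re-routed when NAT in VPN 0 is unavailable.
    """
    hit = data_policy(dst)
    if hit is None:
        return route_lookup(dst, tunnel_state)
    if not vpn0_nat_up and not hit["fallback"]:
        return {"via": "drop", "reason": "bypass matched, NAT down, no fallback"}
    return {"via": "nat-vpn0", "reason": "Zscaler-Bypass match"}


if __name__ == "__main__":
    # 203.0.113.10 is a documentation address used here as a constructed sample.
    up = {"gre3": True, "gre1": True}
    for dst in ("2.2.3.5", "1.2.3.200", "203.0.113.10"):
        print(dst, forward(dst, up))
```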