Configure the Linux Instances as Routers

To configure the Linux instances as routers, complete the following tasks.
These tasks have you make iptables changes. The iptables changes do not persist across a system reboot, so Palo Alto Networks recommends that you have a method to save them and make them persistent across a reboot (for example, install a Linux package that restores the saved rules at boot).
  1. Configure the Router 1 instance in VPC 1 located in mainland China.
    You can also configure Router 1 as a VM-series next-generation firewall; these steps show a configuration using two Linux instances as routers.
    1. Open a secure CLI session with the router 1 instance by entering ssh -i key-file root@instance-ip, where key-file is the file location where you saved the key and instance-ip is the IP address of the router 1 instance.
    2. Using an editing program such as vi, edit the /etc/sysctl.conf file and add the following line to the file, then save and close the file:
      net.ipv4.ip_forward = 1
    3. Enter sysctl -p to load the new configuration.
    4. Add iptables rules to allow this instance to accept and forward IPSec tunnel packets by creating a shell script with the name iptables-rule.sh and adding the following lines to the file, substituting router-1-private-ip-address with the private IP address of Router 1 and router-2-private-ip-address with the private IP address of Router 2.
      #!/bin/sh
      iptables -t filter -A FORWARD -i eth0 -j ACCEPT
      iptables -t filter -A FORWARD -o eth0 -j ACCEPT
      iptables -t nat -A PREROUTING -i eth0 -p udp -m udp --dport 500 -j DNAT --to-destination router-2-private-ip-address
      iptables -t nat -A PREROUTING -i eth0 -p udp -m udp --dport 4500 -j DNAT --to-destination router-2-private-ip-address
      iptables -t nat -A POSTROUTING -d router-2-private-ip-address/32 -o eth0 -p udp -m udp --dport 500 -j SNAT --to-source router-1-private-ip-address
      iptables -t nat -A POSTROUTING -d router-2-private-ip-address/32 -o eth0 -p udp -m udp --dport 4500 -j SNAT --to-source router-1-private-ip-address
    5. Save and close the file.
    6. Enter the chmod +x iptables-rule.sh command to make the file executable.
    7. Enter ./iptables-rule.sh to run the shell script and add the iptables rules.
    8. Enter the iptables-save command to verify that the rules have been added.
  2. Configure the Router 2 instance in VPC 2 located outside of mainland China.
    1. Open a secure CLI session with the router 2 instance by entering ssh -i key-file root@instance-ip, where key-file is the file location where you saved the key and instance-ip is the IP address of the router 2 instance.
    2. Using an editing program such as vi, edit the /etc/sysctl.conf file and add the following line to the file, then save and close the file:
      net.ipv4.ip_forward = 1
    3. Enter sysctl -p to load the new configuration.
    4. Add iptables rules to allow this instance to accept and forward IPSec tunnel packets by creating a shell script with the name iptables-rule.sh and adding the following lines to the file, substituting remote-network-service-ip-address with the Service IP Address of the Prisma Access remote network (Panorama > Cloud Services > Status > Network Details > Remote Networks > Service IP Address) and router-2-private-ip-address with the private IP address of Router 2.
      #!/bin/sh
      iptables -t filter -A FORWARD -i eth0 -j ACCEPT
      iptables -t filter -A FORWARD -o eth0 -j ACCEPT
      iptables -t nat -A PREROUTING -s router-2-private-ip-address/32 -i eth0 -p udp -m udp --dport 500 -j DNAT --to-destination remote-network-service-ip-address
      iptables -t nat -A PREROUTING -s router-2-private-ip-address/32 -i eth0 -p udp -m udp --dport 4500 -j DNAT --to-destination remote-network-service-ip-address
      iptables -t nat -A POSTROUTING -d remote-network-service-ip-address/32 -o eth0 -p udp -m udp --dport 500 -j SNAT --to-source router-2-private-ip-address
      iptables -t nat -A POSTROUTING -d remote-network-service-ip-address/32 -o eth0 -p udp -m udp --dport 4500 -j SNAT --to-source router-2-private-ip-address
    5. Save and close the file.
    6. Enter the chmod +x iptables-rule.sh command to make the file executable.
    7. Enter ./iptables-rule.sh to run the shell script and add the iptables rules.
    8. Enter the iptables-save command to verify that the rules have been added.
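As an added example (not Palo Alto Networks' own file), the two iptables-rule.sh scripts above merged into one parameterised, re-runnable script: ROLE selects which router's rules to apply, the address variables and their defaults are constructed placeholders, IPT=echo prints the rules instead of applying them, and valid_ipv4 rejects any substituted value that is not a plain IPv4 address before it can reach the iptables command line. The -C check makes the script safe to run more than once, which the page's version is not, since each run of plain -A rules appends a second copy.

```shell
#!/bin/sh
# Parameterised, re-runnable version of iptables-rule.sh; the address defaults are constructed placeholders.
ROLE="${ROLE:-router1}"                   # router1 (VPC 1) or router2 (VPC 2)
R1_PRIV="${R1_PRIV:-10.1.0.10}"           # private IP address of Router 1
R2_PRIV="${R2_PRIV:-10.2.0.10}"           # private IP address of Router 2
SERVICE_IP="${SERVICE_IP:-203.0.113.10}"  # Prisma Access remote network Service IP Address
IPT="${IPT:-iptables}"                    # IPT=echo prints the rules instead of applying them

valid_ipv4() {
  # Exactly four dotted-decimal octets in 0-255; anything else never reaches the iptables command line.
  case "$1" in ""|*[!0-9.]*) return 1 ;; esac
  old_ifs="$IFS"; IFS=.; set -- $1; IFS="$old_ifs"
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    { [ -n "$octet" ] && [ "$octet" -le 255 ]; } || return 1
  done
  return 0
}

add_rule() {
  # Append only if an identical rule is absent (-C), so re-running the script does not stack duplicates.
  table="$1"; shift
  if [ "$IPT" = echo ]; then
    echo "iptables -t $table -A $*"
  elif ! "$IPT" -t "$table" -C "$@" 2>/dev/null; then
    "$IPT" -t "$table" -A "$@"
  fi
}

emit_rules() {
  # The page's two rule sets, selected by role; only IKE (UDP 500) and NAT-T (UDP 4500) are translated.
  add_rule filter FORWARD -i eth0 -j ACCEPT
  add_rule filter FORWARD -o eth0 -j ACCEPT
  for port in 500 4500; do
    case "$ROLE" in
      router1)
        add_rule nat PREROUTING -i eth0 -p udp -m udp --dport "$port" -j DNAT --to-destination "$R2_PRIV"
        add_rule nat POSTROUTING -d "$R2_PRIV/32" -o eth0 -p udp -m udp --dport "$port" -j SNAT --to-source "$R1_PRIV" ;;
      router2)
        add_rule nat PREROUTING -s "$R2_PRIV/32" -i eth0 -p udp -m udp --dport "$port" -j DNAT --to-destination "$SERVICE_IP"
        add_rule nat POSTROUTING -d "$SERVICE_IP/32" -o eth0 -p udp -m udp --dport "$port" -j SNAT --to-source "$R2_PRIV" ;;
      *) echo "unknown ROLE: $ROLE" >&2; return 2 ;;
    esac
  done
}
if [ "${1:-}" = apply ]; then   # e.g. ROLE=router2 R2_PRIV=... SERVICE_IP=... ./iptables-rule.sh apply
  for ip in "$R1_PRIV" "$R2_PRIV" "$SERVICE_IP"; do valid_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; exit 1; }; done
  [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ] || echo "warning: net.ipv4.ip_forward is not 1" >&2
  emit_rules && iptables-save   # step 8 of the page: print the live rule set to verify it
fi
```

Run it as root with the apply argument on each router; without the argument it only defines the functions, and with IPT=echo you can review the exact rules before touching the live tables.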