pa-edge-fw01 corp.example.com 10.0.0.1 255.255.255.0 10.0.0.254 8.8.8.8 8.8.4.4 pool.ntp.org 1500 1000 full ISP Uplink - Provider A 1500 DMZ - Web Servers 1500 Trust LAN 1500 ISP Uplink - Provider B (IPsec) Core Router OSPF Peering BGP Router-ID / Loopback IPsec tunnel to Branch-A (BGP over VPN) IPsec tunnel to Branch-B (BGP over VPN) ethernet1/1 ethernet1/2 ethernet1/3 ethernet1/4 ethernet1/5 loopback.1 tunnel.1 tunnel.2 0.0.0.0/0 203.0.113.1 10 0.0.0.0/0 198.51.100.1 20 10.0.0.0/8 192.168.100.2 1 172.20.0.0/16 192.168.100.2 1 10.100.1.2/32 10.100.1.2 tunnel.1 1 10.100.2.2/32 10.100.2.2 tunnel.2 1 yes 10.255.255.1 yes no 10 10 4 yes yes ext-2 20 yes 10.255.255.1 65001 yes yes yes 203.0.113.1 64512 30 90 203.0.113.2 ethernet1/1 yes 198.51.100.1 64513 30 90 198.51.100.2 ethernet1/4 yes 192.168.100.2 65001 10 30 10.255.255.1 loopback.1 no yes 10.100.1.2 65101 30 90 10.100.1.1 tunnel.1 yes 10.100.2.2 65102 30 90 10.100.2.1 tunnel.2 connected yes aes-256-cbc sha256 group14 8 aes-256-cbc sha256 group14 1 $9$secretkeyBranchA IKEv2-AES256-SHA256-DH14 198.51.100.2 ethernet1/4 198.51.100.10 IKEv2-AES256-SHA256-DH14 $9$secretkeyBranchB IKEv2-AES256-SHA256-DH14 198.51.100.2 ethernet1/4 198.51.100.20 IKEv2-AES256-SHA256-DH14 IPSec-AES256-SHA256 tunnel.1 IPSec-AES256-SHA256 tunnel.2 ethernet1/1 ethernet1/4 Zone-Protect-Strict default ethernet1/3 default ethernet1/2 Zone-Protect-DMZ default tunnel.1 tunnel.2 trust untrust 10.10.0.0/24 any web-browsing ssl dns application-default allow default yes dmz untrust 172.16.10.0/24 any apt-get yum dns application-default allow yes untrust dmz any 172.16.10.10 172.16.10.11 ssl web-browsing service-https allow yes yes vpn-tunnels trust 172.20.0.0/16 10.10.0.0/24 any any allow yes trust dmz 10.10.0.0/24 172.16.10.0/24 ssh web-browsing ssl application-default allow yes any any any any any any deny yes yes trust untrust 10.10.0.0/24 any any ethernet1/1 203.0.113.2/30 untrust untrust any 203.0.113.2 service-https 172.16.10.10 443 vpn-tunnels trust 172.20.0.0/16 10.10.0.0/24 any