Hi Guys, I have a pair of PSA-5000 series devices configured in a cluster. There is an internal interface with an IP of 172.19.24.1, an external interface on 192.168.200.204 (DMZ) and a Management interface on 172.19.128.101.
The VPN clients from outside access the External port via a NAT rule on our firewall and this works great.
We now have a situation where the circuit that the external VPN client connects to is becoming saturated. I have another circuit that I would like to point the VPN client at so they can use a less busy network and NAT that to an alternative IP address on the external (DMZ) interface in addition to the existing IP address.
This one is probably the quickest and easiest; I would recommend it, especially if this is temporary. There should be zero impact on your current setup, as there are no changes needed on the PSA itself. The downside is you have to make end users aware of this new hostname in case they find the existing one slow.
a. Create a second DNS hostname for the service, for example vpn2.myvpn.com, such that it resolves to the second public IP hosted by your secondary/less busy circuit
b. Set up the NAT rules on this secondary circuit/firewall similar to your existing setup
c. Have end users connect to this new hostname
There are several other ways to do this; if the above does not suit, give us more details of your requirements.