topic Re: Global Protect users unable to access internal resources in General Topics

Global Protect users unable to access internal resources

jeff_mattson — Thu, 26 May 2022 13:50:06 GMT

I have a new portal and gateway and I'm trying to get users to access internal resources. I can see connections in the monitoring logs and get session end reason of either aged-out or n/a. Internal resources are able to reach GP users so the traffic is flowing outbound correctly. Somewhat new to PA and I'm thinking I'm missing a route or a NAT, something simple. Any suggestions?

Re: Global Protect users unable to access internal resources

BPry — Thu, 26 May 2022 21:05:34 GMT

@jeff_mattson,

It sounds like you are missing a route as you stated. I'd looking at your routes and verify that your actually have that setup properly for your internal resources. I wouldn't suspect a NAT issue for this traffic in a generic network setup.

Re: Global Protect users unable to access internal resources

jeff_mattson — Wed, 01 Jun 2022 21:04:17 GMT

I'm assuming I want to route to the interface (ethernet 1/8) with the assigned network that is behind that interface (10.100.0.0/24) and a next hop of none since it is directly connected. Having this configured I am still not able to reach internal resources on that interface. I am able to reach Internet resources. Ideas?

Re: Global Protect users unable to access internal resources

Adrian_Jensen — Thu, 02 Jun 2022 20:42:50 GMT

@jeff_mattson Are you using different Security Zones for the internal, internet, and VPN interfaces. And are you using different routing tables for each?

Your GP Gateway is presumably attaching VPN-connected clients to a tunnel interface (Network->GP->Gateway->[config]->Agent->Tunnel Settings). Are you using the default routing table on that tunnel, or a secondary routing table (Network->Interfaces->Tunnel-<[tunnel]->Virtual Router)? If the routing tables are different, then you need to add routes to the source/destination routing tables for traffic to go in both directions. As an example:

Internal clients are in 10.100.0.0/24 on ethernet1/8, routing table "default"

VPN clients are in 192.168.32.0/24 on tunnel.999, routing table "WAN2"

Then in the routing tables you need "next vr" hops to jump to the alternate routing table (Network->Virtual Routers->[config]):

table default - desc="path to VPN clients", dest=192.168.32.0/24, type=next-vr, value=WAN2

table WAN2 - desc="path to internal clients", dest=10.100.0.0/24, type=next-vr, value=default

You don't put in standard interface/next-hop IP address routes when jumping between routing tables, because the destination interface doesn't exist within the current routing table.

Re: Global Protect users unable to access internal resources

jeff_mattson — Fri, 03 Jun 2022 16:44:22 GMT

I am using different Security Zones for the interfaces but only the default Virtual Router. I'm assuming one routing table per VR instance giving me a single routing table. From your example above it appears I need another routing table/Virtual Router instance. Is this possible with a single routing table? How does Palo process the routing table?

Re: Global Protect users unable to access internal resources

Adrian_Jensen — Mon, 06 Jun 2022 04:34:42 GMT

In my setup (configured by someone different and now gone) I have 3 routing tables, a default and a routing table for each of 2 WAN interfaces, with the VPNs running on respective WANs. So each routing table needs respective routes. If you only have a single table then that is probably not it (but I don't have experience with that particular setup).