topic Re: Traffic cannot return in General Topics

Traffic cannot return

apazmino — Fri, 24 Jun 2022 02:40:52 GMT

Hi Folks I have the next topology. The problem is the return traffic when I connect via GlobalProtect and I get a client IP 10.81.235.x. This IP cannot connect with a web server that is in the LAN, but this LAN is external through a data link routing.

In the other side, owner of web server 192.168.36.38 they don't want to include subnet GP 10.81.235.x in their route tables for propagation due to internal security policies. Currently, communication is succesfull between LAN internal to LAN external, but GP to LAN external (192.168.36.x) is not completing.

In logs we have security rule that show me allow with application incomplete and session end reason Aged out.

Is possible to use a NAT rule to force communication and avoid session loss or PBF with symetric return? What option could you suggest me?

Thanks in advance

Re: Traffic cannot return

aleksandar.astardzhiev — Fri, 24 Jun 2022 10:39:45 GMT

Hi @apazmino,

Probably stupid question, but can you clarify for me what do you mean by "LAN is external through a data link routing"?

It is hard to understand your topology with provided information, without any diagram, at least for me.

From what I understand your problem definately sounds like the destionation doesn't know how to route back the traffic, which could be solved with NAT. It is very hard to imagine how PBF could help in this situation so go for the NAT and agree with the remote site on prefix that can be used for translating your GP IP pool.

Re: Traffic cannot return

apazmino — Fri, 24 Jun 2022 12:12:10 GMT

HI Astardzhiev, thanks for your response. When I refer to external lan, I tried to explain with this topology, lan external come to be one external subnet that does not belong to my side, otherwise, lan external is other subnet connected via data link but is within LAN_zone.

Then, to clarify I attach diagram, the question is: In the return from subnet 192.168.36.x could I use Source or destination NAT?.. According to your suggestion is not possible with PBF.

thanks so much

Re: Traffic cannot return

apazmino — Fri, 24 Jun 2022 17:43:53 GMT

Hi, it was solved with NAT SOURCE rule. Masking like a Lan subnet. Thks..

Re: Traffic cannot return

aleksandar.astardzhiev — Sat, 25 Jun 2022 20:35:37 GMT

Hi @apazmino ,

Glad you solved your problem. Add some clarification:

- You have to use source NAT, because you need to change the source address for which the server will try to send reply back.

- The purpose of PBF is if you want to route given traffic, based on some kind of policy - for example any traffic from given source network. But PBF cannot help you if destination network doesn't have route back or don't want to install proper routing for your source network.