https://live.paloaltonetworks.com/t5/general-topics/global-protect-ssl-vpn-and-accessing-the-internet-v4-1/m-p/26074#M19025 <HTML><HEAD></HEAD><BODY><P>I was able to figure out the problem. I believe the issue was related to my NAT policy and routing. My NAT policy was translating traffic to the IP address of the interface used for our primary ISP but routing it out the interface for our secondary ISP.</P><P></P><P>I have ISP failover setup using PBF for the primary ISP and a virtual route for the secondary ISP. The PBF routes traffic from my trust to untrust zones. (There aren't any PBF rules configured with the source zone my VPN is using so the firewall should check the virtual router next.) I have a default route setup on the virtual router that is used in the event the PBF primary ISP route fails. I also had another default route for traffic that should already be routing traffic via the previously mentioned PBF policy, just with a lower priority metric (probably shouldn't even be there). I believe the NAT policy was translating traffic to the primary ISP interface IP address but the virtual route with a higher priority metric was sending that traffic out the secondary ISP interface. I removed the second "default" route and created another PBF policy that routes traffic from my VPN zone to the primary ISP interface. Tested and works great now! </P><P></P><P>I hope this made sense.</P></BODY></HTML> Wed, 02 Jan 2013 22:37:15 GMT mario11584 2013-01-02T22:37:15Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-ssl-vpn-and-accessing-the-internet-v4-1/m-p/26071#M19022 <HTML><HEAD></HEAD><BODY><P>I have built access via global protect for remote users and all is working fine except that they cannot access the internet. </P><P>1. DNS is assigned (internal)</P><P>2. All internal network resources are accessable</P><P>3. accessable routes includes 0.0.0.0/32</P><P>Any ideas?</P><P></P><P>Thanks,</P><P>John</P></BODY></HTML> Mon, 09 Jan 2012 17:41:02 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-ssl-vpn-and-accessing-the-internet-v4-1/m-p/26071#M19022 Marcum 2012-01-09T17:41:02Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-ssl-vpn-and-accessing-the-internet-v4-1/m-p/26072#M19023 <HTML><HEAD></HEAD><BODY><P><SPAN style="font-size: 10pt;">Two things. In the gateway client config set the access route to 0.0.0.0/0. That eliminates split tunnel. <BR /> <BR /> Make sure there is a rule that allows the VPN zone to access the untrust zone. <BR /> <BR /> Also a NAT rule to NAT VPN users like you do for the inside or trusted network. <BR /> <BR /> Last thing, make sure VPN tunnel is part of the same virtual router as the outside layer 3 interface. <BR /></SPAN></P><P>Thank for the info Geovanni Morales</P></BODY></HTML> Mon, 09 Jan 2012 18:41:01 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-ssl-vpn-and-accessing-the-internet-v4-1/m-p/26072#M19023 Marcum 2012-01-09T18:41:01Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-ssl-vpn-and-accessing-the-internet-v4-1/m-p/26073#M19024 <HTML><HEAD></HEAD><BODY><P>I am running into this problem as well. I have the access route 0.0.0.0/0 configured. I have a security policy to allow traffic from my VPN zone to the untrust zone. I created a NAT policy identical to the one in place for traffic from untrust to trust with the exception being traffic is coming from the VPN zone. See the screen shots below. I only have one virtual router but how do I make sure it is part of the same outside layer 3 interface?</P><P></P><P>NAT Policy:</P><P><IMG alt="NAT Policies.png" class="jive-image-thumbnail jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/4989_NAT Policies.png" width="450" /></P><P>Security Policies:</P><P><IMG alt="Security Policies.png" class="jive-image-thumbnail jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/4990_Security Policies.png" width="450" /></P><P>Access Route:</P><P><IMG alt="Access Route.png" class="jive-image-thumbnail jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/5006_Access Route.png" width="450" /></P></BODY></HTML> Fri, 28 Dec 2012 23:16:19 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-ssl-vpn-and-accessing-the-internet-v4-1/m-p/26073#M19024 mario11584 2012-12-28T23:16:19Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-ssl-vpn-and-accessing-the-internet-v4-1/m-p/26074#M19025 <HTML><HEAD></HEAD><BODY><P>I was able to figure out the problem. I believe the issue was related to my NAT policy and routing. My NAT policy was translating traffic to the IP address of the interface used for our primary ISP but routing it out the interface for our secondary ISP.</P><P></P><P>I have ISP failover setup using PBF for the primary ISP and a virtual route for the secondary ISP. The PBF routes traffic from my trust to untrust zones. (There aren't any PBF rules configured with the source zone my VPN is using so the firewall should check the virtual router next.) I have a default route setup on the virtual router that is used in the event the PBF primary ISP route fails. I also had another default route for traffic that should already be routing traffic via the previously mentioned PBF policy, just with a lower priority metric (probably shouldn't even be there). I believe the NAT policy was translating traffic to the primary ISP interface IP address but the virtual route with a higher priority metric was sending that traffic out the secondary ISP interface. I removed the second "default" route and created another PBF policy that routes traffic from my VPN zone to the primary ISP interface. Tested and works great now! </P><P></P><P>I hope this made sense.</P></BODY></HTML> Wed, 02 Jan 2013 22:37:15 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-ssl-vpn-and-accessing-the-internet-v4-1/m-p/26074#M19025 mario11584 2013-01-02T22:37:15Z