topic Re: Accessing all company networks with GlobalProtect client in General Topics

Accessing all company networks with GlobalProtect client

kpv — Mon, 23 Sep 2013 11:03:19 GMT

Hi!

Basic info:

PA-500 (software version 5.0.7)

Main location network: 10.10.1.0/24

Branch location network: 192.168.1.0/24

GlobalProtect client IP pool: 10.10.3.10 - 10.10.3.254

We have main location network and branch location network connected thru IPSec VPN. Our PA-500 is located on main location and handles GlobalProtect clients connections. When we connect thru GlobalProtect client, we are able to access only main location network, but cannot access branch network. How to configure that? By adding another proxy ID to IPSec tunnel? (local: 10.10.3.0/24, remote: 192.168.1.0/24 in main location and vice versa on branch location)

Thanks!

Re: Accessing all company networks with GlobalProtect client

Retired Member — Mon, 23 Sep 2013 11:08:36 GMT

What did you configure for access route ? (Global Protect configuration)

Re: Accessing all company networks with GlobalProtect client

kpv — Mon, 23 Sep 2013 11:25:43 GMT

Access route:

10.10.1.0/24

192.168.1.0/24

And i forgot to tell before: I don't know what appliance is at the other end of tunnel (main - branch). Someone else will configure that one.

Re: Accessing all company networks with GlobalProtect client

hsnetworks01 — Mon, 23 Sep 2013 12:03:05 GMT

Do you have set route on Branch location to Main location as well?

Know as back route.

Re: Accessing all company networks with GlobalProtect client

kpv — Mon, 23 Sep 2013 12:17:35 GMT

Can't tell, have no access to appliance. But VPN works fine: main - brunch.

Re: Accessing all company networks with GlobalProtect client

hsnetworks01 — Mon, 23 Sep 2013 12:37:15 GMT

VPN can works as is independent on route.

Steps:

create VPN

set route

set security rules

Re: Accessing all company networks with GlobalProtect client

Retired Member — Mon, 23 Sep 2013 13:19:18 GMT

Then you just need a source NAT rule.

(if you have security rule)

Write a NAT rule for source address 10.10.3.10 - 10.10.3.254 and also select zone, destination zone as branch and source NAT dynamic ip port / interface select Main Location interface.

Then you should access to branch without problem.

Re: Accessing all company networks with GlobalProtect client

kpv — Mon, 23 Sep 2013 13:50:27 GMT

Thanks for now. I will look into security and will be back.

Re: Accessing all company networks with GlobalProtect client

apasupulati — Mon, 23 Sep 2013 16:39:20 GMT

Hello kpv,

So I understand from your description that only the Branch location network is inaccessible by the GP users.

Do you have,

1. Proxy Id for the GP subnet and remote subnet (if doing a policy based ipsec vpn)

2. Security policy from GP-tunnel zone to the Ipsec-tunnel zone on the PA500.

3. Return route/access from branch network to the GP subnet on the Peer side.

Thanks,

Aditi

Re: Accessing all company networks with GlobalProtect client

cmateam — Mon, 23 Sep 2013 21:21:32 GMT

Was just having the same problem. Turned out to be a return route as apasupulati suggested in item #3 of his post. Similar setup here in this post: Client VPN traffic and routing over IPsec Tunnel