topic Re: Global Protect on overlapping networks in General Topics

Global Protect on overlapping networks

LCMember317 — Tue, 11 Oct 2011 13:20:52 GMT

Hello everybody!

I have a big problem with Global Protect and overlapping networks.

I make you an example.

-------------

My local network is 192.168.10.x

My Global Protect Network is 172.16.x.x

The external network has the same class of my local network

--------------

If I connect my lapton in any networks everything works good but if the network has the same class of my local network Global Protec Client on my laptop discover the "outside network" like extenal network (perfect thing) but if I try to access some service like webserver or Exchange I encounter connection error.

Can I resolve this specific situation? How?

Another think ... I can resolve and ping for example my internal DNS

Help me please ....

Re: Global Protect on overlapping networks

kamish — Tue, 11 Oct 2011 13:31:34 GMT

You are hitting your external gateway fine, but are unable to access internal resources? Is this correct?

Re: Global Protect on overlapping networks

kamish — Tue, 11 Oct 2011 13:37:08 GMT

A couple places to look for a problem.

Check to make sure that you have a security rule in place from inside to outside with your IP range for the GP pool. And vice versa.
Check that you have a route in place on your vrouter to allow you to stay inside once you have connected to the GP client.

Could you upload images of your vrouter and interfaces?

Also, make sure that your IP pool that you are assigning clients from GP is not the same network as your internal resources. It has to be something different.

Re: Global Protect on overlapping networks

LCMember317 — Tue, 11 Oct 2011 13:47:27 GMT

Yes ... but only some address. For Example the DNS server works good.

I think I've find the error. I've missed the Access Route in Gateway configuration.

Re: Global Protect on overlapping networks

kamish — Tue, 11 Oct 2011 13:48:56 GMT

That'll do it. Let me know if that fixes it. If you just enter 0.0.0.0 in the access routes for the Gateway, that will take care of it.

Re: Global Protect on overlapping networks

LCMember317 — Tue, 11 Oct 2011 14:20:17 GMT

If I use 0.0.0.0/0 or leave everything blank I have the overlapping problem.

If I submit my network class everything works but I cannot block for example the web-browsing because I bypass my firewall for navigation.

Re: Global Protect on overlapping networks

kamish — Tue, 11 Oct 2011 15:23:11 GMT

Does your vrouter have a route to internal resources?

Re: Global Protect on overlapping networks

LCMember317 — Tue, 11 Oct 2011 15:41:12 GMT

Do you mean I have to create I single route for I single resource in VR?

Re: Global Protect on overlapping networks

kamish — Tue, 11 Oct 2011 15:45:01 GMT

No not necessarily. For instance, I have 2 rules on my Vrouter for 172 and 192 addresses that point them from my external interface to my internal gateway.

Re: Global Protect on overlapping networks

kamish — Tue, 11 Oct 2011 15:51:53 GMT

Here is what my vrouter looks like:

Re: Global Protect on overlapping networks

LCMember317 — Tue, 11 Oct 2011 17:41:10 GMT

Tomorrow I'm going to try your solution. I give you a feedback asap

Re: Global Protect on overlapping networks

LCMember317 — Wed, 12 Oct 2011 13:36:45 GMT

Here I'm!

After a morning of test these are the results:

First of all we've updated the firmware at 4.0.5.

After that we've made a test with our client on external network. The result is not good!

Example:

We are on external network (class: 192.168.10.x/24) and try to connect trought GP at our network (same class but /21). We can ping and reach some IP but not all! For example the Exchange server not respond.

I attach the route create by GP client on external notebook and our VR

Re: Global Protect on overlapping networks

kamish — Wed, 12 Oct 2011 13:42:11 GMT

According to your schemata pic, there is not a route in there for 192.168.10.x/24. Honestly, I would remove all of the routes that you have for all of your 192 addresses and just make the route state 192.168.0.0/16 to your gateway. That way anything coming from 192.168 routes to the gateway.

Another thing to check would be to make sure that all of your internal DNS issues can resolve. I.E. in your external gateway config do you have the addresses of your DNS servers entered and a DNS suffix?

Re: Global Protect on overlapping networks

kamish — Wed, 12 Oct 2011 13:45:25 GMT

Also, could you show screen shots of your portal and gateway config?

Re: Global Protect on overlapping networks

LCMember317 — Wed, 12 Oct 2011 14:04:59 GMT

Yes ...

Re: Global Protect on overlapping networks

LCMember317 — Wed, 12 Oct 2011 14:13:40 GMT

PS: the DNS is configured.

Re: Global Protect on overlapping networks

kamish — Wed, 12 Oct 2011 14:20:22 GMT

On your portal IP and external gateway IP, are the public or private IPs?

If they are private, do you have a NAT rule in place for them to resolve to?

Re: Global Protect on overlapping networks

LCMember317 — Wed, 12 Oct 2011 14:22:03 GMT

We've got public IP

Re: Global Protect on overlapping networks

kamish — Wed, 12 Oct 2011 14:26:39 GMT

As I stated before, there is not a route on your vrouter for 192.168.10.x/24 with next hop being your internal gateway. I would just make a mask 192.168.0.0/16 from your eth1/1 interface to the 192.168.10.253 address.

Re: Global Protect on overlapping networks

kamish — Wed, 12 Oct 2011 14:29:16 GMT

But the fact that your internal gateway IP and inside network gateway are on the same subnet could be an issue as well.