SSL VPN users unable to access the internet though Palo

parkcakes — Thu, 27 Oct 2011 14:29:24 GMT

I have setup SSL VPN and its been in use for a few weeks without any issue with the exception of one minor annoyance.

I have been unable to get the SSL VPN users to be able to see the internet when connected.

1) The access route is set to 0.0.0.0/0 to force all traffic back though the Palo Alto.

I don’t want users getting internet direct when they are VPN'ed in but force them to be filtered just like when they are in the office.

2) If I use a laptop with Firefox on and point it to a temporary internal proxy on port 8080 i can get back out again to the internet.

3) The VPN users get an IP address in a range outside the normal local LAN range.

4) There is a router which is the default gateway points all traffic not destined for one of our other networks though the Palo alto.

I think this issue is that the VPN traffic is exiting the Palo on the same interface that it has to come back on to get out of the internet and there is nothing to point it back were all other traffic is being forwarded to the Palo Alto by the gateway. Therefore I think I need some sort of rule on the Palo that internally forwards VPN traffic not destined for one of internal networks back out of the WAN port????

Ethernet 1/1 (WAN) (DefaultVR) (L3-untrust) 194.123.123.18/28

Ethernet 1/2 (LAN) (DefaultVR) (L3-untrust) 10.1.1.20/8

Management 10.1.1.23

----

SSL-VPN range 10.3.1.0/24

SSL Gateway (eth1/1) 194.123.123.18/28

----

Tunnel (DefaultVR) L3-Trust (no IP)

----

DefaultVR Static routes.

default 0.0.0.0/0 ip 194.123.123.17 none none

Site2 10.2.0.0/16 ip 10.1.1.11 none none

Site3 10.5.0.0/16 ip 10.1.1.11 none none

---

Border Router (for Site to site links) 10.1.1.11

Forwards all traffic for other networks e.g. 10.2.0.0/16 over site to site link

Forwards everything else to Palo > 10.1.1.20

Re: SSL VPN users unable to access the internet though Palo

skrall — Mon, 31 Oct 2011 17:02:42 GMT

Problems like this usually fall into one of two catagories.

1) The range allocated for SSL VPN users is not getting the proper NAT applied when the traffic goes out to the internet

2) There is another router involved in the path and that router is not aware of the SSL VPN subnet or is directing the traffic to the incorrect next hop.

If neither of these is the case you should open a case with support.

Steve Krall

topic Re: SSL VPN users unable to access the internet though Palo in General Topics

SSL VPN users unable to access the internet though Palo

Re: SSL VPN users unable to access the internet though Palo