https://live.paloaltonetworks.com/t5/general-topics/ssl-vpn-configuration-help/m-p/48132#M35394 <HTML><HEAD></HEAD><BODY><P>Hello Marct,</P><P>if you are already able to get the client to connect and get an ip then the issue probably has to do with policy or routing.</P><P>Can you verify the following:</P><P></P><P><BR />make sure that the zone that the tunnel interface for the ssl vpn has policies/rules allowing the traffic to other desired zones</P><P></P><P>make sure that the ssl vpn tunnel interface is attached to a virtual router (this virtual router should also have interfaces facing the other subnets that you want the ssl vpn users to be able to connect to)</P><P></P><P>make sure that the ip range or the subnet that you have assigned to the sslvpn users is not the same as any of the other subnets in your network</P><P></P><P></P><P></P><P>thanks,</P><P>Stephen Whyte</P></BODY></HTML> Fri, 16 Jul 2010 15:18:18 GMT swhyte 2010-07-16T15:18:18Z https://live.paloaltonetworks.com/t5/general-topics/ssl-vpn-configuration-help/m-p/48131#M35393 <HTML><HEAD></HEAD><BODY><P>Hi All,</P><P>I have been strugeling to get set up the SSL VPN on v3.1.3</P><P>I have managed to get the page to login appear</P><P>I have managed to be able to login</P><P>I have been able to dowload and get the client connect</P><P>but for some odd reason it will not communicate to the network !!! :smileyconfused:</P><P></P><P>I have followed the article on the VPN connection on this site, I have also check the logs with a deny rule at the end of my policy to see if there is anything being denied which does not hit a rule and added in a rule accordingly to what I have seen from the logs but still nothing.</P><P></P><P>Would someone be able (who has got this running) to post a quick pictorial and sugestions.</P><P></P><P>Many Thanks</P><P></P><P>Marc</P></BODY></HTML> Fri, 16 Jul 2010 12:42:45 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-vpn-configuration-help/m-p/48131#M35393 migration 2010-07-16T12:42:45Z https://live.paloaltonetworks.com/t5/general-topics/ssl-vpn-configuration-help/m-p/48132#M35394 <HTML><HEAD></HEAD><BODY><P>Hello Marct,</P><P>if you are already able to get the client to connect and get an ip then the issue probably has to do with policy or routing.</P><P>Can you verify the following:</P><P></P><P><BR />make sure that the zone that the tunnel interface for the ssl vpn has policies/rules allowing the traffic to other desired zones</P><P></P><P>make sure that the ssl vpn tunnel interface is attached to a virtual router (this virtual router should also have interfaces facing the other subnets that you want the ssl vpn users to be able to connect to)</P><P></P><P>make sure that the ip range or the subnet that you have assigned to the sslvpn users is not the same as any of the other subnets in your network</P><P></P><P></P><P></P><P>thanks,</P><P>Stephen Whyte</P></BODY></HTML> Fri, 16 Jul 2010 15:18:18 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-vpn-configuration-help/m-p/48132#M35394 swhyte 2010-07-16T15:18:18Z https://live.paloaltonetworks.com/t5/general-topics/ssl-vpn-configuration-help/m-p/48133#M35395 <HTML><HEAD></HEAD><BODY><P>Hi Stephen,</P><P></P><P>I got the similar problem on configuring SSL VPN in PA. Actually, my network is:</P><P></P><P>Eth1/5 l3-untrust 10.0.0.0/8 network</P><P>Eth1/6 l3-trust 192.168.4.0/24 network</P><P>Tunnel l3-trust</P><P></P><P>Those three interfaces are under the same virtual router with below routing:</P><P></P><P>default-route 0.0.0.0/0 int eth1/5 next_hop 10.1.1.254</P><P>tunnel traffic to corp 172.16.1.0/24 int tunnel</P><P></P><P>172.16.4.0/24 is a SSL VPN portal client IP pool</P><P></P><P>Anything I missed? Thanks!</P><P></P><P>Johnny</P></BODY></HTML> Mon, 19 Jul 2010 09:55:40 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-vpn-configuration-help/m-p/48133#M35395 johnnywong 2010-07-19T09:55:40Z https://live.paloaltonetworks.com/t5/general-topics/ssl-vpn-configuration-help/m-p/48134#M35396 <HTML><HEAD></HEAD><BODY><P>If you have already verified all of my previous suggestion, then you may want to start looking into other factors like the following:</P><P></P><P></P><P>make sure that the device you are trying to reach does not have a firewall that is on or limiting connections to it</P><P></P><P>make sure that the device you are trying to reach is routing back to the pan device when trying to get back to ssl vpn users.....in other words when your device tries to reach this network (172.16.1.0/24), it should routed back to pan device.</P><P></P><P></P><P></P><P>thanks,</P><P>Stephen</P></BODY></HTML> Mon, 19 Jul 2010 20:52:56 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-vpn-configuration-help/m-p/48134#M35396 swhyte 2010-07-19T20:52:56Z https://live.paloaltonetworks.com/t5/general-topics/ssl-vpn-configuration-help/m-p/48135#M35397 <HTML><HEAD></HEAD><BODY><P>Did you mean the device I want to reach have to add a routing table for SSLVPN pool (172.16.1.0/24) via 192.168.4.51? The source of the packet will use 172.16.1.x info?</P><P></P><P>BTW, I tested before but it seems cannot be done. I already added the routing table 172.16.1.0 to the device I want to go which is 192.168.4.61.</P><P></P><P>thanks,</P><P>Johnny</P></BODY></HTML> Tue, 20 Jul 2010 08:44:35 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-vpn-configuration-help/m-p/48135#M35397 johnnywong 2010-07-20T08:44:35Z