topic Re: Global Protect - External IP as source in VPN tunnel in General Topics

Global Protect - External IP as source in VPN tunnel

sitecore — Wed, 06 Jun 2012 05:48:17 GMT

Hello PAN.

Trying to figure out why my connection on the VPN client was behaving a bit sporadic I noticed that *some* of the traffic send to the firewall from my GPA was using source IP = my client public IP, rather than my client private IP.

So. Some traffic is send with source IP = public IP, some traffic is being send with source IP = vpn IP.

VPN client i is tunnel mode, where only traffic to internal systems are being send to the firewall.

How can we make sure that tunnel traffic is only using source IP = vpn IP (so that it doesn't get dropped on the firewall) ?

Thanks

Jørgen

Re: Global Protect - External IP as source in VPN tunnel

rmonvon — Wed, 06 Jun 2012 19:34:30 GMT

Hi...The remote client should be NAT'ed to one of the IPs in the VPN's ip pool if the traffic is going thru the VPN tunnel. The VPN tunnel should be on a different zone than the public external zone. Please take a look at the traffic log and check the src zone.

If you still need help, please open a case with Support. Thanks.

Re: Global Protect - External IP as source in VPN tunnel

sitecore — Wed, 06 Jun 2012 19:49:25 GMT

Yes - it *should* NAT with the VPN IP. But if I log dropped traffic on the firewall I see:

Inbound interface = VPN Tunnel interface

Source zone = our VPN zone

Source IP = my public IP

Destination zone = our internal zone (any of them 🙂 )

Destination IP = internal IP

So it is certainly not NAT'ing *all* the traffic. It's a bit of both - which of course cannot be good for performence.

Jørgen