https://live.paloaltonetworks.com/t5/general-topics/pa500-split-tunnelling-dns-question/m-p/50234#M36988 <HTML><HEAD></HEAD><BODY><P>Hi</P><P>I am seeing traffic denied from untrust to untrust per my last global deny rule application not applicable</P><P></P><P>dosent seem to be any other deny</P><P></P><P>thanks</P><P>Sue</P></BODY></HTML> Tue, 30 Aug 2011 13:11:39 GMT sue_town 2011-08-30T13:11:39Z https://live.paloaltonetworks.com/t5/general-topics/pa500-split-tunnelling-dns-question/m-p/50232#M36986 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>Have a PA 500 set up for split tunnelling - so clients access internet locally and all other traffic is passed over VPN tunnel to our office</P><P></P><P>I have DHCP set up on PA box so clients get primary DNS server (local ISP one) and secondary DNS (office one)</P><P></P><P>I have set up a rule from trust to untrust to allow application DNS and service DNS however i am getting errors saying failed to resolve domain name</P><P></P><P>so I SSH to the box and cannot ping host www.yahoo.com nor can i ping host yahoo.com by IP</P><P></P><P>any ideas please?</P><P></P><P>thanks</P><P>Sue</P></BODY></HTML> Tue, 30 Aug 2011 12:27:33 GMT https://live.paloaltonetworks.com/t5/general-topics/pa500-split-tunnelling-dns-question/m-p/50232#M36986 sue_town 2011-08-30T12:27:33Z https://live.paloaltonetworks.com/t5/general-topics/pa500-split-tunnelling-dns-question/m-p/50233#M36987 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>if you cannot ping yahoo.com by IP as well, it is unlikely to be a DNS problem. Would you check the traffic log to see if any traffic has been denied? </P></BODY></HTML> Tue, 30 Aug 2011 13:02:41 GMT https://live.paloaltonetworks.com/t5/general-topics/pa500-split-tunnelling-dns-question/m-p/50233#M36987 jleung 2011-08-30T13:02:41Z https://live.paloaltonetworks.com/t5/general-topics/pa500-split-tunnelling-dns-question/m-p/50234#M36988 <HTML><HEAD></HEAD><BODY><P>Hi</P><P>I am seeing traffic denied from untrust to untrust per my last global deny rule application not applicable</P><P></P><P>dosent seem to be any other deny</P><P></P><P>thanks</P><P>Sue</P></BODY></HTML> Tue, 30 Aug 2011 13:11:39 GMT https://live.paloaltonetworks.com/t5/general-topics/pa500-split-tunnelling-dns-question/m-p/50234#M36988 sue_town 2011-08-30T13:11:39Z https://live.paloaltonetworks.com/t5/general-topics/pa500-split-tunnelling-dns-question/m-p/50235#M36989 <HTML><HEAD></HEAD><BODY><P> Hi Sue,</P><P></P><P>Try to do this:</P><P></P><P>1. go to <CITE>whatis<STRONG>myip</STRONG>address.com/ to check the public IP you are using before you connect to the SSLVPN.</CITE></P><P><CITE>2. start the vpn connection, check if there is any deny traffic from your public ip address</CITE></P><P><CITE>3. most likely you will see there is traffic from your public IP address from untrust to untrust running on port 443 being denied. for that case you should add the SSL as the app and app. default as the port no.</CITE></P><P><CITE>4. remember to add the NAT policy for your client.</CITE></P></BODY></HTML> Tue, 30 Aug 2011 13:34:54 GMT https://live.paloaltonetworks.com/t5/general-topics/pa500-split-tunnelling-dns-question/m-p/50235#M36989 jleung 2011-08-30T13:34:54Z https://live.paloaltonetworks.com/t5/general-topics/pa500-split-tunnelling-dns-question/m-p/50236#M36990 <HTML><HEAD></HEAD><BODY><P>thanks for your reply....but the traffic over the VPN tunnel into the companys network is working ok</P><P></P><P>the issue is just with internet access and DNS it seems...</P><P></P><P>Sue</P></BODY></HTML> Tue, 30 Aug 2011 13:44:02 GMT https://live.paloaltonetworks.com/t5/general-topics/pa500-split-tunnelling-dns-question/m-p/50236#M36990 sue_town 2011-08-30T13:44:02Z https://live.paloaltonetworks.com/t5/general-topics/pa500-split-tunnelling-dns-question/m-p/50237#M36991 <HTML><HEAD></HEAD><BODY><P>Hi Sue,</P><P></P><P>so would you run ipconfig to see if the DNS setting is well populated? Also check if the "route print" output to see if the routing to SSLVPN gateway just cover the corporate network subnet, and run a traceroute to see check which is the next hop for traffic to yahoo.com.</P></BODY></HTML> Tue, 30 Aug 2011 14:34:14 GMT https://live.paloaltonetworks.com/t5/general-topics/pa500-split-tunnelling-dns-question/m-p/50237#M36991 jleung 2011-08-30T14:34:14Z https://live.paloaltonetworks.com/t5/general-topics/pa500-split-tunnelling-dns-question/m-p/50238#M36992 <HTML><HEAD></HEAD><BODY><P>just to let you know this is resolved</P><P></P><P>the issue was that the default route was set to go via an interface rather than IP address - once i changed it to IP, all web browsing and DNS worked fine</P><P></P><P>just for info</P><P></P><P>thanks for replies</P><P>Sue</P></BODY></HTML> Wed, 31 Aug 2011 07:57:59 GMT https://live.paloaltonetworks.com/t5/general-topics/pa500-split-tunnelling-dns-question/m-p/50238#M36992 sue_town 2011-08-31T07:57:59Z https://live.paloaltonetworks.com/t5/general-topics/pa500-split-tunnelling-dns-question/m-p/50239#M36993 <HTML><HEAD></HEAD><BODY><P>Hi Sue,</P><P></P><P>Good to know that <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /> </P></BODY></HTML> Wed, 31 Aug 2011 15:49:31 GMT https://live.paloaltonetworks.com/t5/general-topics/pa500-split-tunnelling-dns-question/m-p/50239#M36993 jleung 2011-08-31T15:49:31Z