topic Re: ISSUE WITH GLOBAL PROTECT in General Topics

ISSUE WITH GLOBAL PROTECT

mbeghdadi — Tue, 10 Mar 2015 09:20:39 GMT

We have configured One VR-1 only

Ethernet 1/1 is a WAN interface

Ethernet 1/2 is a WAN interface

Ethernet 1/3 is a WAN interface

Ethernet 1/4 is a LAN interface

We’ve created

ETH1-ZONE for Ethernet 1/1

ETH2-ZONE for Ethernet 1/2

ETH3-ZONE for Ethernet 1/3

ETH4-ZONE for Ethernet 1/4

VP –ZONE for all the tunnels (used for remote connection site with site-1 and site-2)

GP-ZONE used for GLOBAL PROTECT

STATIC ROUTE

We’ve a set of static

LAN to ETH1

LAN to ETH2

LAN to ETH3

LAN to LAN

And VPN route using tunnels

POLICIES

We’ve setted up a bunch of policies

LAN to WAN1 (ISP1) for Tunnel traffic and VPN traffic

LAN to WAN2 (ISP2) for Webmail

LAN to WAN3 (For Web browsing)

We’ve created a PBF for forwading traffic from LAN to Ethernet 1/2 when it is about MAIL/WebMAIL activities

We’ve an application override to force FTP application goes to LAN to LAN (through the MPLS network) due to asymmetric issues

We've a Laptop which is connecte outside the office, and we setup a connection through the PALO ALTO using GLOBAL PROTECT, the connection is established using ISP1.

The VPN for Global Protect is UP and RUNNING

The issue is the following:

We cannot access to the LAN of the PA-500

We cannot access to Internet using the PA-500

BUT

We can connect to remote-site-1; Remote-2 and last but not the least we can connect to the remote site which located accross the MPLS network.

Does anyone has an idea or some guidance about this issue? Have we missed something? Could it be possible that the configuration is wrong?

Re: ISSUE WITH GLOBAL PROTECT

parmas — Tue, 10 Mar 2015 14:12:08 GMT

We cannot access to the LAN of the PA-500 .......... from where? Please add more details

We cannot access to Internet using the PA-500............. again, access the Internet? I guess you mean from the LAN, but using which ISP?

I believe you might be running into some asymmetric routing issue because of the different ISPs that you have configured. I could suggest segregating them by using different virtual routers, but you need to make sure you have the proper routes in place in each of the VRs.

Re: ISSUE WITH GLOBAL PROTECT

mbeghdadi — Tue, 10 Mar 2015 14:48:03 GMT

Hi,

Thanks for your feedback, after investigation the issue was related to PFB..It was necessary to write a new rule stating that

trafi from LAN to GP (global protect Zone) should not use PBF...

After the commit, trafic is UP...