topic Re: GlobalProtect and overlapping networks - is it a problem? in General Topics

GlobalProtect and overlapping networks - is it a problem?

_slv_ — Tue, 27 Dec 2016 20:41:42 GMT

Hello

I'm using GP since few years without any problem. Recently my colleagues complains abut situation when he can't established RDP connection. Local networks in their home is 192.168.1.x and my servers are on the same network 192.168.1.x -
That's their issue.

In my opinion it's not a problem because GP install virtual adapter that's have network designed for GP in my scenario 172.16.1.x.

I force also route 0.0.0.0/0

I tryed to find tech docs explained such situation but I can't find one. Could You point me in right directions of proofing my rights please.

With regards

SLawek

Re: GlobalProtect and overlapping networks - is it a problem?

TranceforLife — Tue, 27 Dec 2016 21:48:49 GMT

Hi,

Do PCAP from the client when attempting connection to the RDP server. That will prove the source IP you are coming from.

What is happening if they are not connected to the GP, can they RDP to the server?

Thx,

Myky

Re: GlobalProtect and overlapping networks - is it a problem?

BenjAudy.MTL — Wed, 28 Dec 2016 05:38:41 GMT

Hi,

Personally, I would never use 192.168.1.0/24 or 192.168.2.0/24 as a business network because so many home routers use those networks and you will run into overlaps. In your case, the local route for network 192.168.1.0/24 of the remote computer will have precedence over the default route 0.0.0.0/0, so the packet will not go through the VPN tunnel.

Benjamin

Re: GlobalProtect and overlapping networks - is it a problem?

_slv_ — Wed, 28 Dec 2016 09:13:20 GMT

Hello Benjamin

I know that in business we shouldn't use 192.168.1.x network - in my case this is historical - and very hard to change now.

I can't do pcap right now, I will do that in few days.

In my case I was able to ping any of my servers without problem. So are You sure that this is a route issue?

How to explain that ping was OK when RDP not?

Regards

SLawek

Re: GlobalProtect and overlapping networks - is it a problem?

BPry — Wed, 28 Dec 2016 14:35:05 GMT

I imagine that the end user is utilizing a Windows box? Overlap on the VPN networks are well known to cause serious issues with routing on Windows due to it prioritizing known paths. Everyone can say that this really shouldn't cause and issue, but it does for whatever reason even when running a 0.0.0.0/0.

One thing that I would double check is if the end-user is properly initiating an RDP. If you can ping the server then it should be able to RDP as long as Windows isn't doing something funky in the background; are you sure that the user is properly logging into the server using the DOMAIN\user and the proper password?

Re: GlobalProtect and overlapping networks - is it a problem?

_slv_ — Wed, 28 Dec 2016 15:21:24 GMT

Hello

Of course it's Windwos box 😉

I need to use 0.0.0.0/0 route because I need internet access from my IP's and access to local servers.

Is it other possibility to achieve this?

route print from my Windows box:

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface Metric
          0.0.0.0          0.0.0.0      192.168.8.1    192.168.8.101     50
          0.0.0.0          0.0.0.0         On-link        172.16.1.6      1
    xxx.xxx.xxx.xxx 255.255.255.255      192.168.8.1    192.168.8.101     50

as we can see link from 172.16.1.6 has "1" metric. I belive that routing table was the same from laptop that has issue. I know that I'm using 192.168.8.x network.

I will check this in lab with router with 192.168.1.0 network on 3th January.

The user can not even logon because when he tryed to connect using mstsc.exe logon windows doesn't appear, only after about 60s popup with "cannot conect bla bla" appear.

Regards

Slawek

Re: GlobalProtect and overlapping networks - is it a problem?

BPry — Wed, 28 Dec 2016 15:45:32 GMT

You might just want to try and have him connect to the FQDN of the device; that's what we have all of our users do and we don't get any overlap issues. Generally that works alot better than simple IP connections.

Re: GlobalProtect and overlapping networks - is it a problem?

_slv_ — Wed, 28 Dec 2016 16:19:26 GMT

This was my first step, we tryed to conenct using IP address - so this problem was eliminated.

Re: GlobalProtect and overlapping networks - is it a problem?

jdelio — Wed, 28 Dec 2016 22:55:16 GMT

The overlapping networks is ALWAYS a problem.. You have to either Exclude that network from the VPN OR you need to NAT. There is no way to easily avoid it when you have the overlap.

Re: GlobalProtect and overlapping networks - is it a problem?

_slv_ — Mon, 02 Jan 2017 13:33:27 GMT

Helllo

Thank You all for replays.

I will do NAT for connections between laptops and servers on 192.168.1.x network. I prefer to not NAT on connection between laptop and other servers ie. 192.168.10.x.

I hope that this solve my problems.

Regards

Slawek

Re: GlobalProtect and overlapping networks - is it a problem?

_slv_ — Thu, 05 Jan 2017 21:52:40 GMT

Hello

One more question

How to collect information about local user assigned IP addres from their home router? Please give me advice.

Regards

Slawek

Re: GlobalProtect and overlapping networks - is it a problem?

jdelio — Thu, 05 Jan 2017 22:28:07 GMT

The simplest way to get that information would be to get a "ipconfig" from a Dos window or Terminal window

To get this:

IPv4 Address. . . . . . . . . . . : 192.168.1.50
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . :192.168.1.1

This should tell you everything you need to know.. Network size, Gateway IP, etc.

I hope this helps.

Re: GlobalProtect and overlapping networks - is it a problem?

_slv_ — Fri, 06 Jan 2017 11:08:39 GMT

no no

I'd like to this on PA box using HIP profile....

Re: GlobalProtect and overlapping networks - is it a problem?

BPry — Fri, 06 Jan 2017 14:00:30 GMT

I'm almost certain that you can't obtain this information using HIP check. The IP address is stored in the registry so you could potentially make sure that it isn't overlapping with your own network segment, but usually as long as your network isn't using 10.0.0.0/24 or 192.168.1.0/24 you shouldn't interlap with most home networks.

Re: GlobalProtect and overlapping networks - is it a problem?

_slv_ — Fri, 06 Jan 2017 17:42:32 GMT

Hello

I'm pretty sure that it's possible, please take a look

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-HIP-for-Missing-Microsoft-Patches/ta-p/52268

if we can check patch we can check confogurtion of interfaces - I believe

How to do that - this is a question. I hope that someone will help me 🙂

Regards

Slawek