topic Re: VPN Client, Can't connect to internal zone? in General Topics

VPN Client, Can't connect to internal zone?

searching1 — Fri, 10 Feb 2017 18:02:29 GMT

Hi, Good day!

I would like to ask what would be the problem,

From outside user accessing via ssl vpn (VPN ZONE) below details are working.

1. It can connect / has the ip pool assigned

2. It can reach the internet using the assigned pool.

Problem is from VPN Zone user can't reach the internal zone even though we already created a policy from vpnzone -> Internal (vise versa). When we trace last hop stop is on ip address of the vpn interface.

We also tried adding static route exit interface tunnel. but still doesn't work. Also based on logs there's a byte sent (from uservpn) but no bytes received (reply from the internal server)

But when creating a nat policy from vpn zone -> internal it works.

But this doesn't scale well since it will be translated in one ip only.

What is missing on this setup?

thank you

Re: VPN Client, Can't connect to internal zone?

BPry — Fri, 10 Feb 2017 18:18:46 GMT

Kind of hard to follow the question with a quick glance, but I would attempt to look for the following.

1) What does your Access Route look like in your GP Client Configuration. Are you routing 0.0.0.0/0 or do you have a split tunnel setup.

2) Do you actually have a security rule that allows the traffic to/from GP zone to/from internal network that is being hit?

3) If you are not hitting the right security policies look in the log and see if you can even see the traffic. If you can't see the traffic then you have an Access Route config issue, if you can see the traffic in the log and it isn't hitting the rule that you expect then you are likely just configuring your security policy wrong or it doesn't 'make it down' to the rule that you want it to.

Re: VPN Client, Can't connect to internal zone?

searching1 — Sat, 11 Feb 2017 07:32:53 GMT

Hi,

Diagram:

VPN ZONE ----(tunel Interface)->(FW)<-----(L3)----- Internal Zone

1. 1.1.1.X (VPN Pool segment) 255.255.255.0 > tunnel interface

2.2.2.X (Internal segment) 255.255.255.0 > tunnel interface

2. Yes, there's a policy already and it's hitting the policy. the problem is when pinging from VPN Pool to Internal, Bytes sent increaase but Bytes out always 0 which theres no reply from the server or server can't reach the vpn client ip.

Thanks

Re: VPN Client, Can't connect to internal zone?

TranceforLife — Sun, 12 Feb 2017 18:11:58 GMT

Hi,

So when you NATing the VPN Zone > Internal Zone things are working fine? Try to do a ping or traceroute from the Internal > VPN Zone. See the traffic flow, check your routing.

Re: VPN Client, Can't connect to internal zone?

BenjAudy.MTL — Mon, 13 Feb 2017 00:00:36 GMT

You should do a packet capture on the server to see if it actually receives the packets and if anything is sent back. After that, do a packet capture on the firewall to see if it's receiving the response and if it's dropping it.

Benjamin

Re: VPN Client, Can't connect to internal zone?

BPry — Mon, 13 Feb 2017 17:14:20 GMT

I'm just harboring a guess here but that would seem to indicate that your return path either isn't allowed or the route back is misconfigured.