topic Re: Do I have a split - full tunnel issue in General Topics

Do I have a split - full tunnel issue

bdunbar — Tue, 26 Aug 2014 21:33:47 GMT

I'm a system admin, and have also become the Network guy. This is okay: it's a small network. I'm still learning.

I have a PA-200, installed by a VAR, in a colocation rack. Rack is filled with windows and linux hosts.

I need to alter the VPN so that when my users in the office connect from their laptops, they can see the systems (ssh, rdp, https) in the rack, while at the same time being able to connect to the office printer, the internet, and so on.

Thanks in Advance,

Brian

Re: Do I have a split - full tunnel issue

HULK — Tue, 26 Aug 2014 22:08:53 GMT

Hello Brian,

Could you please check the access route configuration in your GP gateway.

Related discussion: Re: Proper Way to allow Split-tunneling

Thanks

Re: Do I have a split - full tunnel issue

GLastra — Mon, 08 Sep 2014 22:33:20 GMT

The easy way is use a full tunnel (access route 0.0.0.0/0) and control the access to the host and internet using security policies.

For example

From: specific_users to: DMZ Hosts_needed -> accept

From: All users to: Untrust ANY -> accept.

Also if you need both, you can follow the next guide.

Using Global Protect with One gateway and both split - full tunnel

Re: Do I have a split - full tunnel issue

ukhapre — Tue, 09 Sep 2014 00:17:52 GMT

Please check if there are networks defined in access list. If yes, then you need to include the servers, printers ips there.

Important - you also need security policy to allow the traffic.

e.g VPN zone to Trust allow access to <server ip>

Re: Do I have a split - full tunnel issue

bdunbar — Wed, 17 Sep 2014 18:19:17 GMT

Apologies for the delay - I'm a one-man IT department right now.

Access Routes: 209.49.29.29/32

Re: Do I have a split - full tunnel issue

hshah — Wed, 17 Sep 2014 19:39:51 GMT

Hi Bdunbar,

If access route is 209.49.29.29/32, than GP client will not be able to access anything other than 209.49.29.29/32.

Regards,

Hardik Shah

Re: Do I have a split - full tunnel issue

bdunbar — Wed, 17 Sep 2014 20:02:08 GMT

Removed that value - and we're good.

I believe, now, that when the client PC logs into the VPN _all_ it's traffic is going to the colocation rack and using their internet. So I still need to set up the split tunnel per the above link.

And next up: the powers that be want to expand our use of the apps and services on the servers in that rack, so 'a client per machine' is now a legacy solution and I need to think about a dedicated VPN tunnel. Joy!

But I feel a lot better about this: thanks.

Re: Do I have a split - full tunnel issue

hshah — Wed, 17 Sep 2014 20:09:50 GMT

Hi Bdunbar,

You can configure all Networks used in COLO in "Access Route".

So Internet traffic will flow through clients Internet circuit. and corporate traffic will flow through VPN tunnel.

Regards,

Hardik Shah