topic Re: Basic GP routing/NAT/policy in General Topics

Basic GP routing/NAT/policy

Retired Member — Mon, 15 Apr 2019 08:49:38 GMT

The Gateway/Portal of my setup works fine.

It's routing I think that's not working.

I just want a client over GP to hit local networks off the PANOS.

IP Pool and access routes that been defined, work just fine .. I can see client has been bestowed these when it connects..

What's the basic setup from a routing perspective ?

- I set up a tunnel.## interface, and default vr, and assign the GP gateway to it

- I add the tunnel.## to zone of 'untrust'

- I add a static route under vr's (even though I read an article that routes are automatically added for this ? https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CluKCAS) where the IP pool assigned in the Client Config of Gateway is pointed to tunnel.##.. no next hop IP defined.

- NAT perhaps is my issue ? I need an exempt ? Where source zone is trust and destination zone is untrust and destination interface is tunnel.## ? I did this.. still no go..

Re: Basic GP routing/NAT/policy

Remo — Mon, 15 Apr 2019 12:59:21 GMT

@Retired Member wrote:
I just want a client over GP to hit local networks off the PANOS.

Did you configure routes in your internal network that route the GP IP pool to the firewall? When you try ro reach something in your internal network what does the log show you - are there sessions with 0 byter received?

(I don't know if this does cause any problems but the static route that you configured for the IP pool with the tunnel interface as destination I would remove as it is really not necessary)

Re: Basic GP routing/NAT/policy

Retired Member — Tue, 16 Apr 2019 00:11:38 GMT

@Remo

I see nothing in 'Monitor' -> 'Traffic'..

But going back to my list of steps.. seems right ?

Re: Basic GP routing/NAT/policy

Retired Member — Tue, 16 Apr 2019 01:00:14 GMT

UPDATE.. sourced from inside the networks attached to PANOS.. I can reach the VPN client.

But the other way.. sourcing from PANGP client .. I can't get in.

Which,

a. means routing is fine

b. I can see in a traceroute from PANGP client I get nothing from next hop of gateway.. and the 'Access Routes' are working/inplace so I should get to the CIDR via the PANGP gateway address assigned..

Re: Basic GP routing/NAT/policy

Retired Member — Tue, 16 Apr 2019 02:09:47 GMT

Buh.. it was a sec policy.. even though I had an implicit deny log start and end. I never saw the traffic in monitor.

But adding a sec pol worked.. Go figure..