topic Re: Access to Internal Web Site Through pfSense VPN in General Topics

Access to Internal Web Site Through pfSense VPN

JoeJackson — Thu, 24 Jun 2021 04:38:48 GMT

Hey Community:

I am in the process of rolling out GlobalProtect, but until I do, i have to continue to use a pfSense OpenVPN that was already in place before the Palo was deployed.

The problem I am running into when i connect to the pfSense VPN i cannot browse to a web server that sits on server 192.168.130.221. I can ping the host just appears that no TCP communications is allowed. I have also checked my policies and nothing in my findings is blocking it.

Setup:

PA-220; 192.168.130.1 <--------------------------->192.168.130.249: pfSense VPN Appliance, VPN clients are assigned an IP address from pool 10.31.253.0/25 network.

I can ping from a 10.31.253.x to the web host 192.168.130.221but I cannot browse to the website it is hosting, keep getting a timeout error. I also ran a packet capture and I can see that my web browse attempt is making it to the web server but the return traffic is getting dropped and I see resets.This same thing is happening to another web site that sits behind 192.168.31.224. Can ping it just not access it.

Re: Access to Internal Web Site Through pfSense VPN

Mick_Ball — Thu, 24 Jun 2021 05:16:14 GMT

Hmm not sure of your exact setup... what is the servers default gateway, if its the palo then do you have static route to the 10.x network via the other appliance... prob not much help but perhaps a sketch/doodle may help...

Re: Access to Internal Web Site Through pfSense VPN

JoeJackson — Thu, 24 Jun 2021 05:29:01 GMT

Thanks for your reply. The web server's gateway is the palo's IP of 192.168.130.1. Yes there is a route on the appliance to the 10.x.

To note, this all worked with the previous setup with a Meraki MX gateway which we replaced with the Palo. Again, i can ping all of these servers from the 10.x network so routing is working just fine, it has to be something at another level.

Re: Access to Internal Web Site Through pfSense VPN

Mick_Ball — Thu, 24 Jun 2021 07:55:36 GMT

Looks like asymmetric routing issue. Pfsense will see server local and go direct, server will see traffic from 10 address which is not local so will send to def gateway palo... palo prob drop cos never got a session start. Icmp works different so nobody really cares about sessions... you could nat 10 traffic to a 192 address, then server will reply back to pfs interface...

or add a static route on the server to 10.31.253.0/24 via GW 192.168.130.249.

i would prefer the NAT option as you may have several servers and will need to remove when PFS appliance is removed.

Re: Access to Internal Web Site Through pfSense VPN

JoeJackson — Thu, 24 Jun 2021 12:27:32 GMT

Thanks for your help. Your comment put me on the right path even though I did not use the solution you provided. The issue was with asymmetric routing and i confirmed this by doing a packet cap on the Palo and could see return traffic getting dropped.

What I ended up doing was applying a Zone Protection Profile to the LAN Zone that permitted Asymmetric routing. Once we have moved completely over to GlobalProtect, i will remove the ZPP from the LAN zone. Again, thank you for your help.