I'm trying to do something and i'm not really sure if it's possible. Let's get into...
I have an url that is for example: "www.myweb.com". Our partner is hosting that web and with his firewall is just allowing us the access through our IP WAN.
Everything works fine, we can access, but the problem comes when we tried to do it through our VPN (globalprotect). Our clients going through the VPN are not having the same IP WAN so our partner firewall is blocking it and obviously they cannot allow all traffic.
I'm just trying to think in a solution but my mind is blocked. Any suggestions?
Solved! Go to Solution.
you can define a policy based routing rule to route traffic through another firewall interface for that specific address.
In addition to that, you will need another Hide-NAT rule to use the other public IP for that session.
If the other public IP is not managed by the VPN-Palo Alto, you need to route that traffic (with PBF) to the other gateway.
I defined a pbf rule to route the traffic for the object "globalprotect clients" to one of my interfaces (the one that my partner allowed in his firewall). Also i defined a nat rule doing the same but when i connect the globalprotect client is not routing the traffic where i want. It routes the traffic through my carrier o wherever i'm connected to.
I don't know if this is what you meant, if not, i think i didn't understand really well you solution.
Thank you for your support though.
@PedroPablo: okay, I don't know your network setup, but maybe you can upload a small network topology with your network, interfaces, ip's and routes - then we can try to help you with the routing issue
I made a little quick diagram to help:
So, what i did is:
- I defined a nat rule where the source is the object GlobalProtect Clients ( 10.10.10.0/24) and the source translation (dynamic ip and port) the interface wan ( eth1/1 - 22.214.171.124)
- I also defined a pbf rule where the source is the object GlobalProtect Clients (10.10.10.0/24) and the next hop is the GW of the IP pool where 126.96.36.199 is included.
My problem is that people connected through GlobalProtect client is using the wan that the carrier is giving them so they cannot access to the website i want due to the security rule that my partner company defined only allowing traffic from my interface WAN 188.8.131.52.
I was thinking in the globalprotect configuration, in the split tunnel conf, include the IP of my partner server where the website is hosted but that won't work due to the dynamic Ips.
I've tried to explain myself the best i can sorry if something does not make sense to you.
I have define some routes of some branch offices that i need my GP clients to access to. I was thinking to define routes to access the servers where the website is hosted at but with dynamic IPs is not gonna work. :(
First of all, thank you for your help.
I tried that before, but i can't include the address object with the target-website-fqdn.
It's like the fw just let me include objects with IP addresses because when i'm going to include the object with the fqnd i can't see it
@PedroPablo: in the client-settings where you configure the ip-routes. There is a second tab with domain and application.
There you can say sample.com with port 443 will be routed through the tunnel. that doen't work?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!