Accessing all company networks with GlobalProtect client

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Accessing all company networks with GlobalProtect client

L1 Bithead

Hi!

Basic info:

PA-500 (software version 5.0.7)

Main location network: 10.10.1.0/24

Branch location network: 192.168.1.0/24

GlobalProtect client IP pool: 10.10.3.10 - 10.10.3.254

We have main location network and branch location network connected thru IPSec VPN. Our PA-500 is located on main location and handles GlobalProtect clients connections. When we connect thru GlobalProtect client, we are able to access only main location network, but cannot access branch network. How to configure that? By adding another proxy ID to IPSec tunnel? (local: 10.10.3.0/24, remote: 192.168.1.0/24 in main location and vice versa on branch location)

Thanks!

1 accepted solution

Accepted Solutions

L4 Transporter

Hello kpv,

So I understand from your description that only the Branch location network is inaccessible by the GP users.

Do you have,

1. Proxy Id for the GP subnet and remote subnet (if doing a policy based ipsec vpn)

2. Security policy from GP-tunnel zone to the Ipsec-tunnel zone on the PA500.

3. Return route/access from branch network to the GP subnet on the Peer side.

Thanks,

Aditi

View solution in original post

9 REPLIES 9

L6 Presenter

What did you configure for access route ? (Global Protect configuration)

Access route:

10.10.1.0/24

192.168.1.0/24

And i forgot to tell before: I don't know what appliance is at the other end of tunnel (main - branch). Someone else will configure that one.

Do you have set route on Branch location to Main location as well?

Know as back route.

Can't tell, have no access to appliance. But VPN works fine: main - brunch.

VPN can works as is independent on route.

Steps:

create VPN

set route

set security rules

Then you just need a source NAT rule.

(if you have security rule)

Write a NAT rule for source address 10.10.3.10 - 10.10.3.254 and also select zone, destination zone as branch and source NAT dynamic ip port / interface select Main Location interface.

Then you should access to branch without problem.

Thanks for now. I will look into security and will be back.

L4 Transporter

Hello kpv,

So I understand from your description that only the Branch location network is inaccessible by the GP users.

Do you have,

1. Proxy Id for the GP subnet and remote subnet (if doing a policy based ipsec vpn)

2. Security policy from GP-tunnel zone to the Ipsec-tunnel zone on the PA500.

3. Return route/access from branch network to the GP subnet on the Peer side.

Thanks,

Aditi

Was just having the same problem.  Turned out to be a return route as apasupulati suggested in item #3 of his post. Similar setup here in this post: Client VPN traffic and routing over IPsec Tunnel

  • 1 accepted solution
  • 5061 Views
  • 9 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!