Accessing all company networks with GlobalProtect client


L1 Bithead

Hi!

Basic info:

PA-500 (software version 5.0.7)

Main location network: 10.10.1.0/24

Branch location network: 192.168.1.0/24

GlobalProtect client IP pool: 10.10.3.10 - 10.10.3.254

We have the main location network and the branch location network connected through an IPsec VPN. Our PA-500 is located at the main location and handles GlobalProtect client connections. When we connect through the GlobalProtect client, we are able to access only the main location network, but cannot access the branch network. How do we configure that? By adding another proxy ID to the IPsec tunnel? (local: 10.10.3.0/24, remote: 192.168.1.0/24 at the main location, and vice versa at the branch location)

Thanks!


Accepted Solutions
L4 Transporter

Hello kpv,

So I understand from your description that only the branch location network is inaccessible to the GP users.

Do you have,

1. A proxy ID for the GP subnet and the remote subnet (if doing a policy-based IPsec VPN)

2. A security policy from the GP-tunnel zone to the IPsec-tunnel zone on the PA500.

3. A return route/access from the branch network to the GP subnet on the peer side.

Thanks,

Aditi



All Replies
L6 Presenter

What did you configure for the access route? (GlobalProtect configuration)

L1 Bithead

Access route:

10.10.1.0/24

192.168.1.0/24

And I forgot to mention before: I don't know what appliance is at the other end of the tunnel (main - branch). Someone else will configure that one.

Not applicable

Do you have a route set on the branch location back to the main location as well?

Known as a back route.

L1 Bithead

Can't tell, I have no access to the appliance. But the VPN works fine: main - branch.

Not applicable

The VPN can work as is, independent of the route.

Steps:

1. Create the VPN

2. Set the route

3. Set the security rules

L6 Presenter

Then you just need a source NAT rule (if you have a security rule).

Write a NAT rule for source address 10.10.3.10 - 10.10.3.254, select the source zone, set the destination zone to branch, and for source NAT choose dynamic IP and port / interface and select the main location interface.

Then you should be able to access the branch without problems.
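The two fixes proposed in this thread (the three-item checklist in the accepted answer, and the source NAT shortcut in the reply above) both come down to whether the branch side can match the GP traffic on its tunnel and route the reply back. The following Python model walks a GlobalProtect client packet and its reply through both firewalls and reports which of the three conditions fails first. It is an added example, not code from Palo Alto Networks or from anyone in this thread: the prefixes are the thread's, while the zone names (gp-tunnel, vpn, trust), interface names (tunnel.1, tunnel.2, ethernet1/2), the branch host 192.168.1.50 and the main-site address 10.10.1.1 used for SNAT are assumptions.

```python
"""Reachability model: GlobalProtect clients behind the main-site PA-500 reaching a
branch subnet over a policy-based IPsec tunnel (added example; names are assumed)."""
import ipaddress
from dataclasses import dataclass, field

GP_POOL     = ipaddress.ip_network("10.10.3.0/24")    # GlobalProtect client pool (thread)
MAIN_NET    = ipaddress.ip_network("10.10.1.0/24")    # main location (thread)
BRANCH_NET  = ipaddress.ip_network("192.168.1.0/24")  # branch location (thread)
MAIN_EGRESS = ipaddress.ip_address("10.10.1.1")       # assumed main-site address used for SNAT


@dataclass
class Firewall:
    """Just enough of a policy-based-VPN firewall to reproduce the thread's checklist."""
    routes: list        # (destination network, egress interface)
    zone_of: dict       # interface -> zone
    proxy_ids: list     # (local network, remote network) configured on the IPsec tunnel
    policies: list      # (from zone, to zone, source network, destination network)
    snat: list = field(default_factory=list)  # (source network, to zone, translated source)

    def egress(self, dst):
        """Longest-prefix route lookup; None means the box has no route at all."""
        hits = [(net, intf) for net, intf in self.routes if dst in net]
        return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

    def allows(self, frm, to, src, dst):
        return any(frm == f and to == t and src in s and dst in d
                   for f, t, s, d in self.policies)

    def proxy_id_ok(self, local, remote):
        return any(local in l and remote in r for l, r in self.proxy_ids)

    def translate(self, src, to_zone):
        """Apply the first matching source-NAT rule, else leave the source untouched."""
        for net, zone, new_src in self.snat:
            if src in net and zone == to_zone:
                return new_src
        return src


def gp_to_branch(main, branch, client, server):
    """Walk one client->server packet and its reply; return (reachable, reason)."""
    # 1. Main site: the route to the branch picks the destination zone, then policy applies
    intf = main.egress(server)
    if intf is None:
        return False, "main: no route to the branch subnet"
    to_zone = main.zone_of[intf]
    if not main.allows("gp-tunnel", to_zone, client, server):
        return False, f"main: no security policy gp-tunnel -> {to_zone}"
    # 2. Source NAT (if any) is applied before the packet is matched against proxy IDs
    src = main.translate(client, to_zone)
    if not main.proxy_id_ok(src, server):
        return False, f"main: no proxy ID covering {src} -> {server}"
    if not branch.proxy_id_ok(server, src):
        return False, f"branch: no proxy ID covering {server} <- {src}"
    # 3. Reply: the branch must route the (possibly translated) source back into the tunnel
    back = branch.egress(src)
    if back is None or branch.zone_of[back] != "vpn":
        return False, f"branch: no return route for {src} via the tunnel"
    return True, "reachable"


def scenarios():
    """The thread's starting state, then each suggested fix applied in turn."""
    client = ipaddress.ip_address("10.10.3.10")      # first address of the GP pool
    server = ipaddress.ip_address("192.168.1.50")    # constructed branch host

    def main_fw(proxy_extra=(), policy_extra=(), snat=()):
        return Firewall(
            routes=[(MAIN_NET, "ethernet1/2"), (BRANCH_NET, "tunnel.1"), (GP_POOL, "tunnel.2")],
            zone_of={"ethernet1/2": "trust", "tunnel.1": "vpn", "tunnel.2": "gp-tunnel"},
            proxy_ids=[(MAIN_NET, BRANCH_NET), *proxy_extra],
            policies=[("gp-tunnel", "trust", GP_POOL, MAIN_NET), *policy_extra],
            snat=list(snat))

    def branch_fw(proxy_extra=(), route_extra=()):
        return Firewall(
            routes=[(BRANCH_NET, "ethernet1/2"), (MAIN_NET, "tunnel.1"), *route_extra],
            zone_of={"ethernet1/2": "trust", "tunnel.1": "vpn"},
            proxy_ids=[(BRANCH_NET, MAIN_NET), *proxy_extra],
            policies=[("vpn", "trust", BRANCH_NET, BRANCH_NET)])

    gp_policy = ("gp-tunnel", "vpn", GP_POOL, BRANCH_NET)
    return {
        "as_posted": gp_to_branch(main_fw(), branch_fw(), client, server),
        "policy_only": gp_to_branch(
            main_fw(policy_extra=[gp_policy]), branch_fw(), client, server),
        "policy_and_proxy_id": gp_to_branch(
            main_fw([(GP_POOL, BRANCH_NET)], [gp_policy]),
            branch_fw([(BRANCH_NET, GP_POOL)]), client, server),
        "full_fix": gp_to_branch(
            main_fw([(GP_POOL, BRANCH_NET)], [gp_policy]),
            branch_fw([(BRANCH_NET, GP_POOL)], [(GP_POOL, "tunnel.1")]), client, server),
        # Alternative from the thread: hide the GP pool behind a main-site address instead
        "snat_instead": gp_to_branch(
            main_fw(policy_extra=[gp_policy], snat=[(GP_POOL, "vpn", MAIN_EGRESS)]),
            branch_fw(), client, server),
    }


if __name__ == "__main__":
    for name, (ok, why) in scenarios().items():
        print(f"{name:20s} {'OK  ' if ok else 'FAIL'} {why}")
```

Running it shows the failures in the order the thread worked through them: no GP-to-tunnel security policy, then no proxy ID covering the GP pool, then no return route on the branch, and finally success once all three are in place. The `snat_instead` case succeeds with only the security policy added, because the translated source falls inside 10.10.1.0/24, which the branch already matches in its proxy ID and already routes back into the tunnel; the trade-off is that the branch side then sees the firewall's address rather than the individual client in its logs and rules, so per-client visibility at the branch is lost.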

L1 Bithead

Thanks for now. I will look into security and will be back.

L3 Networker

I was just having the same problem. It turned out to be a return route, as apasupulati suggested in item #3 of his post. Similar setup in this post: Client VPN traffic and routing over IPsec Tunnel
