Basic GP routing/NAT/policy

L1 Bithead

The Gateway/Portal of my setup works fine.

It's routing I think that's not working.

 

I just want a client over GP to hit local networks off the PANOS. 

The IP pool and access routes have been defined and work just fine.. I can see the client has been bestowed these when it connects..

 

What's the basic setup from a routing perspective ?

- I set up a tunnel.## interface, and default vr, and assign the GP gateway to it

- I add the tunnel.## to zone of 'untrust'

- I add a static route under the VR (even though I read an article saying routes are automatically added for this? https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CluKCAS) where the IP pool assigned in the Client Config of the Gateway is pointed to tunnel.##.. no next-hop IP defined.

- Is NAT perhaps my issue? Do I need an exemption, where the source zone is trust, the destination zone is untrust and the destination interface is tunnel.##? I did this.. still no go..


L7 Applicator

@mpgioia wrote:

I just want a client over GP to hit local networks off the PANOS. 


Did you configure routes in your internal network that route the GP IP pool to the firewall? When you try to reach something in your internal network, what does the log show you? Are there sessions with 0 bytes received?

 

(I don't know if this causes any problems, but I would remove the static route that you configured for the IP pool with the tunnel interface as destination, as it is really not necessary.)

@Remo 

I see nothing in 'Monitor' -> 'Traffic'.. 

 

But going back to my list of steps.. does it seem right?

UPDATE.. sourced from inside the networks attached to PANOS.. I can reach the VPN client. 

But the other way.. sourcing from PANGP client .. I can't get in.  

 

Which,

a. means routing is fine

b. I can see in a traceroute from the PANGP client that I get nothing from the next hop of the gateway.. and the 'Access Routes' are working/in place, so I should get to the CIDR via the PANGP gateway address assigned..

Buh.. it was a sec policy.. even though I had an implicit deny log start and end.  I never saw the traffic in monitor.

But adding a sec pol worked.. Go figure.. 
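The accepted solution above points at a security-policy gap rather than routing, and Remo's question about what the log shows is the other half of the same problem: the implicit interzone-default rule denies without logging unless logging is enabled on it, which is consistent with seeing nothing under Monitor -> Traffic while the GP client is being dropped. As an added example that is not part of this thread and not Palo Alto Networks' own tooling, the following Python script parses the XML shape of a PAN-OS configuration export and reports, for a given tunnel interface, GP IP pool and LAN zone, three things: which zone the tunnel interface lands in, which allow rules would match pool traffic from that zone into the LAN zone, and whether interzone-default is set to log at session end. The interface name tunnel.10, the pool 10.99.0.0/24, the zone names and the two embedded config fragments (the thread's situation before and after the added policy) are constructed for the illustration.

```python
"""Audit a PAN-OS config export for the GlobalProtect-to-LAN path.

Added illustration for the thread above, not Palo Alto's own tooling.
It reads the XML layout of a PAN-OS running config (zone membership,
security rulebase, default interzone rule) and reports what decides
whether a GP client in the IP pool can reach a LAN zone, and whether
a drop would even appear under Monitor -> Traffic.
"""
import ipaddress
import xml.etree.ElementTree as ET

VSYS = "./devices/entry/vsys/entry"  # first vsys in the export


def zone_of_interface(root, ifname):
    """Return the zone that lists `ifname` as a layer3 member, else None."""
    for zone in root.findall(f"{VSYS}/zone/entry"):
        if ifname in [m.text for m in zone.findall("network/layer3/member")]:
            return zone.get("name")
    return None


def _members(entry, tag):
    return [m.text for m in entry.findall(f"{tag}/member")]


def _covers(prefixes, pool):
    """True if 'any' or some literal prefix fully contains the GP pool."""
    net = ipaddress.ip_network(pool)
    for p in prefixes:
        if p == "any":
            return True
        try:
            if net.subnet_of(ipaddress.ip_network(p)):
                return True
        except ValueError:  # address-object names are not resolved here
            continue
    return False


def rules_allowing(root, from_zone, to_zone, pool):
    """Names of allow rules that match GP-pool traffic from_zone -> to_zone."""
    hits = []
    for rule in root.findall(f"{VSYS}/rulebase/security/rules/entry"):
        if rule.findtext("action") != "allow":
            continue
        if from_zone not in _members(rule, "from") and "any" not in _members(rule, "from"):
            continue
        if to_zone not in _members(rule, "to") and "any" not in _members(rule, "to"):
            continue
        if _covers(_members(rule, "source"), pool):
            hits.append(rule.get("name"))
    return hits


def interzone_default_logs(root):
    """True when the implicit interzone deny is set to log at session end."""
    path = (f"{VSYS}/rulebase/default-security-rules/rules/"
            "entry[@name='interzone-default']/log-end")
    return root.findtext(path) == "yes"


def audit(xml_text, tunnel_if, pool, lan_zone):
    """Summarise the GP-to-LAN path: tunnel zone, matching allow rules, deny logging."""
    root = ET.fromstring(xml_text)
    zone = zone_of_interface(root, tunnel_if)
    return {
        "tunnel_zone": zone,
        "allow_rules": rules_allowing(root, zone, lan_zone, pool) if zone else [],
        "deny_is_logged": interzone_default_logs(root),
    }


# Constructed config fragments in the shape of a PAN-OS export (not from a real device).
# BROKEN mirrors the thread: tunnel.10 sits in 'untrust', only a trust->untrust rule
# exists, and interzone-default does not log, so dropped GP traffic is invisible.
BROKEN = """<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<zone>
 <entry name="trust"><network><layer3><member>ethernet1/2</member></layer3></network></entry>
 <entry name="untrust"><network><layer3><member>ethernet1/1</member><member>tunnel.10</member></layer3></network></entry>
</zone>
<rulebase>
 <security><rules>
  <entry name="lan-to-internet"><from><member>trust</member></from><to><member>untrust</member></to>
   <source><member>any</member></source><destination><member>any</member></destination><action>allow</action></entry>
 </rules></security>
 <default-security-rules><rules>
  <entry name="interzone-default"><action>deny</action><log-end>no</log-end></entry>
 </rules></default-security-rules>
</rulebase>
</entry></vsys></entry></devices></config>"""

# FIXED adds the security policy the accepted solution describes and turns on
# logging for the implicit deny so future gaps show up in Monitor -> Traffic.
FIXED = BROKEN.replace(
    '<entry name="lan-to-internet">',
    '<entry name="gp-to-lan"><from><member>untrust</member></from><to><member>trust</member></to>'
    '<source><member>10.99.0.0/24</member></source><destination><member>any</member></destination>'
    '<action>allow</action></entry>\n  <entry name="lan-to-internet">',
).replace("<log-end>no</log-end>", "<log-end>yes</log-end>")

if __name__ == "__main__":
    for label, cfg in (("before", BROKEN), ("after", FIXED)):
        print(label, audit(cfg, "tunnel.10", "10.99.0.0/24", "trust"))
```

Run against a real export (`show config running` saved as XML, or the XML from the device's export), the check only evaluates literal CIDRs in the rule's source field; address objects and groups are skipped rather than resolved, so a rule that references the pool by object name is reported as a miss and should be checked by hand. An empty `allow_rules` list together with `deny_is_logged` being false is exactly the combination the thread ran into: the traffic was being dropped by the implicit interzone deny, and nothing was logged to show it.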
