04-15-2019 01:43 AM - edited 04-15-2019 01:49 AM
The Gateway/Portal of my setup works fine.
It's routing I think that's not working.
I just want a client over GP to hit local networks off the PANOS.
IP Pool and access routes that have been defined work just fine.. I can see the client has been bestowed these when it connects..
What's the basic setup from a routing perspective ?
- I set up a tunnel.## interface, and default vr, and assign the GP gateway to it
- I add the tunnel.## to zone of 'untrust'
- I add a static route under vr's (even though I read an article that routes are automatically added for this ? https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CluKCAS) where the IP pool assigned in the Client Config of Gateway is pointed to tunnel.##.. no next hop IP defined.
- NAT perhaps is my issue ? I need an exempt ? Where source zone is trust and destination zone is untrust and destination interface is tunnel.## ? I did this.. still no go..
04-15-2019 07:09 PM
Buh.. it was a sec policy.. even though I had an implicit deny log start and end. I never saw the traffic in monitor.
But adding a sec pol worked.. Go figure..
04-15-2019 05:59 AM
@mpgioia wrote: I just want a client over GP to hit local networks off the PANOS.
Did you configure routes in your internal network that route the GP IP pool to the firewall? When you try to reach something in your internal network, what does the log show you - are there sessions with 0 bytes received?
(I don't know if this does cause any problems but the static route that you configured for the IP pool with the tunnel interface as destination I would remove as it is really not necessary)
04-15-2019 05:40 PM - edited 04-15-2019 06:00 PM
UPDATE.. sourced from inside the networks attached to PANOS.. I can reach the VPN client.
But the other way.. sourcing from PANGP client .. I can't get in.
Which,
a. means routing is fine
b. I can see in a traceroute from PANGP client I get nothing from next hop of gateway.. and the 'Access Routes' are working/in place so I should get to the CIDR via the PANGP gateway address assigned..
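The end state the thread arrives at (tunnel interface in a zone and virtual router, pool handed out by the gateway, no static route, and an explicit security rule with logging so the sessions show up in Monitor), written out as PAN-OS set commands. This is an added example, not configuration posted by anyone in the thread; the interface number, zone names, pool range and rule name are assumptions, and the `#` lines are annotations rather than CLI input.

```text
# Added example; tunnel.10, zones 'untrust'/'trust', 10.99.0.0/24 and rule names are assumed.

# 1. Tunnel interface for the GP gateway, attached to the default virtual router.
set network interface tunnel units tunnel.10
set network virtual-router default interface tunnel.10

# 2. Zone for the tunnel interface. The thread uses 'untrust'; a dedicated zone
#    for GP clients would let the rule below be scoped even more tightly.
set zone untrust network layer3 tunnel.10

# 3. Address object matching the client IP pool configured on the gateway.
set address GP-Pool ip-netmask 10.99.0.0/24

# 4. No static route for the pool: as the reply above notes, it is not needed
#    (the firewall adds the route for the pool on the tunnel interface itself).
#    The internal network still needs a route for 10.99.0.0/24 back to the firewall.

# 5. The piece that fixed the thread: an explicit rule from the tunnel zone to the
#    inside zone, limited to the pool, logging at session end so hits appear in Monitor.
set rulebase security rules GP-Clients-to-Inside from untrust
set rulebase security rules GP-Clients-to-Inside to trust
set rulebase security rules GP-Clients-to-Inside source GP-Pool
set rulebase security rules GP-Clients-to-Inside destination any
set rulebase security rules GP-Clients-to-Inside application any
set rulebase security rules GP-Clients-to-Inside service application-default
set rulebase security rules GP-Clients-to-Inside action allow
set rulebase security rules GP-Clients-to-Inside log-end yes

# 6. Log the implicit interzone deny too, so anything the rule above does not
#    match is visible as a drop instead of silently disappearing.
set rulebase default-security-rules rules interzone-default log-end yes

# 7. Checks after commit, from the CLI:
#    show session all filter source 10.99.0.0/24     (are sessions being created?)
#    show running security-policy                    (is the new rule in place and ordered above any deny?)
```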