DNS external Global Protect

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

DNS external Global Protect

L4 Transporter

Good afternoon:

I hope you can help me with this, thank you very much in advance.

I have Global Protect configured as follows:

GP: IP pool 172.16.11.0/24
Split-tunnel Include: 192.100.11.0/24 ( Corporate LAN )
DNS assigned Global Protect: 8.8.8.8.8 and 4.2.2.2.2

Home LAN: 192.168.1.254 

Gateway/DNS Home LAN: 192.168.1.254

 

The connection works and operates correctly.

 

The issue is as follows:

Connected from a home with a typical modem internet outlet with ADLS, when connecting to the Global protect, I lose the internet connection, it does not resolve DNS.

To partially solve this, I had to create a SNAT policy with the GP zone and add a policy to allow it to output DNS queries to 8.8.8.8.8 and 4.2.2.2.2.

 

The question is because if I have the Split, only for the corporate network and configured not to lose access to the local network. I do not lose access, because I ping example to the Gateway of the house that is the 192.168.1.254 ( LAN network of the house 192.168.1.0/24 ) which in turn is the DNS, if I lose connectivity to the Internet and does not resolve the DNS. With the current configuration, without using neither policy nor nat, I should be able to resolve DNS with the home DNS and not have to do it through the global protect connection.
Please help if there is a way for all Internet traffic (DNS and all other traffic) to continue to occupy the home network where Global Protect is accessed and only for access to the corporate LAN (192.100.11.0/24) use the client vpn tunnel.

Thank you very much.

 

High Sticker
1 accepted solution

Accepted Solutions

Hi @Metgatz ,

 

I haven't noticed this before, but it seems that GlobalProtect will install host route for the DNS address pointing to the VPN tunnel. This somehow make sense, because it is making sure you can reach the DNS server that you have configured.

 

4.2.2.2.2 255.255.255.255 On link 172.16.11.3 1
8.8.8.8.8 255.255.255.255.255 On link 172.16.11.3 1

 

If you plan to use public DNS servers when GP users are connected, you can simply configure the GlobalProtect to not send any DNS at all. That way any user will use local DNS settings.

 

View solution in original post

5 REPLIES 5

L7 Applicator

Hi @Metgatz 

How does the routing table look like when you are connected with global protect?

@Remo 

 

Thank you very much for your answer, help and support.

The requested. I clarify that I use PAN OS 10.0.6 Global Protect 5.2.7

Thanks

 

IPv4 Routing Table
===========================================================================
Active routes:
Network destination Network mask Network gateway Gateway MAC Interface
0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.71 50
4.2.2.2.2 255.255.255.255 On link 172.16.11.4 1
8.8.8.8.8 255.255.255.255.255 On link 172.16.11.4 1
127.0.0.0.0 255.0.0.0 On link 127.0.0.1 331
127.0.0.1 255.255.255.255.255 In link 127.0.0.1 331
127.255.255.255.255 255.255.255.255 On link 127.0.0.0.1 331
172.16.11.4 255.255.255.255.255 On link 172.16.11.4 257
187.170.88.208 255.255.255.255 192.168.1.254 192.168.1.71 50
192.100.11.0 255.255.255.255.0 On link 172.16.11.4 1
192.100.11.0 255 255.255.255.255.255 On link 172.16.11.4 257
192.168.1.0 255.255.255.255.0 On link 192.168.1.71 306
192.168.1.71 255.255.255.255.255 On link 192.168.1.71 306
192.168.1.1 255 255.255.255.255.255 On link 192.168.1.71 306

 

Global Protect Adapter:

 

Ethernet Ethernet Adapter 5:

Specific DNS suffix for the connection. . :
Description .... . . . . . . . . . . . . PANGP Virtual Ethernet Adapter
Physical Address. . . . . . . . . . . . . . . : 02-50-41-00-00-01
DHCP enabled . . . . . . . . . . . . . . . . .
Automatic configuration enabled . . . . . : s¡
IPv4 address. . . . . . . . . . . . . . . . : 172.16.11.4 (Preferred)
Subnet mask. . . . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . :
IAID DHCPv6 . . . . . . . . . . . . . . . . . : 1442992193
DHCPv6 client DUID. . . . . . . . . . : 00-01-00-01-26-80-36-24-50-7B-9D-31-85-5B
DNS servers. . . . . . . . . . . . . . : 8.8.8.8
4.2.2.2
NetBIOS over TCP/IP . . . . . . . . . . . . ... : enabled

 

Wireless LAN Adapter:

 

Wi-Fi Wireless LAN Adapter:

Specific DNS suffix for the connection. . . : huawei.net
Description . . . . . . . . . . . . . . . . : Intel(R) Dual Band Wireless-AC 7260
Physical Address. . . . . . . . . . . . . . . : 7C-7A-91-86-AC-13
DHCP enabled . . . . . . . . . . . . . . . : s¡
Automatic configuration enabled . . . . . : s¡
IPv6 address . . . . . . . . . . . . : 2806:105e:12:4fa2::3(Preferido)
Concession obtained. . . . . . . . . . . . . : Wednesday, August 11, 2021 2:25:15 PM
Concession expires . . . . . . . . . . . . . ... : Wednesday, August 11, 2021 17:25:15
IPv6 Address . . . . . . . . . . . . : 2806:105e:12:4fa2:f472:a71e:26c2:5fe8(Preferido)
IPv6 Address . . . . . . . . . . . . : fdc8:5195:ebe8:6300:f472:a71e:26c2:5fe8(Preferido)
Temporary IPv6 address. . . . . . : 2806:105e:12:4fa2:30b0:eb49:14aa:ee5b(Preferido)
Temporary IPv6 address. . . . . . : fdc8:5195:ebe8:6300:30b0:eb49:14aa:ee5b(Preferido)
Link: local IPv6 address. . . : fe80::f472:a71e:26c2:5fe8%18(Preferido)
IPv4 address. . . . . . . . . . . . . . . : 192.168.1.71 (Preferred)
Subnet mask. . . . . . . . . . . . . . : 255.255.255.0
Concession obtained . . . . . . . . . . . . . ...: Wednesday, August 11, 2021 13:07:48 PM
Concession expires . . . . . . . . . . . . . . : thursday, 12 august 2021 14:25:12
Default gateway . . . . . . : fe80::1%18
192.168.1.254
DHCP server . . . . . . . . . . . . . . . : 192.168.1.254
IAID DHCPv6 . . . . . . . . . . . . . . . . : 293370513
DHCPv6 client DUID. . . . . . . . . . : 00-01-00-01-26-80-36-24-50-7B-9D-31-85-5B
DNS servers. . . . . . . . . . . . . . : fe80::1%18
192.168.1.254
192.168.1.254
NetBIOS over TCP/IP. . . . . . . . . . . . . .



High Sticker

@Remo 

 

Thank you for your response.

The requested:

 

IPv4 Routing Table
===========================================================================
Active routes:
Network destination Network mask Network gateway Gateway MAC Interface
0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.65 50
4.2.2.2.2 255.255.255.255 On link 172.16.11.3 1
8.8.8.8.8 255.255.255.255.255 On link 172.16.11.3 1
127.0.0.0 255.0.0.0 255.0.0.0 On link 127.0.0.1 331
127.0.0.1 255.255.255.255.255 On link 127.0.0.1 331
127.255.255.255.255 255.255.255.255 On link 127.0.0.0.1 331
169.254.0.0 255.255.255.0.0 On link 169.254.51.247 281
169.254.51.247 255.255.255.255.255 In link 169.254.51.247 281
169.254.255.255.255 255 255.255.255.255 In link 169.254.51.247 281
172.16.11.3 255.255.255.255.255.255 On link 172.16.11.3 257
187.170.88.208 255.255.255.255 192.168.1.254 192.168.1.65 50
192.100.11.0 255.255.255.255.0 On link 172.16.11.3 1
192.100.11.0 255 255.255.255.255.255 On link 172.16.11.3 257
192.168.1.0 255.255.255.255.0 On link 192.168.1.65 306
192.168.1.65 255.255.255.255.255 On link 192.168.1.65 306
192.168.1.1 255 255.255.255.255.255 On link 192.168.1.65 306
192.168.126.0 255.255.255.255.0 On link 192.168.126.1 291
192.168.126.1 255.255.255.255.255 On link 192.168.126.1 291
192.168.126.1 255 255.255.255.255.255.255 On link 192.168.126.1 291

 

____________

 

Ethernet Ethernet 2 adapter:

Specific DNS suffix for the connection. . :
Description .... . . . . . . . . . . . . PANGP Virtual Ethernet Adapter
Physical Address. . . . . . . . . . . . . . . : 02-50-41-00-00-01
DHCP enabled . . . . . . . . . . . . . . . . .
Automatic configuration enabled . . . . . : s¡
IPv4 address. . . . . . . . . . . . . . . . : 172.16.11.3 (Preferred)
Subnet mask. . . . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . :
IAID DHCPv6 . . . . . . . . . . . . . . . . . : 218255425
DHCPv6 client DUID. . . . . . . . . . : 00-01-00-01-27-D9-6E-F6-34-73-5A-CD-5D-BE
DNS servers. . . . . . . . . . . . . . : 8.8.8.8

 

__________________________

 

Wi-Fi wireless LAN adapter:

Specific DNS suffix for the connection. . : huawei.net
Description . . . . . . . . . . . . . . . . : Intel(R) Wi-Fi 6 AX201 160MHz
Physical Address. . . . . . . . . . . . . . . : 50-2F-9B-40-BE-7E
DHCP enabled . . . . . . . . . . . . . . . : s¡
Automatic configuration enabled . . . . . : s¡
IPv6 address . . . . . . . . . . . . : 2806:105e:12:3f0f::2(Preferido)
Grant obtained. . . . . . . . . . . . . ...: Wednesday, August 11, 2021 07:23:00 p. m.
Concession expires . . . . . . . . . . . . : Wednesday, August 11, 2021 11:53:00 p. m.
IPv6 address. . . . . . . . . . . . : 2806:105e:12:3f0f:71e5:9435:f232:db1a(Preferido)
IPv6 Address . . . . . . . . . . . . : fdc8:5195:ebe8:6300:71e5:9435:f232:db1a(Preferido)
Temporary IPv6 address. . . . . . : 2806:105e:12:3f0f:2d73:da63:2c3f:47f4(Preferido)
Temporary IPv6 address. . . . . . : fdc8:5195:ebe8:6300:2d73:da63:2c3f:47f4(Preferido)
Link: local IPv6 address. . . : fe80::71e5:9435:f232:db1a%9(Preferido)
IPv4 address. . . . . . . . . . . . . . . : 192.168.1.65(Preferred)
Subnet mask. . . . . . . . . . . . . . : 255.255.255.0
Concession obtained . . . . . . . . . . . . . ...: Wednesday, August 11, 2021 06:35:51 p. m.
Concession expires . . . . . . . . . . . . ...: Thursday, August 12, 2021 07:22:57 p. m.
Default gateway . . . . . . : fe80::1%9
192.168.1.254
DHCP server . . . . . . . . . . . . . . . : 192.168.1.254
IAID DHCPv6 . . . . . . . . . . . . . . . . : 122695579
DHCPv6 client DUID. . . . . . . . . . : 00-01-00-01-27-D9-6E-F6-34-73-5A-CD-5D-BE
DNS servers. . . . . . . . . . . . . . : fe80::1%9
192.168.1.254
192.168.1.254
NetBIOS over TCP/IP. . . . . . . . . . . . ... : enabled

 

 

 

 

High Sticker

Hi @Metgatz ,

 

I haven't noticed this before, but it seems that GlobalProtect will install host route for the DNS address pointing to the VPN tunnel. This somehow make sense, because it is making sure you can reach the DNS server that you have configured.

 

4.2.2.2.2 255.255.255.255 On link 172.16.11.3 1
8.8.8.8.8 255.255.255.255.255 On link 172.16.11.3 1

 

If you plan to use public DNS servers when GP users are connected, you can simply configure the GlobalProtect to not send any DNS at all. That way any user will use local DNS settings.

 

@aleksandar.astardzhiev 

Excellent, thank you very much.

I removed the public dns from the configuration and it resolves without problems, with the DNS assigned locally.

Thanks for the tips.

Regards

High Sticker
  • 1 accepted solution
  • 5354 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!