08-11-2021 12:54 PM
Good afternoon:
I hope you can help me with this, thank you very much in advance.
I have Global Protect configured as follows:
GP: IP pool 172.16.11.0/24
Split-tunnel Include: 192.100.11.0/24 ( Corporate LAN )
DNS assigned by GlobalProtect: 8.8.8.8 and 4.2.2.2
Home LAN: 192.168.1.254
Gateway/DNS Home LAN: 192.168.1.254
The connection works and operates correctly.
The issue is as follows:
Connected from a home with a typical ADSL modem Internet connection, when I connect to GlobalProtect I lose the Internet connection: it does not resolve DNS.
To partially solve this, I had to create a SNAT policy for the GP zone and add a policy allowing it to send DNS queries out to 8.8.8.8 and 4.2.2.2.
The question is: if I have the split tunnel only for the corporate network, and it is configured so as not to lose access to the local network (I do not lose it, because I can ping, for example, the home gateway 192.168.1.254 on the home LAN 192.168.1.0/24, which is also the DNS), why do I lose Internet connectivity and DNS resolution? With the current configuration, without using either a policy or NAT, I should be able to resolve DNS with the home DNS and not have to do it through the GlobalProtect connection.
Please help if there is a way for all Internet traffic (DNS and everything else) to keep using the home network from which GlobalProtect is accessed, and to use the VPN client tunnel only for access to the corporate LAN (192.100.11.0/24).
Thank you very much.
08-11-2021 01:13 PM
Hi @Metgatz
What does the routing table look like when you are connected with GlobalProtect?
08-11-2021 02:16 PM
Thank you very much for your answer, help and support.
Here is what you requested. I should clarify that I use PAN-OS 10.0.6 and GlobalProtect 5.2.7.
Thanks
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.254     192.168.1.71     50
          4.2.2.2  255.255.255.255         On-link       172.16.11.4      1
          8.8.8.8  255.255.255.255         On-link       172.16.11.4      1
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
      172.16.11.4  255.255.255.255         On-link       172.16.11.4    257
   187.170.88.208  255.255.255.255    192.168.1.254     192.168.1.71     50
     192.100.11.0    255.255.255.0         On-link       172.16.11.4      1
   192.100.11.255  255.255.255.255         On-link       172.16.11.4    257
      192.168.1.0    255.255.255.0         On-link      192.168.1.71    306
     192.168.1.71  255.255.255.255         On-link      192.168.1.71    306
    192.168.1.255  255.255.255.255         On-link      192.168.1.71    306
GlobalProtect adapter:

Ethernet adapter Ethernet 5:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : PANGP Virtual Ethernet Adapter
   Physical Address. . . . . . . . . : 02-50-41-00-00-01
   DHCP Enabled. . . . . . . . . . . :
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 172.16.11.4 (Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 1442992193
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-26-80-36-24-50-7B-9D-31-85-5B
   DNS Servers . . . . . . . . . . . : 8.8.8.8
                                       4.2.2.2
   NetBIOS over Tcpip. . . . . . . . : Enabled
Wireless LAN adapter:

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . : huawei.net
   Description . . . . . . . . . . . : Intel(R) Dual Band Wireless-AC 7260
   Physical Address. . . . . . . . . : 7C-7A-91-86-AC-13
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2806:105e:12:4fa2::3 (Preferred)
   Lease Obtained. . . . . . . . . . : Wednesday, August 11, 2021 2:25:15 PM
   Lease Expires . . . . . . . . . . : Wednesday, August 11, 2021 17:25:15
   IPv6 Address. . . . . . . . . . . : 2806:105e:12:4fa2:f472:a71e:26c2:5fe8 (Preferred)
   IPv6 Address. . . . . . . . . . . : fdc8:5195:ebe8:6300:f472:a71e:26c2:5fe8 (Preferred)
   Temporary IPv6 Address. . . . . . : 2806:105e:12:4fa2:30b0:eb49:14aa:ee5b (Preferred)
   Temporary IPv6 Address. . . . . . : fdc8:5195:ebe8:6300:30b0:eb49:14aa:ee5b (Preferred)
   Link-local IPv6 Address . . . . . : fe80::f472:a71e:26c2:5fe8%18 (Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.71 (Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Wednesday, August 11, 2021 13:07:48 PM
   Lease Expires . . . . . . . . . . : Thursday, August 12, 2021 14:25:12
   Default Gateway . . . . . . . . . : fe80::1%18
                                       192.168.1.254
   DHCP Server . . . . . . . . . . . : 192.168.1.254
   DHCPv6 IAID . . . . . . . . . . . : 293370513
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-26-80-36-24-50-7B-9D-31-85-5B
   DNS Servers . . . . . . . . . . . : fe80::1%18
                                       192.168.1.254
                                       192.168.1.254
   NetBIOS over Tcpip. . . . . . . . :
08-11-2021 08:24 PM
Thank you for your response.
Here is what you requested:
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.254     192.168.1.65     50
          4.2.2.2  255.255.255.255         On-link       172.16.11.3      1
          8.8.8.8  255.255.255.255         On-link       172.16.11.3      1
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
      169.254.0.0      255.255.0.0         On-link    169.254.51.247    281
   169.254.51.247  255.255.255.255         On-link    169.254.51.247    281
  169.254.255.255  255.255.255.255         On-link    169.254.51.247    281
      172.16.11.3  255.255.255.255         On-link       172.16.11.3    257
   187.170.88.208  255.255.255.255    192.168.1.254     192.168.1.65     50
     192.100.11.0    255.255.255.0         On-link       172.16.11.3      1
   192.100.11.255  255.255.255.255         On-link       172.16.11.3    257
      192.168.1.0    255.255.255.0         On-link      192.168.1.65    306
     192.168.1.65  255.255.255.255         On-link      192.168.1.65    306
    192.168.1.255  255.255.255.255         On-link      192.168.1.65    306
    192.168.126.0    255.255.255.0         On-link     192.168.126.1    291
    192.168.126.1  255.255.255.255         On-link     192.168.126.1    291
  192.168.126.255  255.255.255.255         On-link     192.168.126.1    291
Ethernet adapter Ethernet 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : PANGP Virtual Ethernet Adapter
   Physical Address. . . . . . . . . : 02-50-41-00-00-01
   DHCP Enabled. . . . . . . . . . . :
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 172.16.11.3 (Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 218255425
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-27-D9-6E-F6-34-73-5A-CD-5D-BE
   DNS Servers . . . . . . . . . . . : 8.8.8.8

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . : huawei.net
   Description . . . . . . . . . . . : Intel(R) Wi-Fi 6 AX201 160MHz
   Physical Address. . . . . . . . . : 50-2F-9B-40-BE-7E
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2806:105e:12:3f0f::2 (Preferred)
   Lease Obtained. . . . . . . . . . : Wednesday, August 11, 2021 07:23:00 PM
   Lease Expires . . . . . . . . . . : Wednesday, August 11, 2021 11:53:00 PM
   IPv6 Address. . . . . . . . . . . : 2806:105e:12:3f0f:71e5:9435:f232:db1a (Preferred)
   IPv6 Address. . . . . . . . . . . : fdc8:5195:ebe8:6300:71e5:9435:f232:db1a (Preferred)
   Temporary IPv6 Address. . . . . . : 2806:105e:12:3f0f:2d73:da63:2c3f:47f4 (Preferred)
   Temporary IPv6 Address. . . . . . : fdc8:5195:ebe8:6300:2d73:da63:2c3f:47f4 (Preferred)
   Link-local IPv6 Address . . . . . : fe80::71e5:9435:f232:db1a%9 (Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.65 (Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Wednesday, August 11, 2021 06:35:51 PM
   Lease Expires . . . . . . . . . . : Thursday, August 12, 2021 07:22:57 PM
   Default Gateway . . . . . . . . . : fe80::1%9
                                       192.168.1.254
   DHCP Server . . . . . . . . . . . : 192.168.1.254
   DHCPv6 IAID . . . . . . . . . . . : 122695579
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-27-D9-6E-F6-34-73-5A-CD-5D-BE
   DNS Servers . . . . . . . . . . . : fe80::1%9
                                       192.168.1.254
                                       192.168.1.254
   NetBIOS over Tcpip. . . . . . . . : Enabled
08-12-2021 01:23 AM
Hi @Metgatz ,
I hadn't noticed this before, but it seems that GlobalProtect will install a host route for each DNS address pointing to the VPN tunnel. This somehow makes sense, because it is making sure you can reach the DNS server that you have configured.
          4.2.2.2  255.255.255.255         On-link       172.16.11.3      1
          8.8.8.8  255.255.255.255         On-link       172.16.11.3      1
If you plan to use public DNS servers when GP users are connected, you can simply configure GlobalProtect not to send any DNS servers at all. That way every user will use their local DNS settings.
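To make the host-route behaviour described above easy to check on a client, here is an added Python example (it is not code from the thread or from Palo Alto Networks). It parses the IPv4 section of a Windows `route print` table, does a longest-prefix-match lookup (longest prefix wins, lowest metric on ties; this is a simplification, since Windows also folds interface metrics into the decision), and reports whether each DNS server the client uses would egress through the PANGP adapter or the home Wi-Fi adapter. The sample table is constructed from the output posted earlier in the thread (172.16.11.4 is the PANGP adapter, 192.168.1.71 the Wi-Fi adapter). The helper `without_pushed_dns_routes` is my own simulation of the fix Tim describes: when GlobalProtect no longer pushes DNS servers, the /32 host routes are gone and DNS falls back to the default route on the home LAN.

```python
import ipaddress
import re

# Constructed sample: the IPv4 route table posted in the thread while
# GlobalProtect was connected, with the pushed DNS host routes present.
ROUTE_PRINT_SAMPLE = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.254     192.168.1.71     50
          4.2.2.2  255.255.255.255         On-link       172.16.11.4      1
          8.8.8.8  255.255.255.255         On-link       172.16.11.4      1
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
      172.16.11.4  255.255.255.255         On-link       172.16.11.4    257
   187.170.88.208  255.255.255.255    192.168.1.254     192.168.1.71     50
     192.100.11.0    255.255.255.0         On-link       172.16.11.4      1
      192.168.1.0    255.255.255.0         On-link      192.168.1.71    306
     192.168.1.71  255.255.255.255         On-link      192.168.1.71    306
===========================================================================
"""

TUNNEL_IFACE = "172.16.11.4"   # PANGP Virtual Ethernet Adapter address (from the thread)

# destination  netmask  gateway-or-On-link  interface  metric
ROUTE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


def parse_route_table(text):
    """Return a list of (network, gateway, interface, metric) from `route print` text."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue  # headers, separators and the IPv6 section do not match
        dest, mask, gateway, iface, metric = m.groups()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gateway, iface, int(metric)))
    return routes


def lookup(routes, dst):
    """Longest-prefix match; on equal prefix length the lowest metric wins (simplified)."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))


def egress_interface(routes, dst):
    """Interface address a packet to `dst` would leave through, or None if unroutable."""
    route = lookup(routes, dst)
    return route[2] if route else None


def dns_egress_report(routes, dns_servers, tunnel_iface=TUNNEL_IFACE):
    """Map each DNS server to 'tunnel' or 'local' according to the selected route."""
    return {
        srv: ("tunnel" if egress_interface(routes, srv) == tunnel_iface else "local")
        for srv in dns_servers
    }


def without_pushed_dns_routes(routes, dns_servers):
    """Simulate GlobalProtect no longer pushing DNS: drop the /32 host routes it installed."""
    pushed = {ipaddress.ip_network(f"{srv}/32") for srv in dns_servers}
    return [r for r in routes if r[0] not in pushed]


if __name__ == "__main__":
    table = parse_route_table(ROUTE_PRINT_SAMPLE)
    pushed_dns = ["8.8.8.8", "4.2.2.2"]
    print("With GP-pushed DNS:   ", dns_egress_report(table, pushed_dns))
    fixed = without_pushed_dns_routes(table, pushed_dns)
    print("Without pushed DNS:   ", dns_egress_report(fixed, pushed_dns))
    print("Home DNS 192.168.1.254 egresses via", egress_interface(table, "192.168.1.254"))
```

On a real client, replace `ROUTE_PRINT_SAMPLE` with the text of `route print -4` and `TUNNEL_IFACE` with the PANGP adapter address; a "tunnel" result for a DNS server that is not reachable from the corporate side explains exactly the outage in the question, and "local" after the portal change confirms the fix took effect.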
08-12-2021 11:29 AM
Excellent, thank you very much.
I removed the public DNS servers from the configuration and it now resolves without problems, using the locally assigned DNS.
Thanks for the tips.
Regards