Do I have a split - full tunnel issue


L3 Networker

I'm a system admin, and have also become the Network guy.  This is okay: it's a small network.  I'm still learning.

I have a PA-200, installed by a VAR, in a colocation rack.  Rack is filled with Windows and Linux hosts. 


I need to alter the VPN so that when my users in the office connect from their laptops, they can see the systems (ssh, rdp, https) in the rack, while at the same time being able to connect to the office printer, the internet, and so on.


Thanks in Advance,


Brian


L7 Applicator

Hello Brian,

Could you please check the access route configuration in your GP gateway?

access-route.jpg

Related discussion: Re: Proper Way to allow Split-tunneling

Thanks

The easy way is to use a full tunnel (access route 0.0.0.0/0) and control the access to the hosts and the internet using security policies.

For example

From: specific_users to: DMZ Hosts_needed -> accept

From: All users to: Untrust ANY -> accept.

Also, if you need both, you can follow the guide below.

Using Global Protect with One gateway and both split - full tunnel

L3 Networker

Please check if there are networks defined in the access list. If yes, then you need to include the server and printer IPs there.

Important -  you also need security policy to allow the traffic.

e.g. VPN zone to Trust: allow access to <server ip>

Apologies for the delay - I'm a one-man IT department right now.

Access Routes: 209.49.29.29/32

access_route_sep_17.tiff

Hi Bdunbar,

If the access route is 209.49.29.29/32, then the GP client will not be able to access anything other than 209.49.29.29/32.

Regards,

Hardik Shah

Removed that value - and we're good.

I believe, now, that when the client PC logs into the VPN _all_ its traffic is going to the colocation rack and using their internet.  So I still need to set up the split tunnel per the above link. 

And next up: the powers that be want to expand our use of the apps and services on the servers in that rack, so 'a client per machine' is now a legacy solution and I need to think about a dedicated VPN tunnel.  Joy!

But I feel a lot better about this: thanks.

Hi Bdunbar,

You can configure all Networks used in COLO in "Access Route".

So Internet traffic will flow through the client's Internet circuit, and corporate traffic will flow through the VPN tunnel.

Regards,

Hardik Shah
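The two decisions the replies above describe, as an added example that is not from this thread or from Palo Alto Networks: first, the GP client only sends a packet into the tunnel when the destination matches an access route (longest prefix wins, so a single /32 carries exactly one host and 0.0.0.0/0 carries everything, office printer included); second, traffic that does enter the tunnel is still subject to the firewall's security policy, which denies by default between zones. The addresses, zone names and rules below are constructed for illustration and do not represent the poster's firewall.

```python
import ipaddress

# Constructed zones: which networks sit behind the PA-200 in the colo rack.
# Anything not listed is treated as Untrust (the Internet).
ZONES = {
    "DMZ": ["209.49.29.0/24"],     # constructed colo public range
    "Trust": ["10.20.0.0/16"],     # constructed colo internal range
}

# Constructed security rules from the VPN zone, evaluated first-match,
# in the spirit of "specific_users -> DMZ hosts_needed" and "All -> Untrust".
RULES = [
    ("DMZ", "209.49.29.29/32", "allow"),
    ("Untrust", "0.0.0.0/0", "allow"),
]

# Three access-route configurations discussed in the thread.
HOST_ONLY = ["209.49.29.29/32"]          # what the poster originally had
FULL = ["0.0.0.0/0"]                     # full tunnel
SPLIT = ["209.49.29.0/24", "10.20.0.0/16"]  # all COLO networks (constructed)


def _net(s):
    return ipaddress.ip_network(s, strict=False)


def path(dst, access_routes):
    """Return "tunnel" if the GP client would route dst into the VPN, else "local".
    The client installs one route per access route; longest prefix wins."""
    addr = ipaddress.ip_address(dst)
    nets = sorted((_net(r) for r in access_routes),
                  key=lambda n: n.prefixlen, reverse=True)
    return "tunnel" if any(addr in n for n in nets) else "local"


def zone_for(dst):
    """Map a destination to its firewall zone; unknown networks are Untrust."""
    addr = ipaddress.ip_address(dst)
    for zone, nets in ZONES.items():
        if any(addr in _net(n) for n in nets):
            return zone
    return "Untrust"


def policy_allows(dst):
    """First-match security policy from the VPN zone; no match is an implicit deny."""
    addr = ipaddress.ip_address(dst)
    zone = zone_for(dst)
    for to_zone, dst_net, action in RULES:
        if to_zone == zone and addr in _net(dst_net):
            return action == "allow"
    return False


def reachable_over_vpn(dst, access_routes):
    """A colo host is reachable only if it is both tunneled and permitted."""
    return path(dst, access_routes) == "tunnel" and policy_allows(dst)


if __name__ == "__main__":
    # Constructed destinations: the one colo host, a second rack host,
    # the office printer, and a public web site.
    for dst in ["209.49.29.29", "209.49.29.40", "192.168.10.50", "93.184.216.34"]:
        for name, routes in [("host-only", HOST_ONLY), ("full", FULL), ("split", SPLIT)]:
            print(f"{dst:15} {name:9} path={path(dst, routes):6} "
                  f"reachable_via_vpn={reachable_over_vpn(dst, routes)}")
```

Run it and the output shows why the /32 only reached one host (every other rack address is "local", i.e. never enters the tunnel), why the full tunnel dragged the printer traffic to the colo, and why the second rack host stays unreachable even under the split configuration until a rule for it is added: routing gets the packet to the firewall, policy decides whether it passes.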
