Getting SSL-VPN clients to see internal servers

Reply
SoftwareMedia
Not applicable

Getting SSL-VPN clients to see internal servers

I am fairly new to configuring VPN's. I configured SSL-VPN using the wonderful guides found on this site and was able to log in with no problems. With the VPN active all of my traffic was routing out through my PaloAlto device perfectly I could surf the net all day with my traffic through the company IP address. When I try to talk to the servers on the internal network I can only see the two DNS servers I have configured under Network -> SSL-VPN. If I ping any other server on the internal network it resolves dns (obviously I can talk to the DNS servers) but the requests time out. I am certain I am missing something simple.

What do I need to change to be able to see more than just my DNS servers on the internal network from my VPN clients?

-Michael

Tags (2)

Accepted Solutions
kbrazil
L4 Transporter

Hi Michael,

A couple other things to check:

If the rest of the internal network is behind a router, make sure you have all of the network routes in the Virtual Router on the PAN.  If you don't see anything in the traffic log it's usually an indication that there is a lower-level routing issue.

Also, the PAN does not proxy-arp for the IP-Pool, so you will need to put a static route on your next-hop router with a destination of the IP-pool pointing back to the PAN.

It is especially important to use an IP pool that is on a separate subnet from the internal network if there is no next-hop router to the internal network so you can easily force routing to the IP-Pool.  Otherwise you are relying on ARPs, which the PAN does not do today for the IP-Pool.

Cheers,

Kelly

View solution in original post


All Replies
kbrazil
L4 Transporter

Hi Michael,

Depending on which Zone your Tunnel interface is assigned to, you may need to create a Security Policy to allow traffic to flow.  You would need a rule that allows traffic from that Zone to your internal network Zone.  It sounds like your Tunnel interface might be in your outside or "untrust" zone.

It's usually best to put your Tunnel interface on the internal network Zone (in which case you don't need policy to communicate with internal resources) or put the Tunnel interface into it's own VPN Zone. (in which case you will need policy)  The former is easier to configure and the latter is considered more secure.

Cheers,

Kelly

SoftwareMedia
Not applicable

Kelly,

Thanks for the quick reply.

Tunnel interface is in Zone: trust

To access VPN I have it configured to be a loopback interface of our untrust interface. I did this because our mail server is currently mapped to HTTPS on .122

Untrust interface is .122

loop back interface for VPN is .124

both in Untrust zone.

I setup a rule From: ANY To: ANY Source: VPN IP (172.16.1.0/24) From User: VPN Users

Connect to VPN and then ping yahoo.com. Look at Traffic logs and see


From: trust To: untrust Source 172.16.1.1 Destination: 209.191.93.53 User local:mauger Action: allow Rule: VPN Ingress I/F: tunnel Egress I/F eth 1/1

Ping one of the DNS servers I have configured in the SSL-VPN and look at Traffic logs I see

From: trust To: trust Source 172.16.1.1 Destination: 192.168.1.60 User local:mauger Action: allow Rule: VPN Ingress I/F: tunnel Egress I/F eth 1/2

Ping any server that is on the internal network that isn't a configured DNS server in the SSL-VPN and the requests time out.

I look at the traffic logs and see no traffic.

I set the VPN rule to Deny all traffic to Trust and I can no longer talk to the two DNS servers, I check traffic logs and I can see it deny all traffic to the two DNS servers. Traffic to any other server on the internal network still doesn't show up in the logs.

Not sure what I need to do.

-Michael

kbrazil
L4 Transporter

Hi Michael,

A couple other things to check:

If the rest of the internal network is behind a router, make sure you have all of the network routes in the Virtual Router on the PAN.  If you don't see anything in the traffic log it's usually an indication that there is a lower-level routing issue.

Also, the PAN does not proxy-arp for the IP-Pool, so you will need to put a static route on your next-hop router with a destination of the IP-pool pointing back to the PAN.

It is especially important to use an IP pool that is on a separate subnet from the internal network if there is no next-hop router to the internal network so you can easily force routing to the IP-Pool.  Otherwise you are relying on ARPs, which the PAN does not do today for the IP-Pool.

Cheers,

Kelly

View solution in original post

SoftwareMedia
Not applicable

Changed from 172.16.1.0/24 to 172.16.1.0/25. Solved all my problems.

Thank you!

Might consider modifying "How to Set Up and Configure SSL-VPN" doc @ https://live.paloaltonetworks.com/docs/DOC-1157

leole
L2 Linker

Actually, the 176.16.1.0/24 works for me. No need to modify.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!