02-11-2010 04:26 PM
I am fairly new to configuring VPNs. I configured SSL-VPN using the wonderful guides found on this site and was able to log in with no problems. With the VPN active all of my traffic was routing out through my PaloAlto device perfectly; I could surf the net all day with my traffic through the company IP address. When I try to talk to the servers on the internal network I can only see the two DNS servers I have configured under Network -> SSL-VPN. If I ping any other server on the internal network it resolves DNS (obviously I can talk to the DNS servers) but the requests time out. I am certain I am missing something simple.
What do I need to change to be able to see more than just my DNS servers on the internal network from my VPN clients?
-Michael
02-12-2010 09:27 AM
Hi Michael,
A couple other things to check:
If the rest of the internal network is behind a router, make sure you have all of the network routes in the Virtual Router on the PAN. If you don't see anything in the traffic log it's usually an indication that there is a lower-level routing issue.
Also, the PAN does not proxy-arp for the IP-Pool, so you will need to put a static route on your next-hop router with a destination of the IP-pool pointing back to the PAN.
It is especially important to use an IP pool that is on a separate subnet from the internal network if there is no next-hop router to the internal network so you can easily force routing to the IP-Pool. Otherwise you are relying on ARPs, which the PAN does not do today for the IP-Pool.
Cheers,
Kelly
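The three routing conditions in the reply above (pool on its own subnet, internal routes present in the firewall's virtual router, and a return route for the pool on the next-hop router) can be checked before committing a config. This is an added example, not code from the thread or from Palo Alto Networks; the function name, the subnets, the route tables and the firewall inside address are constructed sample data.

```python
"""Pre-flight check of a remote-access VPN IP pool against the internal network.
Added example; all addresses, routes and the firewall inside IP are constructed."""
import ipaddress


def check_pool_layout(pool, internal_subnets, firewall_routes, next_hop_routes, firewall_ip):
    """Return a list of findings; an empty list means no issue was found.

    pool             - VPN client IP pool, e.g. "172.16.1.0/25"
    internal_subnets - subnets the VPN clients must reach
    firewall_routes  - (destination, next_hop) entries in the firewall's virtual router
    next_hop_routes  - (destination, next_hop) entries on the internal router, or None
                       for a flat network whose hosts default-route to the firewall
    firewall_ip      - firewall inside address the router must use to reach the pool
    """
    findings = []
    pool_net = ipaddress.ip_network(pool)
    fw_ip = ipaddress.ip_address(firewall_ip)

    # 1. The pool must not overlap any internal subnet: inside an overlapping subnet
    #    hosts would ARP for pool addresses, and the firewall does not proxy-ARP
    #    for the pool, so replies never come back.
    internal = [ipaddress.ip_network(s) for s in internal_subnets]
    for net in internal:
        if pool_net.overlaps(net):
            findings.append(f"pool {pool_net} overlaps internal subnet {net}")

    # 2. Every internal subnet needs a covering route (connected or static) in the
    #    firewall's virtual router; without one the traffic never reaches policy
    #    and nothing shows up in the traffic log.
    fw_dests = [ipaddress.ip_network(d) for d, _ in firewall_routes]
    for net in internal:
        if not any(net.subnet_of(d) for d in fw_dests):
            findings.append(f"virtual router has no route covering {net}")

    # 3. With a next-hop router in the path, it needs a route for the pool (a
    #    default route counts) whose next hop is the firewall's inside address.
    if next_hop_routes is not None:
        has_return = any(
            pool_net.subnet_of(ipaddress.ip_network(dest))
            and ipaddress.ip_address(nh) == fw_ip
            for dest, nh in next_hop_routes
        )
        if not has_return:
            findings.append(f"next-hop router has no route for {pool_net} via {fw_ip}")
    return findings
```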
02-11-2010 05:07 PM
Hi Michael,
Depending on which Zone your Tunnel interface is assigned to, you may need to create a Security Policy to allow traffic to flow. You would need a rule that allows traffic from that Zone to your internal network Zone. It sounds like your Tunnel interface might be in your outside or "untrust" zone.
It's usually best to put your Tunnel interface on the internal network Zone (in which case you don't need policy to communicate with internal resources) or put the Tunnel interface into its own VPN Zone (in which case you will need policy). The former is easier to configure and the latter is considered more secure.
Cheers,
Kelly
02-12-2010 09:03 AM
Kelly,
Thanks for the quick reply.
Tunnel interface is in Zone: trust
To access VPN I have it configured to be a loopback interface of our untrust interface. I did this because our mail server is currently mapped to HTTPS on .122
Untrust interface is .122
loopback interface for VPN is .124
both in Untrust zone.
I set up a rule From: ANY To: ANY Source: VPN IP (172.16.1.0/24) From User: VPN Users
Connect to VPN and then ping yahoo.com. Look at Traffic logs and see
From: trust To: untrust Source 172.16.1.1 Destination: 209.191.93.53 User local:mauger Action: allow Rule: VPN Ingress I/F: tunnel Egress I/F eth 1/1
Ping one of the DNS servers I have configured in the SSL-VPN and look at Traffic logs, I see
From: trust To: trust Source 172.16.1.1 Destination: 192.168.1.60 User local:mauger Action: allow Rule: VPN Ingress I/F: tunnel Egress I/F eth 1/2
Ping any server that is on the internal network that isn't a configured DNS server in the SSL-VPN and the requests time out.
I look at the traffic logs and see no traffic.
I set the VPN rule to Deny all traffic to Trust and I can no longer talk to the two DNS servers. I check the traffic logs and I can see it deny all traffic to the two DNS servers. Traffic to any other server on the internal network still doesn't show up in the logs.
Not sure what I need to do.
-Michael
02-14-2010 09:13 PM
Changed from 172.16.1.0/24 to 172.16.1.0/25. Solved all my problems.
Thank you!
Might consider modifying "How to Set Up and Configure SSL-VPN" doc @ https://live.paloaltonetworks.com/docs/DOC-1157
06-16-2010 09:23 AM
Actually, the 176.16.1.0/24 works for me. No need to modify.