Global Protect - External IP as source in VPN tunnel

Reply
sitecore
Not applicable

Global Protect - External IP as source in VPN tunnel

Hello PAN.

Trying to figure out why my connection on the VPN client was behaving a bit sporadic I noticed that *some* of the traffic send to the firewall from my GPA was using source IP = my client public IP, rather than my client private IP.

So. Some traffic is send with source IP = public IP, some traffic is being send with source IP = vpn IP.

VPN client i is tunnel mode, where only traffic to internal systems are being send to the firewall.

How can we make sure that tunnel traffic is only using source IP = vpn IP (so that it doesn't get dropped on the firewall) ?

Thanks

Jørgen

rmonvon
L6 Presenter

Hi...The remote client should be NAT'ed to one of the IPs in the VPN's ip pool if the traffic is going thru the VPN tunnel.  The VPN tunnel should be on a different zone than the public external zone.  Please take a look at the traffic log and check the src zone.

If you still need help, please open a case with Support.  Thanks.

sitecore
Not applicable

Yes - it *should* NAT with the VPN IP. But if I log dropped traffic on the firewall I see:

Inbound interface = VPN Tunnel interface

Source zone = our VPN zone

Source IP = my public IP

Destination zone = our internal zone (any of them :) )

Destination IP = internal IP

So it is certainly not NAT'ing *all* the traffic. It's a bit of both - which of course cannot be good for performence.

Br

Jørgen

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!