Global Protect on overlapping networks

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Global Protect on overlapping networks

L1 Bithead

Hello everybody!

I have a big problem with Global Protect and overlapping networks.

I make you an example.

-------------

My local network is 192.168.10.x

My Global Protect Network is 172.16.x.x

The external network has the same class of my local network

--------------

If I connect my lapton in any networks everything works good but if the network has the same class of my local network Global Protec Client on my laptop discover the "outside network" like extenal network (perfect thing) but if I try to access some service like webserver or Exchange I encounter connection error.

Can I resolve this specific situation? How?

Another think ... I can resolve and ping for example my internal DNS

Help me please ....

1 accepted solution

Accepted Solutions

This is by design: if the GP client is located in a network that is identical to the one used in the VPN tunnel (let's call it localnet vs officenet) all traffic will be pushed into the tunnel

If the localnet is a subnet of officenet (so localnet/24 vs officenet/21) the more specific network will "win" the route so local resources remain reachable

In this case if there is an IP overlap where a local resource uses the same IP as a remote resource, the local resource will be reachable and the remote not.

In case of an identical subnet (/24 vs/24) remote resources will be available while local ones will not be

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

View solution in original post

29 REPLIES 29

L3 Networker

You are hitting your external gateway fine, but are unable to access internal resources?  Is this correct?

A couple places to look for a problem.

  • Check to make sure that you have a security rule in place from inside to outside with your IP range for the GP pool. And vice versa.
  • Check that you have a route in place on your vrouter to allow you to stay inside once you have connected to the GP client.

Could you upload images of your vrouter and interfaces?

Also, make sure that your IP pool that you are assigning clients from GP is not the same network as your internal resources.  It has to be something different.

Yes ... but only some address. For Example the DNS server works good.

I think I've find the error. I've missed the Access Route in Gateway configuration.

That'll do it.  Let me know if that fixes it.  If you just enter 0.0.0.0 in the access routes for the Gateway, that will take care of it.

If I use 0.0.0.0/0 or leave everything blank I have the overlapping problem.

If I submit my network class everything works but I cannot block for example the web-browsing because I bypass my firewall for navigation.

Does your vrouter have a route to internal resources?

Do you mean I have to create I single route for I single resource in VR?

No not necessarily.  For instance, I have 2 rules on my Vrouter for 172 and 192 addresses that point them from my external interface to my internal gateway.

Here is what my vrouter looks like:

Tomorrow I'm going to try your solution. I give you a feedback asap

Here I'm!

After a morning of test these are the results:

First of all we've updated the firmware at 4.0.5.

After that we've made a test with our client on external network. The result is not good!

Example:

We are on external network (class: 192.168.10.x/24) and try to connect trought GP at our network (same class but /21). We can ping and reach some IP but not all! For example the Exchange server not respond.

I attach the route create by GP client on external notebook and our VR

According to your schemata pic, there is not a route in there for 192.168.10.x/24.  Honestly, I would remove all of the routes that you have for all of your 192 addresses and just make the route state 192.168.0.0/16 to your gateway.  That way anything coming from 192.168 routes to the gateway.

Another thing to check would be to make sure that all of your internal DNS issues can resolve.  I.E. in your external gateway config do you have the addresses of your DNS servers entered and a DNS suffix?

Also, could you show screen shots of your portal and gateway config?

Yes ...

  • 1 accepted solution
  • 19214 Views
  • 29 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!