10-11-2011 06:20 AM
Hello everybody!
I have a big problem with Global Protect and overlapping networks.
Let me give you an example.
-------------
My local network is 192.168.10.x
My Global Protect Network is 172.16.x.x
The external network has the same class as my local network
--------------
If I connect my laptop to any network everything works well, but if the network has the same class as my local network, the Global Protect client on my laptop detects the "outside network" as an external network (perfect thing), but if I try to access some service like a webserver or Exchange I get a connection error.
Can I resolve this specific situation? How?
Another thing ... I can resolve and ping, for example, my internal DNS.
Help me please ....
10-12-2011 07:13 AM
PS: the DNS is configured.
10-12-2011 07:20 AM
On your portal IP and external gateway IP, are the public or private IPs?
If they are private, do you have a NAT rule in place for them to resolve to?
10-12-2011 07:26 AM
As I stated before, there is no route on your vrouter for 192.168.10.x/24 with next hop being your internal gateway. I would just make a mask 192.168.0.0/16 from your eth1/1 interface to the 192.168.10.253 address.
10-12-2011 07:29 AM
But the fact that your internal gateway IP and inside network gateway are on the same subnet could be an issue as well.
10-12-2011 07:38 AM
Ok. We've created the route like yours but nothing changed.
I'll post you our internal gateway configuration. Certainly our internal configuration is wrong. I thought that an internal IP was a good choice to let the GP client recognize when it is internal and when it is external.
What do you think about it?
10-12-2011 07:42 AM
The internal gateway should have an internal IP. Only difference between your config and mine is that I use a physical interface for my internal gateway instead of a loopback.
But your issue is when you connect through your external gateway that you cannot access internal resources, is this correct?
10-12-2011 07:50 AM
Everything works perfectly (internal and external) until I'm in an external network that has the same IP class as ours. In this case I can only reach some IPs.
10-12-2011 08:03 AM
Have you considered changing your IP scheme for your external gateway? Or try creating a NAT rule that would resolve your IP mask to a different subnet.
10-12-2011 08:15 AM
Also, you could enter explicit access routes in your external gateway config. Network->Gateways->"external gateway"->Client Configuration Tab->Access Routes, enter a generic subnet like 192.168.0.0/16.
10-12-2011 08:18 AM
Can you post me an example config?
10-12-2011 12:09 PM
The last test!
I've identified the computer in the external network which has the same IP as my server in the internal network. Ok?
If I leave this computer connected to the network I can't reach my internal server from my notebook. If I disconnect this computer from the network I can connect to my server.
Why???
Is it a bug?
10-17-2011 03:28 AM
This is by design: if the GP client is located in a network that is identical to the one used in the VPN tunnel (let's call it localnet vs officenet), all traffic will be pushed into the tunnel.
If the localnet is a subnet of officenet (so localnet/24 vs officenet/21), the more specific network will "win" the route, so local resources remain reachable.
In this case, if there is an IP overlap where a local resource uses the same IP as a remote resource, the local resource will be reachable and the remote one will not.
In the case of an identical subnet (/24 vs /24), remote resources will be available while local ones will not be.
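The two rules stated in the reply above (identical subnets: the tunnel takes everything; local subnet more specific than the office/access route: the local network wins, so a remote host with the same address becomes unreachable) are plain longest-prefix-match routing on the client. The following Python model, added here as an illustration and not code from the thread or from the GlobalProtect client, replays both cases plus the earlier suggestion of a generic 192.168.0.0/16 access route and the poster's final 0.0.0.0/0 setup. It assumes, as a modelling choice rather than a documented GlobalProtect value, that the client installs its access routes with a lower (better) metric than the LAN's connected route, which is what makes an equal-length tie go to the tunnel.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional

# Assumed metrics (not GlobalProtect's real values): the tunnel's routes are
# preferred over the LAN's connected route when the prefix lengths tie.
LAN_METRIC = 10
TUNNEL_METRIC = 1


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    via: str      # interface the packet leaves on: "lan" or "tunnel"
    metric: int   # tie-breaker for equal prefix lengths; lower wins


def route(cidr: str, via: str, metric: int) -> Route:
    return Route(ipaddress.ip_network(cidr), via, metric)


def select_route(routes: Iterable[Route], dst: str) -> Optional[Route]:
    """Host route lookup: longest matching prefix first, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.metric))


def egress(routes: Iterable[Route], dst: str) -> str:
    r = select_route(routes, dst)
    return r.via if r else "unreachable"


def shadowed_prefix(a_cidr: str, b_cidr: str) -> Optional[str]:
    """Two CIDR blocks are either nested or disjoint. Return the nested (more
    specific) one, i.e. the address range where one route hides the other."""
    a, b = ipaddress.ip_network(a_cidr), ipaddress.ip_network(b_cidr)
    if a.subnet_of(b):
        return str(a)
    if b.subnet_of(a):
        return str(b)
    return None


# Case 1: localnet and officenet are the same /24 -> tie on length, the
# tunnel's better metric wins, so the local host at that IP is unreachable.
def identical_subnet_case() -> str:
    routes = [route("192.168.10.0/24", "lan", LAN_METRIC),
              route("192.168.10.0/24", "tunnel", TUNNEL_METRIC)]
    return egress(routes, "192.168.10.50")  # "tunnel"


# Case 2: localnet/24 inside officenet/21 -> the local /24 is more specific,
# so a remote server sharing an address in that /24 is hidden by the local LAN.
def local_more_specific_case() -> str:
    routes = [route("192.168.10.0/24", "lan", LAN_METRIC),
              route("192.168.8.0/21", "tunnel", TUNNEL_METRIC)]
    return egress(routes, "192.168.10.50")  # "lan"


# Case 3: the generic 192.168.0.0/16 access route suggested earlier behaves
# like case 2 for the overlapping /24 and like the tunnel for the rest.
def generic_access_route_case() -> tuple:
    routes = [route("192.168.10.0/24", "lan", LAN_METRIC),
              route("192.168.0.0/16", "tunnel", TUNNEL_METRIC)]
    return (egress(routes, "192.168.10.50"),   # "lan"
            egress(routes, "192.168.20.5"))    # "tunnel"


# Case 4: a 0.0.0.0/0 access route: only the local connected prefix stays
# local; everything else, including the office, goes through the tunnel.
def default_route_case() -> tuple:
    routes = [route("192.168.10.0/24", "lan", LAN_METRIC),
              route("0.0.0.0/0", "tunnel", TUNNEL_METRIC)]
    return (egress(routes, "192.168.10.50"),   # "lan"
            egress(routes, "10.20.30.40"))     # "tunnel"


if __name__ == "__main__":
    print("identical /24 vs /24      ->", identical_subnet_case())
    print("local /24 inside /21      ->", local_more_specific_case())
    print("local /24 vs /16 access   ->", generic_access_route_case())
    print("local /24 vs 0.0.0.0/0    ->", default_route_case())
    print("range shadowed by local   ->",
          shadowed_prefix("192.168.10.0/24", "192.168.8.0/21"))
```

The practical reading of the model is the one the reply gives: overlap cannot be "fixed" on the client, only moved. Renumbering the office to a range that is unlikely to collide with home or hotel networks (or shrinking the local prefix so it no longer covers the remote servers) is what removes the shadowed range; `shadowed_prefix` tells you exactly which addresses are at stake for a given pair of prefixes.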
10-17-2011 04:14 AM
With this detail I've tried to reduce the subnet of my local network, and now everything works with the route 0.0.0.0/0 and the reduced local network.
Thanks. I hope somebody corrects/updates the administrator guide by specifying this detail.
Thanks again.
Daniele