Global Protect on overlapping networks

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Global Protect on overlapping networks

L1 Bithead

Hello everybody!

I have a big problem with Global Protect and overlapping networks.

I make you an example.

-------------

My local network is 192.168.10.x

My Global Protect Network is 172.16.x.x

The external network has the same class of my local network

--------------

If I connect my lapton in any networks everything works good but if the network has the same class of my local network Global Protec Client on my laptop discover the "outside network" like extenal network (perfect thing) but if I try to access some service like webserver or Exchange I encounter connection error.

Can I resolve this specific situation? How?

Another think ... I can resolve and ping for example my internal DNS

Help me please ....

29 REPLIES 29

PS: the DNS is configured.

On your portal IP and external gateway IP, are the public or private IPs?

If they are private, do you have a NAT rule in place for them to resolve to?

We've got public IP

As I stated before, there is not a route on your vrouter for 192.168.10.x/24 with next hop being your internal gateway.  I would just make a mask 192.168.0.0/16 from your eth1/1 interface to the 192.168.10.253 address.

But the fact that your internal gateway IP and inside network gateway are on the same subnet could be an issue as well.

Ok. We've created the route like yours but it's nothing change.

I post you our internal gateway configuration. Certainly our internal configuration is wrong. I thought that an internal IP was a good choice to allow GP client recognize when are internal and when are external.

what do you think about?

The internal gateway should have an internal IP.  Only difference between your config and mine is that I use a physical interface for my internal gateway instead of a loopback.

But your issue is when you connect through your external gateway that you cannot access internal resources, is this correct?

Everything work perfect (internal and external) until I'm in an external network that have the same IP class of our. in this case I can only reach some IP.

Have you considered changing your IP scheme for your external gateway?  Or try creating a NAT rule that would resolve your IP mask to a different subnet.

Also, you could enter explicit access routes in your external gateway config.  Network->Gateways->"external gateway"->Client Configuration Tab->Access Routes, enter a generic subnet like 192.168.0.0/16.

Can you post me an example config?

This is very generic.  If your internal network is 192.168.x.x/x try making an access route as 192.0.0.0/8.

In this example, I used 10.0.0.0/8 as you can see in the picture.

The last test!

I've identificated the computer in the external network who have the same IP of my server in the internal network. Ok?

If I leave this computer connect to the network I can't reach my internal server from my notebook. If I disconnect this computer from the network I can connect to my server.

Why???

Is it a bug?

This is by design: if the GP client is located in a network that is identical to the one used in the VPN tunnel (let's call it localnet vs officenet) all traffic will be pushed into the tunnel

If the localnet is a subnet of officenet (so localnet/24 vs officenet/21) the more specific network will "win" the route so local resources remain reachable

In this case if there is an IP overlap where a local resource uses the same IP as a remote resource, the local resource will be reachable and the remote not.

In case of an identical subnet (/24 vs/24) remote resources will be available while local ones will not be

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Whit this detail I've tried to reduce the subnet of my local network and now everything work whit the route 0.0.0.0/0 and the reduced local network.

Thanks. I hope somobody correct/update the administrator guide ad specifying this detail.

Thanks again.

Daniele

  • 21420 Views
  • 29 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!