global protect ssl-vpn and accessing the internet - v4.1

Reply
Highlighted
Not applicable

global protect ssl-vpn and accessing the internet - v4.1

I have built access via global protect for remote users and all is working fine except that they cannot access the internet.

1. DNS is assigned (internal)

2. All internal network resources are accessable

3. accessable routes includes 0.0.0.0/32

Any ideas?

Thanks,

John

Highlighted
Not applicable

Re: global protect ssl-vpn and accessing the internet - v4.1

Two things. In the gateway client config set the access route to 0.0.0.0/0. That eliminates split tunnel.

Make sure there is a rule that allows the VPN zone to access the untrust zone.

Also a NAT rule to NAT VPN users like you do for the inside or trusted network.

Last thing, make sure VPN tunnel is part of the same virtual router as the outside layer 3 interface.

Thank for the info Geovanni Morales

Highlighted
L4 Transporter

Re: global protect ssl-vpn and accessing the internet - v4.1

I am running into this problem as well. I have the access route 0.0.0.0/0 configured. I have a security policy to allow traffic from my VPN zone to the untrust zone. I created a NAT policy identical to the one in place for traffic from untrust to trust with the exception being traffic is coming from the VPN zone. See the screen shots below. I only have one virtual router but how do I make sure it is part of the same outside layer 3 interface?

NAT Policy:

NAT Policies.png

Security Policies:

Security Policies.png

Access Route:

Access Route.png

Highlighted
L4 Transporter

Re: global protect ssl-vpn and accessing the internet - v4.1

I was able to figure out the problem. I believe the issue was related to my NAT policy and routing. My NAT policy was translating traffic to the IP address of the interface used for our primary ISP but routing it out the interface for our secondary ISP.

I have ISP failover setup using PBF for the primary ISP and a virtual route for the secondary ISP. The PBF routes traffic from my trust to untrust zones. (There aren't any PBF rules configured with the source zone my VPN is using so the firewall should check the virtual router next.) I have a default route setup on the virtual router that is used in the event the PBF primary ISP route fails. I also had another default route for traffic that should already be routing traffic via the previously mentioned PBF policy, just with a lower priority metric (probably shouldn't even be there). I believe the NAT policy was translating traffic to the primary ISP interface IP address but the virtual route with a higher priority metric was sending that traffic out the secondary ISP interface. I removed the second "default" route and created another PBF policy that routes traffic from my VPN zone to the primary ISP interface. Tested and works great now!

I hope this made sense.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!