Global Protect users unable to access internal resources


L1 Bithead

I have a new portal and gateway and I'm trying to get users to access internal resources.  I can see connections in the monitoring logs and get session end reason of either aged-out or n/a.  Internal resources are able to reach GP users so the traffic is flowing outbound correctly.  Somewhat new to PA and I'm thinking I'm missing a route or a NAT, something simple.  Any suggestions?

5 REPLIES

Cyber Elite

@jeff_mattson,

It sounds like you are missing a route, as you stated. I'd look at your routes and verify that you actually have that set up properly for your internal resources. I wouldn't suspect a NAT issue for this traffic in a generic network setup.

I'm assuming I want to route to the interface (ethernet 1/8) with the assigned network that is behind that interface (10.100.0.0/24) and a next hop of none since it is directly connected.  Having this configured I am still not able to reach internal resources on that interface.  I am able to reach Internet resources.  Ideas?

L6 Presenter

@jeff_mattson Are you using different Security Zones for the internal, internet, and VPN interfaces? And are you using different routing tables for each?


Your GP Gateway is presumably attaching VPN-connected clients to a tunnel interface (Network->GP->Gateway->[config]->Agent->Tunnel Settings). Are you using the default routing table on that tunnel, or a secondary routing table (Network->Interfaces->Tunnel->[tunnel]->Virtual Router)? If the routing tables are different, then you need to add routes to the source/destination routing tables for traffic to go in both directions. As an example:

Internal clients are in 10.100.0.0/24 on ethernet1/8, routing table "default"

VPN clients are in 192.168.32.0/24 on tunnel.999, routing table "WAN2"


Then in the routing tables you need "next vr" hops to jump to the alternate routing table (Network->Virtual Routers->[config]):

table default - desc="path to VPN clients", dest=192.168.32.0/24, type=next-vr, value=WAN2

table WAN2 - desc="path to internal clients", dest=10.100.0.0/24, type=next-vr, value=default


You don't put in standard interface/next-hop IP address routes when jumping between routing tables, because the destination interface doesn't exist within the current routing table.
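As an added illustration of the two-virtual-router setup described in the reply above (this is not configuration from the original post), the PAN-OS CLI `set` commands below express the same example using the post's own names: ethernet1/8 with 10.100.0.0/24 in virtual router "default", tunnel.999 with 192.168.32.0/24 in virtual router "WAN2". The static-route names (to-vpn-clients, to-internal-clients) and the test addresses used in the lookups are assumed; lines beginning with `#` are annotations, not CLI commands. The final operational-mode commands are the checks to run after the commit: each `fib-lookup` should resolve to a next-vr entry rather than report no route. Note that these routes only move packets between the two tables; a security policy from the GlobalProtect client zone to the internal zone is still a separate requirement.

```text
# Interface membership: each interface lives in exactly one virtual router
set network virtual-router default interface ethernet1/8
set network virtual-router WAN2 interface tunnel.999

# default -> WAN2: lets traffic for VPN clients jump to the tunnel's table
set network virtual-router default routing-table ip static-route to-vpn-clients destination 192.168.32.0/24 nexthop next-vr WAN2

# WAN2 -> default: the return path; without it replies to internal hosts have no route
set network virtual-router WAN2 routing-table ip static-route to-internal-clients destination 10.100.0.0/24 nexthop next-vr default

commit

# Verification (operational mode); test addresses are assumed
show routing route virtual-router default
show routing route virtual-router WAN2
test routing fib-lookup virtual-router default ip 192.168.32.10
test routing fib-lookup virtual-router WAN2 ip 10.100.0.10
```

If one of the two `fib-lookup` checks fails while the other succeeds, the tables are asymmetric: the first packet will be forwarded but the reply is dropped, which shows up in the traffic log as a session that ages out rather than one ended by policy.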

I am using different Security Zones for the interfaces but only the default Virtual Router.  I'm assuming one routing table per VR instance giving me a single routing table. From your example above it appears I need another routing table/Virtual Router instance.  Is this possible with a single routing table?  How does Palo process the routing table?

L6 Presenter

In my setup (configured by someone different and now gone) I have 3 routing tables, a default and a routing table for each of 2 WAN interfaces, with the VPNs running on respective WANs. So each routing table needs respective routes. If you only have a single table then that is probably not it (but I don't have experience with that particular setup).
