I have a new portal and gateway and I'm trying to get users to access internal resources. I can see connections in the monitoring logs and get session end reason of either aged-out or n/a. Internal resources are able to reach GP users so the traffic is flowing outbound correctly. Somewhat new to PA and I'm thinking I'm missing a route or a NAT, something simple. Any suggestions?
I'm assuming I want to route to the interface (ethernet 1/8) with the assigned network that is behind that interface (10.100.0.0/24) and a next hop of none since it is directly connected. Having this configured I am still not able to reach internal resources on that interface. I am able to reach Internet resources. Ideas?
@jeff_mattson Are you using different Security Zones for the internal, internet, and VPN interfaces? And are you using different routing tables for each?
Your GP Gateway is presumably attaching VPN-connected clients to a tunnel interface (Network->GP->Gateway->[config]->Agent->Tunnel Settings). Are you using the default routing table on that tunnel, or a secondary routing table (Network->Interfaces->Tunnel->[tunnel]->Virtual Router)? If the routing tables are different, then you need to add routes to the source/destination routing tables for traffic to go in both directions. As an example:
Internal clients are in 10.100.0.0/24 on ethernet1/8, routing table "default"
VPN clients are in 192.168.32.0/24 on tunnel.999, routing table "WAN2"
Then in the routing tables you need "next vr" hops to jump to the alternate routing table (Network->Virtual Routers->[config]):
table default - desc="path to VPN clients", dest=192.168.32.0/24, type=next-vr, value=WAN2
table WAN2 - desc="path to internal clients", dest=10.100.0.0/24, type=next-vr, value=default
You don't put in standard interface/next-hop IP address routes when jumping between routing tables, because the destination interface doesn't exist within the current routing table.
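The two next-vr routes from the example above written out as PAN-OS CLI configuration, followed by the lookups that confirm each direction resolves. This is an added illustration, not part of the reply; the VR names and prefixes are the reply's example values, and the two host addresses used in the checks are made up.

```text
# Configure mode: one next-vr static route in each virtual router,
# so traffic can be forwarded in both directions.
configure
set network virtual-router default routing-table ip static-route to-vpn-clients destination 192.168.32.0/24 nexthop next-vr WAN2
set network virtual-router WAN2 routing-table ip static-route to-internal-clients destination 10.100.0.0/24 nexthop next-vr default
commit
exit

# Operational mode: forward lookup (VPN client -> internal host) is done in WAN2,
# the return lookup (internal host -> VPN client) is done in default.
# 10.100.0.50 and 192.168.32.10 are made-up addresses for the check.
test routing fib-lookup virtual-router WAN2 ip 10.100.0.50
test routing fib-lookup virtual-router default ip 192.168.32.10

# Show the installed routes in each table; a missing entry in either one
# leaves traffic flowing one way, and those sessions simply age out.
show routing route virtual-router default
show routing route virtual-router WAN2
```

If both fib-lookups return a next-vr entry and sessions still age out, the routing between tables is fine and the remaining suspects are the security policy between the VPN and internal zones or a NAT rule rewriting the VPN client source.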
I am using different Security Zones for the interfaces but only the default Virtual Router. I'm assuming one routing table per VR instance giving me a single routing table. From your example above it appears I need another routing table/Virtual Router instance. Is this possible with a single routing table? How does Palo process the routing table?
In my setup (configured by someone different and now gone) I have 3 routing tables, a default and a routing table for each of 2 WAN interfaces, with the VPNs running on respective WANs. So each routing table needs respective routes. If you only have a single table then that is probably not it (but I don't have experience with that particular setup).