11-08-2017 08:33 AM
Dear all,
I am looking for a way to get a site-to-site tunnel working between a Palo Alto with a static public IP and a Palo Alto with a "dynamic" endpoint (public IP through DHCP).
The tunnel shows as status green in the GUI and it also shows up on the CLI, but no traffic is passing. I found a how-to on the Palo Alto pages, and I am using the User FQDN instead of the IP peer address.
Do I need to use a proxy ID between the 2 Palo Altos, or can I use static for the tunnel at both ends? Or perhaps both?
11-08-2017 01:57 PM
Hi Mate,
Check the traffic logs?
Is the traffic going down the tunnel when it should?
Have ye set a static route for the traffic that's needed to go down the tunnel?
Do you need NAT traversal enabled?
Don't need the proxy IDs. A few links below should help ye research further.
Dynamic DNS can help when you don't have a static address.
https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-IPSec-VPN/ta-p/56535
cheers
Rob
11-09-2017 02:19 AM
Hello Rob,
I might have found the issue, as since the tunnels are basically inside to inside, the previous engineer didn't add a rule to allow zone internal/inside to internal/inside on the dynamic endpoint side/firewall. I will keep you posted.
Jeff.
11-10-2017 12:46 AM
IP connectivity worked between several locations with a static public IP and the site with a dynamic public IP; however, internal websites weren't reachable, whilst the external ones just worked fine (and Outlook). I could reach the engineer's laptop through RDP, and also the management IP of the Palo Alto was reachable through the GUI. The Palo Alto didn't block any HTTP or HTTPS. The Palo Alto has a DHCP pool and 2 DNS entries to serve the internal network. The local engineer could also ping the 2 DNS IPs.
Although close to a solution, our time window ran out, so I had to do a rollback to the pfSense 😞
Will keep you posted on the progress.
11-10-2017 07:29 AM
Hi @fortigatefan,
This should be a fairly straightforward configuration. It sounds like you were able to reach resources through the remote firewall, but the remote party was unable to access resources through your own firewall, correct?
If that's the case you'll need to verify a couple things.
1) There is a security policy in place that actually allows the remote users to access your local resources through the tunnel on both your remote firewall and the local firewall. It sounds like you may have allowed the traffic through to the remote end, but you aren't allowing that remote end through the terminating firewall.
2) Have you tried reaching these internal sites strictly through IP instead of DNS? You may have allowed HTTP/HTTPS through the firewall, but if the remote location's DNS server doesn't know to point these users to your internal webserver, then it's just going to send them out to the external website.
Adding a little bit of the configuration from both ends might help a little in further troubleshooting, but that's where I would start looking.
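The two checks in the reply above (a permit rule on both firewalls, and whether the remote site's DNS answer even sends the request into the tunnel) can be walked through with a small model of the forwarding decision. This is an added example, not configuration or code from the thread or from Palo Alto Networks: the route lookup chooses the egress interface, that interface's zone becomes the destination zone, and an explicit rule must allow source zone to destination zone, with everything else denied. Site names, addresses, interface and zone names, rules and DNS answers are all constructed, and the tunnel interface is assumed to sit in its own "vpn" zone so that both directions need an explicit rule.

```python
"""Toy model of the two checks above, evaluated on both ends of the tunnel.

Route lookup -> egress interface -> destination zone -> security rule match.
A packet only reaches the far-end firewall if it egresses via the tunnel
interface. All names, addresses and rules are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Firewall:
    name: str
    zones: dict        # interface name -> zone name
    routes: list       # (prefix, egress interface); longest prefix wins
    policies: list     # (from_zone, to_zone, application) allow rules; rest denied

    def egress_interface(self, dst):
        """Longest-prefix-match route lookup; None if no route exists."""
        dst = ip_address(dst)
        best = None
        for prefix, iface in self.routes:
            net = ip_network(prefix)
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def evaluate(self, in_iface, dst, app):
        """Return (verdict, egress interface); unmatched zone pairs are denied."""
        egress = self.egress_interface(dst)
        if egress is None:
            return ("no-route", None)
        src_zone, dst_zone = self.zones[in_iface], self.zones[egress]
        for frm, to, allowed_app in self.policies:
            if frm == src_zone and to == dst_zone and allowed_app in (app, "any"):
                return ("allow", egress)
        return ("deny", egress)


def trace_path(dst, app, hops):
    """hops: (firewall, ingress interface) pairs in traversal order.
    Stops at the first deny, and also when traffic leaves through a
    non-tunnel interface, because it then never reaches the next hop."""
    results = []
    for fw, in_iface in hops:
        verdict, egress = fw.evaluate(in_iface, dst, app)
        results.append((fw.name, verdict, egress))
        if verdict != "allow" or not egress.startswith("tunnel."):
            break
    return results


def build_site_a():
    """Static-IP site hosting the intranet server 10.1.0.50 (constructed)."""
    return Firewall(
        name="site-a",
        zones={"ethernet1/1": "untrust", "ethernet1/2": "inside", "tunnel.1": "vpn"},
        routes=[("0.0.0.0/0", "ethernet1/1"), ("10.1.0.0/24", "ethernet1/2"),
                ("10.2.0.0/24", "tunnel.1")],
        policies=[("inside", "untrust", "any"), ("vpn", "inside", "web-browsing")],
    )


def build_site_b(with_vpn_rule):
    """Dynamic-IP site; the inside -> vpn rule models the one found missing."""
    policies = [("inside", "untrust", "any")]
    if with_vpn_rule:
        policies.append(("inside", "vpn", "any"))
    return Firewall(
        name="site-b",
        zones={"ethernet1/1": "untrust", "ethernet1/2": "inside", "tunnel.1": "vpn"},
        routes=[("0.0.0.0/0", "ethernet1/1"), ("10.2.0.0/24", "ethernet1/2"),
                ("10.1.0.0/24", "tunnel.1")],
        policies=policies,
    )


# Constructed DNS answers for one intranet hostname: the site's own DNS server
# returns the private address, a public resolver returns the public one.
INTRANET_DNS = {"internal": "10.1.0.50", "public": "203.0.113.10"}


def check_intranet(resolver, site_b_has_rule):
    """Walk a web request from a site-B user to the intranet host through both firewalls."""
    dst = INTRANET_DNS[resolver]
    hops = [(build_site_b(site_b_has_rule), "ethernet1/2"), (build_site_a(), "tunnel.1")]
    return trace_path(dst, "web-browsing", hops)


if __name__ == "__main__":
    for resolver in ("public", "internal"):
        for has_rule in (False, True):
            print(resolver, "rule" if has_rule else "no-rule",
                  check_intranet(resolver, has_rule))
```

Run stand-alone it prints the three outcomes the thread describes: with a public DNS answer the request is allowed out the untrust interface and never enters the tunnel (external sites work, internal hostnames do not); with the private answer but no inside-to-vpn rule the dynamic site drops it at the tunnel interface; with the rule in place it is allowed at both firewalls. The same walk is what `test security-policy-match` and the traffic log give you on the real device, one firewall at a time.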
11-10-2017 07:54 AM
Hello BPry,
We have to postpone the migration 2 weeks, but I might be able to ask if we can install a spare laptop at the location to do some testing next time during the migration.