I'm trying to do something and I'm not really sure if it's possible. Let's get into it...
I have a URL, for example "www.myweb.com". Our partner is hosting that website, and their firewall only allows us access from our WAN IP.
Everything works fine and we can access it, but the problem comes when we try to do it through our VPN (GlobalProtect). Our clients going through the VPN don't have the same WAN IP, so our partner's firewall blocks them, and obviously they cannot allow all traffic.
I'm just trying to think of a solution, but my mind is blocked. Any suggestions?
You can define a policy-based routing rule to route traffic through another firewall interface for that specific address.
In addition to that, you will need another Hide-NAT rule to use the other public IP for that session.
If the other public IP is not managed by the VPN Palo Alto, you need to route that traffic (with PBF) to the other gateway.
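As an added worked example (not from the original thread), here is what the two rules described above look like as PAN-OS CLI set commands, together with the security rule the session still has to match. The GlobalProtect pool 10.10.10.0/24 and the interface ethernet1/1 come from the thread; the zone names GP-VPN and WAN-Partner, the partner host 198.51.100.10 and the upstream gateway 203.0.113.1 are assumptions and have to be replaced with your own values.

```text
# Lines starting with '#' are annotations, not PAN-OS CLI input.
# Assumed: zone GP-VPN contains the GlobalProtect tunnel interface,
# zone WAN-Partner contains ethernet1/1, the partner web host is
# 198.51.100.10 and the next hop out of ethernet1/1 is 203.0.113.1.

configure

# Address objects, so the rules steer only traffic to the partner host
set address GP-Clients ip-netmask 10.10.10.0/24
set address Partner-Web ip-netmask 198.51.100.10/32

# 1. PBF: send GP client traffic for the partner out of ethernet1/1
set rulebase pbf rules GP-to-Partner from zone GP-VPN
set rulebase pbf rules GP-to-Partner source GP-Clients
set rulebase pbf rules GP-to-Partner destination Partner-Web
set rulebase pbf rules GP-to-Partner application any
set rulebase pbf rules GP-to-Partner service any
set rulebase pbf rules GP-to-Partner action forward egress-interface ethernet1/1 nexthop ip-address 203.0.113.1

# 2. Hide NAT: source-translate that session to the ethernet1/1 address
#    (the "to" zone is the zone of the PBF egress interface)
set rulebase nat rules GP-Partner-SNAT from GP-VPN
set rulebase nat rules GP-Partner-SNAT to WAN-Partner
set rulebase nat rules GP-Partner-SNAT source GP-Clients
set rulebase nat rules GP-Partner-SNAT destination Partner-Web
set rulebase nat rules GP-Partner-SNAT service any
set rulebase nat rules GP-Partner-SNAT source-translation dynamic-ip-and-port interface-address interface ethernet1/1

# 3. Security policy: PBF and NAT do not allow anything by themselves
set rulebase security rules GP-to-Partner-Allow from GP-VPN
set rulebase security rules GP-to-Partner-Allow to WAN-Partner
set rulebase security rules GP-to-Partner-Allow source GP-Clients
set rulebase security rules GP-to-Partner-Allow destination Partner-Web
set rulebase security rules GP-to-Partner-Allow application any
set rulebase security rules GP-to-Partner-Allow service application-default
set rulebase security rules GP-to-Partner-Allow action allow

commit
```

Two things to check before blaming the rules. First, PBF and NAT only act on packets that actually arrive at the firewall over the tunnel; which destinations the client sends into the tunnel is decided by the GlobalProtect split-tunnel configuration, so the partner host must be inside the tunnel, not excluded from it. Second, you can confirm which rule a session from a pool address would hit with `test pbf-policy-match` and `test nat-policy-match` from the CLI before committing to a long troubleshooting session.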
I defined a PBF rule to route the traffic for the object "globalprotect clients" to one of my interfaces (the one that my partner allowed in his firewall). I also defined a NAT rule doing the same, but when I connect with the GlobalProtect client it is not routing the traffic where I want. It routes the traffic through my carrier or wherever I'm connected to.
I don't know if this is what you meant; if not, I think I didn't really understand your solution.
Thank you for your support though.
I made a quick little diagram to help:
So, what I did is:
- I defined a NAT rule where the source is the object GlobalProtect Clients (10.10.10.0/24) and the source translation (dynamic IP and port) is the WAN interface (eth1/1 - 188.8.131.52).
- I also defined a PBF rule where the source is the object GlobalProtect Clients (10.10.10.0/24) and the next hop is the GW of the IP pool that includes 184.108.40.206.
My problem is that people connected through the GlobalProtect client are using the WAN that their carrier gives them, so they cannot access the website I want because of the security rule my partner company defined, which only allows traffic from my WAN interface 220.127.116.11.
I was thinking that in the GlobalProtect configuration, in the split tunnel config, I could include the IP of my partner server where the website is hosted, but that won't work due to the dynamic IPs.
I've tried to explain myself as best I can; sorry if something does not make sense to you.