ISSUE WITH GLOBAL PROTECT

mbeghdadi
L2 Linker

We have configured One VR-1 only

Ethernet 1/1 is a WAN interface

Ethernet 1/2 is a WAN interface

Ethernet 1/3 is a WAN interface

Ethernet 1/4 is a LAN interface

We’ve created

ETH1-ZONE for Ethernet 1/1

ETH2-ZONE for Ethernet 1/2

ETH3-ZONE for Ethernet 1/3

ETH4-ZONE for Ethernet 1/4

VPN-ZONE for all the tunnels (used for remote connection with site-1 and site-2)

GP-ZONE used for GLOBAL PROTECT

STATIC ROUTE

We've a set of static routes:

LAN to ETH1

LAN to ETH2

LAN to ETH3

LAN to LAN

And VPN route using tunnels

POLICIES

We've set up a bunch of policies:

LAN to WAN1 (ISP1) for Tunnel traffic and VPN traffic

LAN to WAN2 (ISP2) for Webmail

LAN to WAN3 (For Web browsing)

We've created a PBF for forwarding traffic from LAN to Ethernet 1/2 when it is about MAIL/WebMAIL activities.

We've an application override to force the FTP application to go LAN to LAN (through the MPLS network) due to asymmetric issues.

We've a laptop which is connected outside the office, and we set up a connection through the PALO ALTO using GLOBAL PROTECT; the connection is established using ISP1.

The VPN for Global Protect is UP and RUNNING.

The issue is the following:

We cannot access the LAN of the PA-500

We cannot access the Internet using the PA-500

BUT

We can connect to remote-site-1, remote-site-2 and, last but not least, we can connect to the remote site which is located across the MPLS network.

Does anyone have an idea or some guidance about this issue? Have we missed something? Could it be possible that the configuration is wrong?

[Figure 1: FIGURE1.PNG]

parmas
L2 Linker

We cannot access to the LAN of the PA-500 .......... from where? Please add more details

We cannot access to Internet using the PA-500............. again, access the Internet? I guess you mean from the LAN, but using which ISP?

I believe you might be running into some asymmetric routing issue because of the different ISPs that you have configured. I could suggest segregating them by using different virtual routers, but you need to make sure you have the proper routes in place in each of the VRs.

mbeghdadi
L2 Linker

Hi,

Thanks for your feedback. After investigation the issue was related to PBF. It was necessary to write a new rule stating that

traffic from LAN to GP (Global Protect zone) should not use PBF...

After the commit, traffic is UP...
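The fix described above, written out as an added example in PAN-OS set-format CLI (this is not the thread's own configuration). PBF rules match on destination addresses rather than a destination zone, so "LAN to GP zone" is expressed as the GlobalProtect client IP pool. The zone names come from the thread; the pool 10.99.0.0/24, the rule names LAN-to-GP-noPBF and Mail-to-ISP2, and the sample hosts in the test command are assumptions.

```text
configure
# Assumed names: LAN-to-GP-noPBF (new exemption rule), Mail-to-ISP2 (the existing
# mail/webmail PBF rule), 10.99.0.0/24 (the GlobalProtect client IP pool).
# Return traffic from the LAN to a GP client must follow the routing table back
# into the tunnel; without this rule the mail PBF rule can push it out Ethernet1/2.
set rulebase pbf rules LAN-to-GP-noPBF from zone ETH4-ZONE
set rulebase pbf rules LAN-to-GP-noPBF source any
set rulebase pbf rules LAN-to-GP-noPBF destination 10.99.0.0/24
set rulebase pbf rules LAN-to-GP-noPBF application any
set rulebase pbf rules LAN-to-GP-noPBF service any
set rulebase pbf rules LAN-to-GP-noPBF action no-pbf
# PBF is evaluated top-down, first match: the exemption has to sit above the mail rule
move rulebase pbf rules LAN-to-GP-noPBF before Mail-to-ISP2
commit
exit
# Verify the order and check which PBF rule (if any) a LAN-to-GP flow hits,
# here a TCP/445 session from an assumed LAN host to an assumed GP client
show pbf rule all
test pbf-policy from ETH4-ZONE source 192.168.1.10 destination 10.99.0.5 protocol 6 destination-port 445
```

The expected result of the test is a match on LAN-to-GP-noPBF rather than on the mail rule; a match on Mail-to-ISP2 means the move did not take effect or the pool address is wrong.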
