We have configured only one VR, VR-1
Ethernet 1/1 is a WAN interface
Ethernet 1/2 is a WAN interface
Ethernet 1/3 is a WAN interface
Ethernet 1/4 is a LAN interface
ETH1-ZONE for Ethernet 1/1
ETH2-ZONE for Ethernet 1/2
ETH3-ZONE for Ethernet 1/3
ETH4-ZONE for Ethernet 1/4
VP-ZONE for all the tunnels (used for remote site connections with site-1 and site-2)
GP-ZONE used for GLOBAL PROTECT
We’ve a set of static
LAN to ETH1
LAN to ETH2
LAN to ETH3
LAN to LAN
And VPN route using tunnels
We’ve set up a bunch of policies
LAN to WAN1 (ISP1) for Tunnel traffic and VPN traffic
LAN to WAN2 (ISP2) for Webmail
LAN to WAN3 (For Web browsing)
We’ve created a PBF for forwarding traffic from LAN to Ethernet 1/2 when it is about MAIL/WebMAIL activities
We’ve an application override to force the FTP application to go LAN to LAN (through the MPLS network) due to asymmetric issues
We've a laptop which is connected outside the office, and we set up a connection through the PALO ALTO using GLOBAL PROTECT; the connection is established using ISP1.
The VPN for Global Protect is UP and RUNNING
The issue is the following:
We cannot access the LAN of the PA-500
We cannot access the Internet using the PA-500
We can connect to remote-site-1, Remote-2 and, last but not least, we can connect to the remote site which is located across the MPLS network.
Does anyone have an idea or some guidance about this issue? Have we missed something? Could it be possible that the configuration is wrong?
"We cannot access the LAN of the PA-500" ... from where? Please add more details.
"We cannot access the Internet using the PA-500" ... again, access the Internet? I guess you mean from the LAN, but using which ISP?
I believe you might be running into some asymmetric routing issue because of the different ISPs that you have configured. I could suggest segregating them by using different virtual routers, but you need to make sure you have the proper routes in place in each of the VRs.
Thanks for your feedback. After investigation, the issue was related to PBF. It was necessary to write a new rule stating that traffic from LAN to GP (Global Protect zone) should not use PBF.
After the commit, traffic is UP.
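
The fix described in the post above, modeled as an added example that is not part of the thread and is not PAN-OS code: a first-match PBF lookup plus a check that flags forwarding rules able to catch traffic for an internal subnet with no earlier No-PBF exemption. The GlobalProtect pool 10.99.0.0/24, the rule names, and the mail rule matching any destination are assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class PbfRule:
    name: str
    from_zone: str
    destination: str   # CIDR; "0.0.0.0/0" models "any"
    action: str        # "forward" or "no-pbf"
    egress: str = ""   # egress interface, only used by "forward"

def lookup(rules, zone, dst_ip):
    """First-match evaluation. None means no PBF rule matched (route table decides)."""
    ip = ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.from_zone == zone and ip in ipaddress.ip_network(r.destination):
            return r
    return None

def shadowed_internal(rules, internal):
    """Return (rule, label) pairs where a forward rule overlaps an internal
    subnet that no earlier no-pbf rule from the same zone fully exempts."""
    findings = []
    for i, r in enumerate(rules):
        if r.action != "forward":
            continue
        rnet = ipaddress.ip_network(r.destination)
        for label, cidr in internal.items():
            net = ipaddress.ip_network(cidr)
            if not rnet.overlaps(net):
                continue
            exempt = any(p.action == "no-pbf" and p.from_zone == r.from_zone
                         and net.subnet_of(ipaddress.ip_network(p.destination))
                         for p in rules[:i])
            if not exempt:
                findings.append((r.name, label))
    return findings

# Constructed sample data (hypothetical pool and rule names; zone names from the post).
INTERNAL = {"GP-ZONE": "10.99.0.0/24"}
MAIL_PBF = PbfRule("mail-via-isp2", "ETH4-ZONE", "0.0.0.0/0", "forward", "ethernet1/2")
NO_PBF_GP = PbfRule("lan-to-gp-no-pbf", "ETH4-ZONE", "10.99.0.0/24", "no-pbf")
BEFORE = [MAIL_PBF]             # rulebase before the fix
AFTER = [NO_PBF_GP, MAIL_PBF]   # exemption evaluated first

if __name__ == "__main__":
    for label, rulebase in (("before", BEFORE), ("after", AFTER)):
        hit = lookup(rulebase, "ETH4-ZONE", "10.99.0.15")
        print(label, hit.name, hit.action, shadowed_internal(rulebase, INTERNAL))
```

Running the check over an exported rulebase before each commit shows which internal subnets (VPN pools, tunnel peers) a new forwarding rule would pull onto an ISP link.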