08-30-2011 05:27 AM
Hi
Have a PA 500 set up for split tunnelling - so clients access internet locally and all other traffic is passed over VPN tunnel to our office
I have DHCP set up on PA box so clients get primary DNS server (local ISP one) and secondary DNS (office one)
I have set up a rule from trust to untrust to allow application DNS and service DNS; however, I am getting errors saying failed to resolve domain name
so I SSH to the box and cannot ping host www.yahoo.com, nor can I ping host yahoo.com by IP
any ideas please?
thanks
Sue
08-30-2011 06:11 AM
Hi
I am seeing traffic denied from untrust to untrust per my last global deny rule, application not applicable
doesn't seem to be any other deny
thanks
Sue
08-30-2011 06:34 AM
Hi Sue,
Try to do this:
1. Go to whatismyipaddress.com/ to check the public IP you are using before you connect to the SSLVPN.
2. Start the VPN connection and check if there is any denied traffic from your public IP address.
3. Most likely you will see there is traffic from your public IP address from untrust to untrust running on port 443 being denied. In that case you should add the SSL as the app and app. default as the port no.
4. Remember to add the NAT policy for your client.
08-30-2011 06:44 AM
thanks for your reply... but the traffic over the VPN tunnel into the company's network is working ok
the issue is just with internet access and DNS it seems...
Sue
08-30-2011 07:34 AM
Hi Sue,
So would you run ipconfig to see if the DNS setting is well populated? Also check the "route print" output to see if the routing to the SSLVPN gateway just covers the corporate network subnet, and run a traceroute to check which is the next hop for traffic to yahoo.com.
08-31-2011 12:57 AM
just to let you know this is resolved
the issue was that the default route was set to go via an interface rather than an IP address - once I changed it to IP, all web browsing and DNS worked fine
just for info
thanks for replies
Sue
08-31-2011 08:49 AM
Hi Sue,
Good to know that