This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

PA500 split tunnelling DNS question

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

PA500 split tunnelling DNS question

sue_town
Not applicable

‎08-30-2011 05:27 AM

Hi

Have a PA 500 set up for split tunnelling - so clients access internet locally and all other traffic is passed over VPN tunnel to our office

I have DHCP set up on PA box so clients get primary DNS server (local ISP one) and secondary DNS (office one)

I have set up a rule from trust to untrust to allow application DNS and service DNS however i am getting errors saying failed to resolve domain name

so I SSH to the box and cannot ping host www.yahoo.com nor can i ping host yahoo.com by IP

any ideas please?

thanks

Sue

0 Likes Likes
7 REPLIES 7

jleung
L4 Transporter

‎08-30-2011 06:02 AM

Hi,

if you cannot ping yahoo.com by IP as well, it is unlikely to be a DNS problem. Would you check the traffic log to see if any traffic has been denied?

0 Likes Likes

sue_town
Not applicable
In response to jleung

‎08-30-2011 06:11 AM

Hi

I am seeing traffic denied from untrust to untrust per my last global deny rule application not applicable

dosent seem to be any other deny

thanks

Sue

0 Likes Likes

jleung
L4 Transporter
In response to sue_town

‎08-30-2011 06:34 AM

Hi Sue,

Try to do this:

1. go to whatismyipaddress.com/ to check the public IP you are using before you connect to the SSLVPN.

2. start the vpn connection, check if there is any deny traffic from your public ip address

3. most likely you will see there is traffic from your public IP address from untrust to untrust running on port 443 being denied. for that case you should add the SSL as the app and app. default as the port no.

4. remember to add the NAT policy for your client.

0 Likes Likes

sue_town
Not applicable
In response to jleung

‎08-30-2011 06:44 AM

thanks for your reply....but the traffic over the VPN tunnel into the companys network is working ok

the issue is just with internet access and DNS it seems...

Sue

0 Likes Likes

jleung
L4 Transporter
In response to jleung

‎08-30-2011 07:34 AM

Hi Sue,

so would you run ipconfig to see if the DNS setting is well populated? Also check if the "route print" output to see if the routing to SSLVPN gateway just cover the corporate network subnet, and run a traceroute to see check which is the next hop for traffic to yahoo.com.

0 Likes Likes

sue_town
Not applicable
In response to jleung

‎08-31-2011 12:57 AM

just to let you know this is resolved

the issue was that the default route was set to go via an interface rather than IP address - once i changed it to IP, all web browsing and DNS worked fine

just for info

thanks for replies

Sue

0 Likes Likes

jleung
L4 Transporter
In response to sue_town

‎08-31-2011 08:49 AM

Hi Sue,

Good to know that Smiley Happy

0 Likes Likes
  • 3064 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks