06-28-2016 05:28 PM - edited 06-28-2016 05:29 PM
Background:
We have a 172.20.0.0/16 internal network that is connected to our Amazon AWS VPC. A route is successfully advertised to our AWS peer using BGP, and from the local network I can reach our server instances in the VPC. AWS resources are assigned an address in the 172.21.0.0/16 network.
After I created a remote-access VPN using Global Protect, I can reach our local network from outside the building. Remote users are assigned an address in the 172.19.0.0/16 network.
Problem:
Unable to reach our AWS resources while remotely connected to the local network using Global Protect.
My Thoughts:
I believe I need to redistribute a route to the 172.19.0.0/16 network assigned to GlobalProtect clients. I followed the article How to Redistribute GlobalProtect Routes into OSPF. As a result I created a 2nd Redistribution Profile within my virtual router and configured a 2nd BGP Export Rule.
Despite this, when I issue > show routing protocols bgp rib-out, it only displays the original, single route to my local 172.20.0.0/16 network.
Any thoughts are greatly appreciated!
Thank you.
06-28-2016 05:33 PM - edited 06-28-2016 05:34 PM
Additional Info:
When I issue the command > show routing fib I expected to see a single entry for GlobalProtect, such as 172.19.0.0/16.
Instead I see this:
2   172.20.0.0/16    0.0.0.0          u   ethernet1/2  1500
63  172.21.0.0/16    169.254.255.XYZ  ug  tunnel.4     1427
50  172.19.0.64/26   172.19.0.64      ug  tunnel.3     1500
49  172.19.0.32/27   172.19.0.32      ug  tunnel.3     1500
48  172.19.0.16/28   172.19.0.16      ug  tunnel.3     1500
46  172.19.0.4/30    172.19.0.4       ug  tunnel.3     1500
45  172.19.0.2/31    172.19.0.2       ug  tunnel.3     1500
47  172.19.0.8/29    172.19.0.8       ug  tunnel.3     1500
51  172.19.0.128/26  172.19.0.128     ug  tunnel.3     1500
52  172.19.0.192/27  172.19.0.192     ug  tunnel.3     1500
53  172.19.0.224/28  172.19.0.224     ug  tunnel.3     1500
54  172.19.0.240/29  172.19.0.240     ug  tunnel.3     1500
55  172.19.0.248/30  172.19.0.248     ug  tunnel.3     1500
Would I need to instead define these networks in my Export and Redistribution Profiles?
Follow Up:
Why would the router implement these CIDR networks instead of a large 172.19.0.0/16 as I defined in the GUI?
Thanks Again!
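As an added illustration (not part of this thread, and not Palo Alto's code), here is a small Python script that parses the `show routing fib` output quoted above, performs the same longest-prefix lookup that `test routing fib-lookup` performs, and lists the parts of the 172.19.0.0/16 pool that have no FIB entry at all. The FIB text is reconstructed from the post; the route-id, flag and MTU columns are taken as listed, the redacted next hop is kept as an opaque string, and the test addresses 172.19.5.9 and 172.19.0.0 are chosen here only to probe the gaps.

```python
import ipaddress

# Constructed sample: the `show routing fib` output quoted in the post above,
# one entry per line. Columns: id, destination, nexthop, flags, interface, mtu.
# "169.254.255.XYZ" is the poster's own redaction and is kept as a plain string.
FIB_OUTPUT = """\
2   172.20.0.0/16    0.0.0.0          u   ethernet1/2  1500
63  172.21.0.0/16    169.254.255.XYZ  ug  tunnel.4     1427
50  172.19.0.64/26   172.19.0.64      ug  tunnel.3     1500
49  172.19.0.32/27   172.19.0.32      ug  tunnel.3     1500
48  172.19.0.16/28   172.19.0.16      ug  tunnel.3     1500
46  172.19.0.4/30    172.19.0.4       ug  tunnel.3     1500
45  172.19.0.2/31    172.19.0.2       ug  tunnel.3     1500
47  172.19.0.8/29    172.19.0.8       ug  tunnel.3     1500
51  172.19.0.128/26  172.19.0.128     ug  tunnel.3     1500
52  172.19.0.192/27  172.19.0.192     ug  tunnel.3     1500
53  172.19.0.224/28  172.19.0.224     ug  tunnel.3     1500
54  172.19.0.240/29  172.19.0.240     ug  tunnel.3     1500
55  172.19.0.248/30  172.19.0.248     ug  tunnel.3     1500
"""

# The GlobalProtect client pool as defined in the GUI, per the post.
GP_POOL = ipaddress.ip_network("172.19.0.0/16")


def parse_fib(text):
    """Parse FIB lines into dicts; anything that is not a six-column entry is skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        rid, dest, nexthop, flags, iface, mtu = parts
        routes.append({
            "id": int(rid),
            "dest": ipaddress.ip_network(dest),  # strict: rejects host bits set
            "nexthop": nexthop,
            "flags": flags,
            "interface": iface,
            "mtu": int(mtu),
        })
    return routes


def lookup(routes, ip):
    """Longest-prefix match over the FIB; returns None when no entry covers ip."""
    addr = ipaddress.ip_address(ip)
    matches = [r for r in routes if addr in r["dest"]]
    return max(matches, key=lambda r: r["dest"].prefixlen, default=None)


def uncovered(pool, routes):
    """Return the pieces of pool that no FIB entry covers, collapsed to minimal CIDRs."""
    remaining = [pool]
    for prefix in (r["dest"] for r in routes):
        nxt = []
        for block in remaining:
            if prefix.subnet_of(block):
                nxt.extend(block.address_exclude(prefix))  # carve the prefix out
            elif block.subnet_of(prefix):
                pass  # block is entirely covered by this route
            else:
                nxt.append(block)  # unrelated prefix, keep block as is
        remaining = nxt
    return sorted(ipaddress.collapse_addresses(remaining))


if __name__ == "__main__":
    routes = parse_fib(FIB_OUTPUT)
    for ip in ("172.19.0.2", "172.21.1.121", "172.19.5.9", "172.19.0.0"):
        r = lookup(routes, ip)
        print(ip, "->", f'{r["dest"]} via {r["interface"]}' if r else "no route")
    print("pool space with no FIB entry:")
    for net in uncovered(GP_POOL, routes):
        print("  ", net)
```

Running it shows that the connected client (172.19.0.2) and the slices around it on tunnel.3 cover 172.19.0.0/24 except 172.19.0.0/31 and 172.19.0.252/30, while the rest of the /16 (172.19.1.0/24 up through 172.19.128.0/17) has no route on the firewall at all. Redistribution exports routes that actually exist in the table, so at the /16 granularity there is nothing for the export rule to pick up; the script makes that visible before touching the redistribution or export profiles.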
06-28-2016 05:51 PM
Do you have a proper security policy in place to allow GP users to access AWS resources? Try assigning an IP address to the tunnel interface from the pool that you are assigning to GP clients, and then try to ping from the tunnel interface to the AWS resources.
Also try to ping from any firewall interface to any AWS resource and check whether the ping is working or not.
06-28-2016 06:14 PM
Hi @pankaku and thank you for the reply. The tunnel interfaces associated with Amazon and the LAN are assigned to the same security profile. I realize this leads to no visibility or control over the traffic, and I eventually want to assign the AWS tunnel interfaces to a separate security zone.
Per your suggestion I think I understand you and wanted to summarize what you said as I go about trying what you suggested.
Try assigning an IP address from the GP address pool to the GP tunnel interface and then try pinging a resource in AWS.
06-28-2016 06:19 PM
Yes, that's correct. Let us know if you have reachability from the firewall tunnel interface to AWS resources.
Also try to ping from any other firewall interface to AWS resources.
06-28-2016 06:27 PM - edited 06-28-2016 06:57 PM
Thanks for the clarification @pankaku.
@Pankaj.kumar wrote: Yes, that's correct. Let us know if you have reachability from the firewall tunnel interface to AWS resources.
Also try to ping from any other firewall interface to AWS resources.
I assigned 172.21.0.99 to the AWS tunnel and tried to ping an AWS resource with no success.
However, I can ping an AWS resource from the Palo Alto internal gateway interface 172.20.0.1.
Running a packet capture, I can see on the receive side ICMP traffic flowing from 172.19.0.2 to 172.21.ABC.EFG, and on the transmit side I see ESP traffic flowing from the PA egress interface (public IP) to the AWS resource.
06-28-2016 06:43 PM - edited 06-28-2016 07:20 PM
Here is some additional info testing the route to my AWS resources.
bob@PA-3020> test routing fib-lookup virtual-router default-vr ip 172.21.1.121
--------------------------------------------------------------------------------
runtime route lookup
--------------------------------------------------------------------------------
virtual-router: default-vr
destination: 172.21.1.121
result:
via 169.254.255.89 interface tunnel.4, source 169.254.255.90, metric 65434
--------------------------------------------------------------------------------
bob@PA-3020> show routing route | match tunnel.4
169.254.255.88/30 169.254.255.90 0 A C tunnel.4
In the GlobalProtect Gateway --> Agent --> Client Settings I added the following access routes:
172.20.0.0/16
172.21.0.0/16
On my connected GlobalProtect VPN client I can confirm the presence of both routes:
172.19.0.2      255.255.255.255  On-link  172.19.0.2  256
172.20.0.0      255.255.0.0      On-link  172.19.0.2    1
172.20.255.255  255.255.255.255  On-link  172.19.0.2  256
172.21.0.0      255.255.0.0      On-link  172.19.0.2    1
172.21.255.255  255.255.255.255  On-link  172.19.0.2  256
06-29-2016 08:54 AM
Let me clarify what I understand.
You are able to ping from the firewall's interface but not from the GP tunnel interface.
If that is correct, then try the following doc: