Redistribute Route to GlobalProtect with BGP

L2 Linker

Background:

We have a 172.20.0.0/16 internal network that is connected to our Amazon AWS VPC. A route is successfully advertised to our AWS peer using BGP, and from the local network I can reach our server instances in the VPC. AWS resources are assigned an address in the 172.21.0.0/16 network.

After I created a remote-access VPN using GlobalProtect, I can reach our local network from outside the building. Remote users are assigned an address in the 172.19.0.0/16 network.

Problem:

Unable to reach our AWS resources while remotely connected to the local network using GlobalProtect.

My Thoughts:

I believe I need to redistribute a route to the 172.19.0.0/16 network assigned to GlobalProtect clients. I followed the article "How to Redistribute GlobalProtect Routes into OSPF". As a result I created a 2nd Redistribution Profile within my virtual router and configured a 2nd BGP Export Rule.

Despite this, when I issue > show routing protocols bgp rib-out, it only displays the original, single route to my local 172.20.0.0/16 network.

Any thoughts are greatly appreciated!

Thank you.

L2 Linker

Additional Info:

When I issue the command > show routing fib, I expected to see a single entry for GlobalProtect, such as 172.19.0.0/16.

Instead I see this:

2       172.20.0.0/16         0.0.0.0            u      ethernet1/2        1500
63      172.21.0.0/16         169.254.255.XYZ     ug     tunnel.4           1427
50      172.19.0.64/26        172.19.0.64        ug     tunnel.3           1500
49      172.19.0.32/27        172.19.0.32        ug     tunnel.3           1500
48      172.19.0.16/28        172.19.0.16        ug     tunnel.3           1500
46      172.19.0.4/30         172.19.0.4         ug     tunnel.3           1500
45      172.19.0.2/31         172.19.0.2         ug     tunnel.3           1500
47      172.19.0.8/29         172.19.0.8         ug     tunnel.3           1500
51      172.19.0.128/26       172.19.0.128       ug     tunnel.3           1500
52      172.19.0.192/27       172.19.0.192       ug     tunnel.3           1500
53      172.19.0.224/28       172.19.0.224       ug     tunnel.3           1500
54      172.19.0.240/29       172.19.0.240       ug     tunnel.3           1500
55      172.19.0.248/30       172.19.0.248       ug     tunnel.3           1500

Would I need to instead define these networks in my Export and Redistribution Profiles?

Follow Up:

Why would the router implement these CIDR networks instead of a large 172.19.0.0/16 as I defined in the GUI?

Thanks Again!
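As an added example (not from the thread or from Palo Alto Networks), the following Python parses the FIB lines quoted above, checks whether the tunnel.3 fragments form one unbroken range, and computes the smallest single aggregate that would cover them, plus whether the configured 172.19.0.0/16 pool covers them all. It assumes only the standard library and the column layout shown in the quoted output.

```python
import ipaddress

# Constructed sample: the "show routing fib" lines quoted above, verbatim
# (the XYZ placeholder in the AWS next hop is kept as the post shows it).
FIB_OUTPUT = """\
2       172.20.0.0/16         0.0.0.0            u      ethernet1/2        1500
63      172.21.0.0/16         169.254.255.XYZ     ug     tunnel.4           1427
50      172.19.0.64/26        172.19.0.64        ug     tunnel.3           1500
49      172.19.0.32/27        172.19.0.32        ug     tunnel.3           1500
48      172.19.0.16/28        172.19.0.16        ug     tunnel.3           1500
46      172.19.0.4/30         172.19.0.4         ug     tunnel.3           1500
45      172.19.0.2/31         172.19.0.2         ug     tunnel.3           1500
47      172.19.0.8/29         172.19.0.8         ug     tunnel.3           1500
51      172.19.0.128/26       172.19.0.128       ug     tunnel.3           1500
52      172.19.0.192/27       172.19.0.192       ug     tunnel.3           1500
53      172.19.0.224/28       172.19.0.224       ug     tunnel.3           1500
54      172.19.0.240/29       172.19.0.240       ug     tunnel.3           1500
55      172.19.0.248/30       172.19.0.248       ug     tunnel.3           1500
"""


def parse_fib(text):
    """Return [(network, interface)] per FIB line; next hop, flags and MTU are ignored."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 5:
            entries.append((ipaddress.ip_network(fields[1]), fields[4]))
    return entries


def routes_via(entries, interface):
    """Prefixes pointing at one interface (e.g. the GP tunnel), sorted by address."""
    return sorted(net for net, ifname in entries if ifname == interface)


def is_contiguous(nets):
    """True when consecutive sorted prefixes leave no address gap between them."""
    return all(int(b[0]) == int(a[-1]) + 1 for a, b in zip(nets, nets[1:]))


def summary_route(nets):
    """Smallest single prefix that contains every given prefix."""
    for plen in range(min(n.prefixlen for n in nets), -1, -1):
        candidate = nets[0].supernet(new_prefix=plen)
        if all(n.subnet_of(candidate) for n in nets):
            return candidate


def covered_by(nets, aggregate):
    """True when one aggregate, such as the configured GP pool, covers all prefixes."""
    aggregate = ipaddress.ip_network(aggregate)
    return all(n.subnet_of(aggregate) for n in nets)
```

For the quoted output, routes_via(parse_fib(FIB_OUTPUT), "tunnel.3") yields eleven contiguous fragments from 172.19.0.2 to 172.19.0.251, whose smallest common aggregate is 172.19.0.0/24, and all of them sit inside 172.19.0.0/16.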

L5 Sessionator

Do you have a proper security policy in place to allow GP users to access AWS resources? Try assigning an IP address to the tunnel interface from the pool that you are assigning to GP clients, and then try to ping from the tunnel interface to the AWS resources.

Try to ping from any firewall interface to any AWS resource and check if the ping is working or not.

L2 Linker

Hi @pankaku and thank you for the reply. The tunnel interfaces associated with Amazon and the LAN are assigned to the same security profile. I realize this leads to no visibility or control over the traffic, and I eventually want to assign the AWS tunnel interfaces to a separate security zone.

Per your suggestion, I think I understand you and wanted to summarize what you said as I go about trying what you suggested.

Try assigning an IP address from the GP address pool to the GP tunnel interface and then try pinging a resource in AWS.

L5 Sessionator

Yes, that's correct. Let us know if we have reachability from the firewall tunnel interface to AWS resources.

Also try to ping from any other firewall interface to AWS resources.

L2 Linker

Thanks for the clarification @pankaku.

@Pankaj.kumar wrote:

Yes, that's correct. Let us know if we have reachability from the firewall tunnel interface to AWS resources.

Also try to ping from any other firewall interface to AWS resources.

I assigned 172.21.0.99 to the AWS tunnel and tried to ping an AWS resource with no success.

However, I can ping an AWS resource from the Palo Alto internal gateway interface 172.20.0.1.

Running a packet capture, I can see on the receive side ICMP traffic flowing from 172.19.0.2 to 172.21.ABC.EFG, and on the transmit side I see ESP traffic flowing from the PA egress interface (public IP) to the AWS resource.

L2 Linker

Here is some additional info testing the route to my AWS resources.

bob@PA-3020> test routing fib-lookup virtual-router default-vr ip 172.21.1.121

--------------------------------------------------------------------------------
runtime route lookup
--------------------------------------------------------------------------------
virtual-router: default-vr
destination: 172.21.1.121
result:
via 169.254.255.89 interface tunnel.4, source 169.254.255.90, metric 65434
--------------------------------------------------------------------------------

bob@PA-3020> show routing route | match tunnel.4
169.254.255.88/30 169.254.255.90 0 A C tunnel.4

In the GlobalProtect Gateway --> Agent --> Client Settings, I added the following access routes:

172.20.0.0/16

172.21.0.0/16

On my connected GlobalProtect VPN client I can confirm the presence of both routes:

       172.19.0.2  255.255.255.255         On-link        172.19.0.2    256
       172.20.0.0      255.255.0.0         On-link        172.19.0.2      1
   172.20.255.255  255.255.255.255         On-link        172.19.0.2    256
       172.21.0.0      255.255.0.0         On-link        172.19.0.2      1
   172.21.255.255  255.255.255.255         On-link        172.19.0.2    256

L5 Sessionator

Let me clarify what I understand.

You are able to ping from the firewall's interface but not from the GP tunnel interface.

If that is correct, then try the following doc:

https://live.paloaltonetworks.com/t5/Management-Articles/GlobalProtect-Users-and-Internal-Resources/...

L2 Linker

That's absolutely right @pankaku. I will take a look at your suggestion.

Thank you again.
