07-16-2010 05:42 AM
Hi All,
I have been struggling to set up the SSL VPN on v3.1.3.
I have managed to get the login page to appear.
I have managed to log in.
I have been able to download the client and get it to connect,
but for some odd reason it will not communicate with the network!
I have followed the article on the VPN connection on this site. I have also checked the logs with a deny rule at the end of my policy to see if anything is being denied that does not hit a rule, and added a rule according to what I have seen in the logs, but still nothing.
Would someone who has got this running be able to post a quick pictorial and suggestions?
Many Thanks
Marc
07-16-2010 08:18 AM
Hello Marct,
If you are already able to get the client to connect and get an IP, then the issue probably has to do with policy or routing.
Can you verify the following:
- Make sure that the zone of the tunnel interface for the SSL VPN has policies/rules allowing the traffic to the other desired zones.
- Make sure that the SSL VPN tunnel interface is attached to a virtual router (this virtual router should also have interfaces facing the other subnets that you want the SSL VPN users to be able to connect to).
- Make sure that the IP range or subnet that you have assigned to the SSL VPN users is not the same as any of the other subnets in your network.
thanks,
Stephen Whyte
07-19-2010 02:55 AM
Hi Stephen,
I have a similar problem configuring SSL VPN on the PA. Actually, my network is:
Eth1/5 l3-untrust 10.0.0.0/8 network
Eth1/6 l3-trust 192.168.4.0/24 network
Tunnel l3-trust
Those three interfaces are under the same virtual router with below routing:
default-route 0.0.0.0/0 int eth1/5 next_hop 10.1.1.254
tunnel traffic to corp 172.16.1.0/24 int tunnel
172.16.4.0/24 is the SSL VPN portal client IP pool
Anything I missed? Thanks!
Johnny
07-19-2010 01:52 PM
If you have already verified all of my previous suggestions, then you may want to start looking into other factors like the following:
- Make sure that the device you are trying to reach does not have a firewall that is on or limiting connections to it.
- Make sure that the device you are trying to reach is routing back to the PAN device when trying to get back to the SSL VPN users. In other words, when your device tries to reach this network (172.16.1.0/24), it should be routed back to the PAN device.
thanks,
Stephen
07-20-2010 01:44 AM
Did you mean the device I want to reach has to add a routing table entry for the SSL VPN pool (172.16.1.0/24) via 192.168.4.51? Will the source of the packet use the 172.16.1.x info?
BTW, I tested this before but it seems it cannot be done. I already added the routing table entry for 172.16.1.0 to the device I want to reach, which is 192.168.4.61.
thanks,
Johnny
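The overlap and return-route checks suggested in this thread, as an added Python example that is not part of any poster's message. The interface subnets, pool prefixes and the addresses 192.168.4.51 and 192.168.4.61 are the ones posted above; treating 192.168.4.51 as the firewall's trust-side address, the target host's routing table and its default gateway 192.168.4.254 are assumptions constructed for illustration.

```python
import ipaddress

# Firewall-side networks as posted in the thread.
FIREWALL_NETS = {
    "eth1/5": "10.0.0.0/8",
    "eth1/6": "192.168.4.0/24",
    "static route to corp": "172.16.1.0/24",
}
FIREWALL_TRUST_IP = "192.168.4.51"   # assumption: firewall address on l3-trust

# Constructed routing table for the target host 192.168.4.61:
# (prefix, next hop). The default gateway address is hypothetical.
HOST_ROUTES = [
    ("0.0.0.0/0", "192.168.4.254"),
    ("192.168.4.0/24", "on-link"),
    ("172.16.1.0/24", FIREWALL_TRUST_IP),
]

def overlaps(pool, nets):
    """Names of firewall networks that overlap the VPN client pool."""
    pool = ipaddress.ip_network(pool)
    return [name for name, net in nets.items()
            if pool.overlaps(ipaddress.ip_network(net))]

def next_hop(routes, dst):
    """Longest-prefix match: the next hop a routing table selects for dst."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

def return_path_ok(routes, pool, firewall_ip):
    """True only if replies to every pool address go back via the firewall."""
    return all(next_hop(routes, addr) == firewall_ip
               for addr in ipaddress.ip_network(pool))

if __name__ == "__main__":
    # Both prefixes mentioned in the thread as the client pool.
    for pool in ("172.16.4.0/24", "172.16.1.0/24"):
        print(pool,
              "overlaps:", overlaps(pool, FIREWALL_NETS) or "none",
              "| replies via:", next_hop(HOST_ROUTES, pool.split("/")[0]),
              "| return path ok:",
              return_path_ok(HOST_ROUTES, pool, FIREWALL_TRUST_IP))
```

With this constructed table, a return route for one prefix does not cover the other: replies to any pool address without a matching route follow the host's default gateway instead of the firewall.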