SSL VPN users unable to access the internet though Palo

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

SSL VPN users unable to access the internet though Palo

L0 Member

Hi

     I have setup SSL VPN and its been in use for a few weeks without any issue with the exception of one minor annoyance.

I have been unable to get the SSL VPN users to be able to see the internet when connected.

1) The access route is set to 0.0.0.0/0 to force all traffic back though the Palo Alto.

          I don’t want users getting internet direct when they are VPN'ed in but force them to be filtered just like when they are in the office.

2) If I use a laptop with Firefox on and point it to a temporary internal proxy on port 8080 i can get back out again to the internet.

3) The VPN users get an IP address in a range outside the normal local LAN range.

4) There is a router which is the default gateway points all traffic not destined for one of our other networks though the Palo alto.

I think this issue is that the VPN traffic is exiting the Palo on the same interface that it has to come back on to get out of the internet and there is nothing to point it back were all other traffic is being forwarded to the Palo Alto by the gateway. Therefore I think I need some sort of rule on the Palo that internally forwards VPN traffic not destined for one of internal networks back out of the WAN port????

Ethernet 1/1 (WAN) (DefaultVR) (L3-untrust) 194.123.123.18/28

Ethernet 1/2 (LAN) (DefaultVR) (L3-untrust) 10.1.1.20/8

Management 10.1.1.23

----

SSL-VPN range 10.3.1.0/24

SSL Gateway (eth1/1) 194.123.123.18/28

----

Tunnel (DefaultVR) L3-Trust (no IP)

----

DefaultVR Static routes.

default 0.0.0.0/0                     ip         194.123.123.17           none    none              

Site2    10.2.0.0/16                 ip         10.1.1.11                     none    none              

Site3    10.5.0.0/16                 ip         10.1.1.11                     none    none   

---

Border Router (for Site to site links) 10.1.1.11

     Forwards all traffic for other networks e.g. 10.2.0.0/16 over site to site link

     Forwards everything else to Palo > 10.1.1.20

1 REPLY 1

L4 Transporter

Problems like this usually fall into one of two catagories.

1) The range allocated for SSL VPN users is not getting the proper NAT applied when the traffic goes out to  the internet

2) There is another router involved in the path and that router is not aware of the SSL VPN subnet or is directing the traffic to the incorrect next hop.

If neither of these is the case you should open a case with support.

Steve Krall

  • 3128 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!