Traffic cannot return

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

Traffic cannot return

L1 Bithead

Hi Folks I have the next topology. The problem is the return traffic when I connect via GlobalProtect and I get a client IP 10.81.235.x. This IP cannot connect with a web server that is in the LAN, but this LAN is external through a data link routing.

In the other side, owner of web server they don't want to include subnet GP 10.81.235.x in their route tables for propagation due to internal security policies. Currently, communication is succesfull between LAN internal to LAN external, but GP to LAN external (192.168.36.x) is not completing.

In logs we have security rule that show me allow with application incomplete and session end reason Aged out.

Is possible to use a NAT rule to force communication and avoid session loss or PBF with symetric return? What option could you suggest me?


Thanks in advance

1 accepted solution

Accepted Solutions

Hi, it was solved with NAT SOURCE rule. Masking like a Lan subnet. Thks..





View solution in original post


Hi @apazmino,

Probably stupid question, but can you clarify for me what do you mean by "LAN is external through a data link routing"?

It is hard to understand your topology with provided information, without any diagram, at least for me.


From what I understand your problem definately sounds like the destionation doesn't know how to route back the traffic, which could be solved with NAT. It is very hard to imagine how PBF could help in this situation so go for the NAT and agree with the remote site on prefix that can be used for translating your GP IP pool.

topology return.png



HI Astardzhiev, thanks for your response. When I refer to external lan, I tried to explain with this topology, lan external come to be one external subnet that does not belong to my side, otherwise, lan external is other subnet connected via data link but is within LAN_zone. 

Then, to clarify I attach diagram, the question is: In the return from subnet 192.168.36.x could I use Source or destination NAT?.. According to your suggestion is not possible with PBF.


thanks so much

Hi, it was solved with NAT SOURCE rule. Masking like a Lan subnet. Thks..





Hi @apazmino ,

Glad you solved your problem. Add some clarification:

- You have to use source NAT, because you need to change the source address for which the server will try to send reply back.

- The purpose of PBF is if you want to route given traffic, based on some kind of policy - for example any traffic from given source network. But PBF cannot help you if destination network doesn't have route back or don't want to install proper routing for your source network.

  • 1 accepted solution
  • 4 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!