VPN Client, Can't connect to internal zone?

Reply
Highlighted
L2 Linker

VPN Client, Can't connect to internal zone?

Hi, Good day!

 

I would like to ask what would be the problem,

 

From outside user accessing via ssl vpn (VPN ZONE) below details are working.

1. It can connect / has the ip pool assigned

2. It can reach the internet using the assigned pool.

 

Problem is from VPN Zone user can't reach the internal zone even though we already created a policy from vpnzone -> Internal (vise versa). When we trace last hop stop is on ip address of the vpn interface.

 

We also tried adding static route exit interface tunnel. but still doesn't work. Also based on logs there's a byte sent (from uservpn) but no bytes received (reply from the internal server)

 

But when creating a nat policy from vpn zone -> internal it works.

But this doesn't scale well since it will be translated in one ip only.

 

What is missing on this setup?

thank you

Tags (1)
Highlighted
L7 Applicator

Re: VPN Client, Can't connect to internal zone?

Kind of hard to follow the question with a quick glance, but I would attempt to look for the following. 

1) What does your Access Route look like in your GP Client Configuration. Are you routing 0.0.0.0/0 or do you have a split tunnel setup.

2) Do you actually have a security rule that allows the traffic to/from GP zone to/from internal network that is being hit

3) If you are not hitting the right security policies look in the log and see if you can even see the traffic. If you can't see the traffic then you have an Access Route config issue, if you can see the traffic in the log and it isn't hitting the rule that you expect then you are likely just configuring your security policy wrong or it doesn't 'make it down' to the rule that you want it to.  

Highlighted
L2 Linker

Re: VPN Client, Can't connect to internal zone?

Hi,

 

Diagram:

VPN ZONE ----(tunel Interface)->(FW)<-----(L3)----- Internal Zone

 

1. 1.1.1.X (VPN Pool segment) 255.255.255.0 > tunnel interface

    2.2.2.X (Internal segment) 255.255.255.0 > tunnel interface

 

2.  Yes, there's a policy already and it's hitting the policy. the problem is when pinging from VPN Pool to Internal, Bytes sent increaase but Bytes out always 0 which theres no reply from the server or server can't reach the vpn client ip.

 

Thanks

 

Highlighted
L6 Presenter

Re: VPN Client, Can't connect to internal zone?

Hi,

 

So when you NATing the VPN Zone > Internal Zone things are working fine? Try to do a ping or traceroute from the Internal > VPN Zone. See the traffic flow, check your routing.

L4 Transporter

Re: VPN Client, Can't connect to internal zone?

You should do a packet capture on the server to see if it actually receives the packets and if anything is sent back. After that, do a packet capture on the firewall to see if it's receiving the response and if it's dropping it.

 

Benjamin

Highlighted
L7 Applicator

Re: VPN Client, Can't connect to internal zone?

I'm just harboring a guess here but that would seem to indicate that your return path either isn't allowed or the route back is misconfigured. 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!