04-09-2025 11:52 AM
Hi,
I have an Azure Palo Alto VM setup with GlobalProtect access.
I can successfully connect via GlobalProtect and connect to all resources on sites connected via IPSec Tunnels. However, I am not able to access anything on the local segment in Azure.
Can someone please provide some thoughts as to why this could be?
Thanks!
04-10-2025 03:25 AM
Did you create a user-defined route (UDR) in a route table and associate it with the internal subnet?
You need to redirect the 'default route' towards the firewall's private IP address to establish connectivity (or use hide NAT for the whole GP IP pool towards your VNet's subnet).
04-10-2025 05:26 AM
Thanks for the reply. I updated the drawing with some more detail.
I do have a Route Table pointing traffic to the Inside interface of the Firewall. My servers can get out to the Internet, and I can connect to all resources attached to the IPSec Tunnels to and from my servers from behind my Azure Palo. The only issue is when I connect via GlobalProtect, I am unable to reach my servers on my 10.3.1.0/24 subnet. I even matched my GlobalProtect Pool to 10.3.1.0/24 with the same result.
I appreciate any feedback.
Thanks!
04-10-2025 08:40 AM
Here are my static routes on the PA. I don't have a next hop to point my return traffic to other than the INSIDE interface on the PA. Any chance that plays a role in the issue?
04-10-2025 12:04 PM
Hello,
I typically make the VPN users a different zone to help limit access, etc. I would check the unified logs to see where the traffic is getting blocked. Also, put your GP users on a different subnet; otherwise it could make for weird routing issues.
Regards,
04-10-2025 05:11 PM
How will the traffic return if I use a different subnet? I do not have any Layer 3 functionality.
Thanks!
04-11-2025 07:39 AM
Hello,
The Palo Alto has this. Not sure what you mean by you don't have it?
Regards,
04-11-2025 03:21 PM
I should have been clearer. Typically, on-prem there is a next-hop Layer 3 device where I would send traffic for my inside network from the PA when I have more than one Network (VLAN). Since I only have the Virtual PA and the Azure-defined networks, I was trying to figure out how I could accomplish this. I ended up creating a 3rd Interface on the PA with the new subnet, put all the relevant routing on the PA and Azure in place, and it is all working now. I suspect you were correct. Having my GlobalProtect pool the same as my Inside LAN was probably causing routing issues.
Is there perhaps another way I could have resolved this?
Thanks for the help!
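The two points raised in this thread (the GP pool must not overlap an Azure subnet, and each internal subnet needs a UDR sending replies back to the firewall) can be checked before deploying. The script below is an added example, not code from the thread or from Palo Alto; the firewall inside IP 10.3.1.4 and the dedicated pool 10.3.50.0/24 are assumed values, and the 10.3.1.0/24 subnet is the one from the posts.

```python
import ipaddress

# Constructed values modelled on the thread: the inside subnet behind the PA,
# the pool that was first (wrongly) set to the same prefix, and a separate pool.
INSIDE_SUBNETS = {"inside": "10.3.1.0/24"}   # Azure subnets reachable via the PA
FW_INSIDE_IP = "10.3.1.4"                    # assumed: PA inside (trust) interface IP
GP_POOL_OVERLAPPING = "10.3.1.0/24"          # the pool that did not work
GP_POOL_SEPARATE = "10.3.50.0/24"            # assumed: dedicated pool, as in the fix


def pool_conflicts(gp_pool, subnets):
    """Names of Azure subnets the GlobalProtect pool overlaps (should be empty).
    An overlapping pool makes VMs treat GP clients as on-link neighbours instead
    of sending replies to the firewall, which is the symptom in the thread."""
    pool = ipaddress.ip_network(gp_pool)
    return sorted(name for name, cidr in subnets.items()
                  if pool.overlaps(ipaddress.ip_network(cidr)))


def udr_entries(gp_pool, fw_ip, subnets):
    """Routes each internal subnet's Azure route table needs so that traffic
    to GP clients is handed to the firewall (next hop type VirtualAppliance).
    Returns {subnet_name: [(route_name, prefix, next_hop_type, next_hop_ip)]}.
    The default route alone would cover the pool; the explicit pool route is
    kept so the path still works if the default route is ever moved elsewhere."""
    bad = pool_conflicts(gp_pool, subnets)
    if bad:
        raise ValueError(f"GP pool {gp_pool} overlaps subnet(s) {bad}; "
                         "use a dedicated prefix for the pool")
    fw = str(ipaddress.ip_address(fw_ip))
    routes = [("default-via-fw", "0.0.0.0/0", "VirtualAppliance", fw),
              ("gp-pool-via-fw", str(ipaddress.ip_network(gp_pool)),
               "VirtualAppliance", fw)]
    return {name: list(routes) for name in subnets}


if __name__ == "__main__":
    print("overlapping pool conflicts:",
          pool_conflicts(GP_POOL_OVERLAPPING, INSIDE_SUBNETS))
    for subnet, routes in udr_entries(GP_POOL_SEPARATE, FW_INSIDE_IP,
                                      INSIDE_SUBNETS).items():
        for name, prefix, hop_type, hop_ip in routes:
            print(f"{subnet}: {name} {prefix} -> {hop_type} {hop_ip}")
```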