PA-440 Global Protect VPN - no Internet after connecting, only local resources

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

PA-440 Global Protect VPN - no Internet after connecting, only local resources

L0 Member

I've recently setup Global Protect Gateway/Portal but after connecting do not have access to Internet, only local resources.

A coworker and I have been going through the configuration comparing it to other working PA-220's we have at work but nothing seems to working.

Using Global Protect client 6.0.3

DNS for IP Pool is configured for 9.9.9.9 and 4.2.2.3

Any suggestions?

1 accepted solution

Accepted Solutions

L4 Transporter
Hello @JRECKNAGEL , good afternoon
 
In the Global Protect configuration, are you using Split tunnel? that is, are you only using the tunnel for your local tunnels? If so, for example, if you do not set any DNS, in the configuration (it makes sense since they are using public) of global protect, the client will use the DNS of the network from which it is connecting, that is, the DNS that it gives you the network of the house, cafe, restaurant, office etc etc.
 
Now if you are not using split, that is, you use 0.0.0.0/0, therefore you are forwarding all global protect VPN traffic, through Palo Alto, you must set the corresponding security rule(s) and the "NAT" policy is important. " ( Source Nat ) for the network segment you use for global protect so that it can go out to the Internet through the PA.
 
Now if you are using split for some resources, but you are fixing and setting the DNS, that DNS connection will be made through Palo Alto, then you must apply the security and NAT (Source Nat) policies that allow the network traffic from global protect to the DNS, example towards 9.9.9.9, 8.8.8.8, 1.1.1.1, etc. that is to say, the global protect network must go to resolve those public dns to the internet, then as it will do it through the PA, you must apply the NAT rule ( Source NAT ) for the global protect network with destination to those public DNS IPs and the security policy.
 
Best regards
High Sticker

View solution in original post

2 REPLIES 2

L4 Transporter
Hello @JRECKNAGEL , good afternoon
 
In the Global Protect configuration, are you using Split tunnel? that is, are you only using the tunnel for your local tunnels? If so, for example, if you do not set any DNS, in the configuration (it makes sense since they are using public) of global protect, the client will use the DNS of the network from which it is connecting, that is, the DNS that it gives you the network of the house, cafe, restaurant, office etc etc.
 
Now if you are not using split, that is, you use 0.0.0.0/0, therefore you are forwarding all global protect VPN traffic, through Palo Alto, you must set the corresponding security rule(s) and the "NAT" policy is important. " ( Source Nat ) for the network segment you use for global protect so that it can go out to the Internet through the PA.
 
Now if you are using split for some resources, but you are fixing and setting the DNS, that DNS connection will be made through Palo Alto, then you must apply the security and NAT (Source Nat) policies that allow the network traffic from global protect to the DNS, example towards 9.9.9.9, 8.8.8.8, 1.1.1.1, etc. that is to say, the global protect network must go to resolve those public dns to the internet, then as it will do it through the PA, you must apply the NAT rule ( Source NAT ) for the global protect network with destination to those public DNS IPs and the security policy.
 
Best regards
High Sticker

L0 Member

Thanks a bunch!

Once I added my REMOTE_ACCESS security zone to my NAT rule, Internet worked like a champ!

Thanks again for the proving a quick solution!

  • 1 accepted solution
  • 3355 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!