It is indeed really strange. NetConnect installs fine without any errors. But connecting is not working... it seems! The NetConnect client says it is trying to connect but disconnects because it can't get a local IP address from the client VPN pool. Not true! It does get an IP; you can check it out on the PA under the "More Users Info" from the SSLVPN. All security rules from zone SSLVPN are hit, so there is a connection. When trying to connect to local resources, it works! But performance is really, I mean REALLY slow. So there is still a lot of work to do. Attached is a part of the panlog.txt, which was obtained from the TechSupport in the NetConnect client.
"Basically, if you put in an address of 12.x.x.1/27, for example, on an external interface of the pan, that means that we are going to be listening for all of the IPs in that range (27 bit mask = 30 addresses)." Ah, that makes more sense. In our current configuration, we use a small handful of that 30 address range to NAT individual websites and domains that we serve to the Internet. Multiple sites under multiple domains. The existing firewall requires each public address to be entered as a secondary on the external interface before you can put it in the NAT table. I'll have to look at your suggestions on the NAT policy in the PA-500. It seems that my preconceptions from previous firewalls are leading me astray when it comes to these new (and *better!*) ways of doing the same things. Thanks for your help!