09-23-2013 04:03 AM
Hi!
Basic info:
PA-500 (software version 5.0.7)
Main location network: 10.10.1.0/24
Branch location network: 192.168.1.0/24
GlobalProtect client IP pool: 10.10.3.10 - 10.10.3.254
We have main location network and branch location network connected thru IPSec VPN. Our PA-500 is located on main location and handles GlobalProtect clients connections. When we connect thru GlobalProtect client, we are able to access only main location network, but cannot access branch network. How to configure that? By adding another proxy ID to IPSec tunnel? (local: 10.10.3.0/24, remote: 192.168.1.0/24 in main location and vice versa on branch location)
Thanks!
09-23-2013 09:39 AM
Hello kpv,
So I understand from your description that only the Branch location network is inaccessible by the GP users.
Do you have,
1. Proxy Id for the GP subnet and remote subnet (if doing a policy based ipsec vpn)
2. Security policy from GP-tunnel zone to the Ipsec-tunnel zone on the PA500.
3. Return route/access from branch network to the GP subnet on the Peer side.
Thanks,
Aditi
09-23-2013 04:08 AM
What did you configure for the access route? (GlobalProtect configuration)
09-23-2013 04:25 AM
Access route:
10.10.1.0/24
192.168.1.0/24
And I forgot to mention before: I don't know what appliance is at the other end of the tunnel (main - branch). Someone else will configure that one.
09-23-2013 05:03 AM
Have you set a route on the Branch location back to the Main location as well?
Known as a back route.
09-23-2013 05:17 AM
Can't tell, I have no access to the appliance. But the VPN works fine: main - branch.
09-23-2013 05:37 AM
The VPN can work as is, independently of the route.
Steps:
1. create the VPN
2. set the route
3. set the security rules
09-23-2013 06:19 AM
Then you just need a source NAT rule.
(if you have a security rule)
Write a NAT rule for source address 10.10.3.10 - 10.10.3.254, select the source zone and the destination zone as branch, and for source NAT choose dynamic IP and port / interface, selecting the Main Location interface.
Then you should be able to access the branch without problems.
09-23-2013 06:50 AM
Thanks for now. I will look into security and will be back.
09-23-2013 02:21 PM
Was just having the same problem. Turned out to be a return route as apasupulati suggested in item #3 of his post. Similar setup here in this post: Client VPN traffic and routing over IPsec Tunnel
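As an added illustration (not code from the thread, from Palo Alto Networks, or from any poster), the following Python model encodes the three conditions Aditi lists (proxy-ID on both ends, security policy from the GP tunnel zone to the IPsec tunnel zone, return route on the branch side) together with the source-NAT alternative from the earlier reply, and shows which of them is missing for GP-client-to-branch traffic. It assumes the zone names `gp-tunnel` and `ipsec-tunnel`, treats the 10.10.3.10 - 10.10.3.254 pool as 10.10.3.0/24 (as the original question does), and uses 10.10.1.1/32 as a made-up interface address for the NAT case; none of those values come from the page.

```python
import ipaddress


def net(cidr):
    """Parse a CIDR string into an IPv4Network (host bits are masked off)."""
    return ipaddress.ip_network(cidr, strict=False)


class Firewall:
    """Minimal model of one VPN endpoint: its proxy-IDs, routes, security and NAT rules.
    Constructed for this example; it is not a PAN-OS API."""

    def __init__(self, name, proxy_ids=(), routes=(), security_rules=(), nat_rules=()):
        self.name = name
        self.proxy_ids = [(net(l), net(r)) for l, r in proxy_ids]            # (local, remote)
        self.routes = [net(r) for r in routes]                                # reachable destinations
        self.security_rules = [(fz, tz, net(s), net(d)) for fz, tz, s, d in security_rules]
        self.nat_rules = [(fz, tz, net(s), net(d), net(t)) for fz, tz, s, d, t in nat_rules]

    def has_proxy_id(self, local, remote):
        return any(local.subnet_of(l) and remote.subnet_of(r) for l, r in self.proxy_ids)

    @staticmethod
    def matching(rules, from_zone, to_zone, src, dst):
        """Rules whose zones match and whose source/destination cover the flow."""
        return [r for r in rules if r[0] == from_zone and r[1] == to_zone
                and src.subnet_of(r[2]) and dst.subnet_of(r[3])]

    def routes_to(self, dst):
        return any(dst.subnet_of(r) for r in self.routes)


def check_gp_to_branch(main, branch, gp_pool, branch_net, gp_zone, vpn_zone):
    """Return the list of missing pieces for GP client -> branch traffic (empty = should work)."""
    findings = []
    if not main.routes_to(branch_net):
        findings.append(f"{main.name}: no route to {branch_net} via the tunnel")
    # Source NAT on the main firewall changes which address the branch must route back to.
    src = gp_pool
    nat = Firewall.matching(main.nat_rules, gp_zone, vpn_zone, gp_pool, branch_net)
    if nat:
        src = nat[0][4]
    # Item 2: security policy from the GP tunnel zone to the IPsec tunnel zone (pre-NAT addresses).
    if not Firewall.matching(main.security_rules, gp_zone, vpn_zone, gp_pool, branch_net):
        findings.append(f"{main.name}: no security rule {gp_zone} -> {vpn_zone} for {gp_pool} -> {branch_net}")
    # Item 1: proxy-IDs must cover the post-NAT source on both ends, mirrored.
    if not main.has_proxy_id(src, branch_net):
        findings.append(f"{main.name}: no proxy-ID local={src} remote={branch_net}")
    if not branch.has_proxy_id(branch_net, src):
        findings.append(f"{branch.name}: no proxy-ID local={branch_net} remote={src}")
    # Item 3: the branch needs a return route for the (post-NAT) source.
    if not branch.routes_to(src):
        findings.append(f"{branch.name}: no return route for {src}")
    return findings


GP_POOL, MAIN_NET, BRANCH_NET = "10.10.3.0/24", "10.10.1.0/24", "192.168.1.0/24"


def scenario(main_gp_proxy=False, branch_gp_proxy=False, branch_return_route=False, source_nat=False):
    """Build the thread's topology with the chosen fixes applied and run the check.
    The site-to-site proxy-ID and routes are assumed to already exist (the VPN 'works fine')."""
    main_proxy = [(MAIN_NET, BRANCH_NET)]
    branch_proxy = [(BRANCH_NET, MAIN_NET)]
    branch_routes = [BRANCH_NET, MAIN_NET]
    nat = []
    if main_gp_proxy:
        main_proxy.append((GP_POOL, BRANCH_NET))
    if branch_gp_proxy:
        branch_proxy.append((BRANCH_NET, GP_POOL))
    if branch_return_route:
        branch_routes.append(GP_POOL)
    if source_nat:  # hide the GP pool behind an assumed main-location interface address
        nat.append(("gp-tunnel", "ipsec-tunnel", GP_POOL, BRANCH_NET, "10.10.1.1/32"))
    main = Firewall("PA-500", proxy_ids=main_proxy, routes=[MAIN_NET, GP_POOL, BRANCH_NET],
                    security_rules=[("gp-tunnel", "ipsec-tunnel", GP_POOL, BRANCH_NET)],
                    nat_rules=nat)
    branch = Firewall("branch", proxy_ids=branch_proxy, routes=branch_routes)
    return check_gp_to_branch(main, branch, net(GP_POOL), net(BRANCH_NET), "gp-tunnel", "ipsec-tunnel")


if __name__ == "__main__":
    for label, kwargs in [("as posted", {}),
                          ("proxy-IDs only", dict(main_gp_proxy=True, branch_gp_proxy=True)),
                          ("proxy-IDs + return route",
                           dict(main_gp_proxy=True, branch_gp_proxy=True, branch_return_route=True)),
                          ("source NAT instead", dict(source_nat=True))]:
        print(label, "->", scenario(**kwargs) or "OK")
```

The "proxy-IDs only" case reproduces the situation in the last reply: the tunnel carries the packets out, but without a branch route for 10.10.3.0/24 nothing comes back. The source-NAT case passes with no extra proxy-ID or route because the branch already routes and proxies 10.10.1.0/24; the trade-off is that the branch then sees the firewall's interface address instead of the individual GP client.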