VPN Client issue, Can't reach internal network?

Hi,

Good day!

I would like to ask what the problem could be.

For an outside user connecting via SSL VPN (VPN zone), the following works:

  1. It can connect and has an IP from the pool assigned.
  2. It can reach the internet using the assigned pool address.

The problem is that a user in the VPN zone can't reach the internal zone,
even though we already created a policy from the VPN zone to Internal (and vice versa).

When we trace, the last hop is the IP address of the VPN interface.

We also tried adding a static route with the tunnel interface as the exit interface, but it still doesn't work.

Also, based on the logs, there are bytes sent (from the VPN user) but no bytes received (no reply from the internal server).

But when we create a NAT policy from the VPN zone to Internal, it works. This doesn't scale well, though, since everything will be translated to one IP only.

What is missing in this setup?

Thank you

Do your internal zone systems have a route for the GP IP pool? If they don’t, you’ll either need to add one or use source NAT for your traffic going to the internal zone.

You can set up a filter for a test client under Monitor > Packet Capture, then go to the CLI when that user tries to reach the internal zone resource and check the counters:

show counter global filter delta yes packet filter yes

Run that command a few times; you should be able to see if any drops are happening on the firewall. My gut feeling says routing, though, especially since it works if you do NAT.

I had a similar issue, and needed to add a static route on our core for the GP pool, and things started working.

Sounds to me like you have some kind of subnet overlap. On your core (or whatever you have downstream from your Palo), check the routing table. Do you have a route that is summarized and maybe overlaps with your VPN subnet?
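The two replies above boil down to one check on the downstream device: for every address in the VPN pool, which route does the core actually pick for the return traffic, and does that route's next hop point back at the firewall? The script below is an added example (not code from this thread or from any vendor tool) that does that longest-prefix-match check over a constructed core routing table. The pool 10.200.0.0/24, the firewall address 10.10.10.254 and the "prefix next-hop source" table format are all made up for illustration; it shows both failure modes discussed (no route for the pool, and a summarized route that swallows the pool and sends the replies somewhere else).

```python
"""
Added example: check which route a downstream router would use for return
traffic to a GlobalProtect/SSL VPN pool and flag routes that do not point
at the firewall. All addresses and the routing table are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str   # "connected" or a gateway address
    source: str     # static / connected / ospf ... (informational only)


def parse_routes(lines):
    """Parse constructed 'prefix next_hop source' lines (comments after '#')."""
    routes = []
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        prefix, next_hop, source = line.split()
        routes.append(Route(ipaddress.ip_network(prefix, strict=False), next_hop, source))
    return routes


def lookup(routes, dst):
    """Longest-prefix match for dst; returns the chosen Route or None."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def overlapping_routes(routes, vpn_pool):
    """Routes whose prefix overlaps the pool, most specific first (the
    'summarized route that overlaps your VPN subnet' question)."""
    pool = ipaddress.ip_network(vpn_pool, strict=False)
    hits = [r for r in routes if r.prefix.overlaps(pool)]
    return sorted(hits, key=lambda r: r.prefix.prefixlen, reverse=True)


def check_return_path(routes, vpn_pool, firewall_ip):
    """Resolve every pool address and report addresses whose return path
    does not go to the firewall. An empty list means the path is fine."""
    pool = ipaddress.ip_network(vpn_pool, strict=False)
    by_route = {}                      # chosen Route (or None) -> address count
    for addr in pool:
        r = lookup(routes, addr)
        by_route[r] = by_route.get(r, 0) + 1

    findings = []
    for r, n in by_route.items():
        if r is None:
            findings.append(f"{n} pool address(es) have no route at all: replies are dropped")
        elif r.next_hop != firewall_ip:
            findings.append(
                f"{n} pool address(es) match {r.prefix} ({r.source}) via {r.next_hop}, "
                f"not the firewall {firewall_ip}: replies take the wrong path"
            )
    return findings


# Constructed core-switch routing tables: the summary toward another router
# swallows the pool in the first one; the second adds a specific route.
ROUTES_BROKEN = """
10.0.0.0/8        10.10.10.1    static     # summary toward the DC core, not the firewall
192.168.50.0/24   connected     connected  # internal server segment
0.0.0.0/0         10.10.10.254  static     # default toward the firewall
"""

ROUTES_FIXED = ROUTES_BROKEN + "10.200.0.0/24   10.10.10.254  static     # VPN pool back to the firewall\n"

VPN_POOL = "10.200.0.0/24"
FIREWALL = "10.10.10.254"

if __name__ == "__main__":
    for label, text in (("broken", ROUTES_BROKEN), ("fixed", ROUTES_FIXED)):
        routes = parse_routes(text.splitlines())
        print(f"[{label}] overlapping routes:",
              [str(r.prefix) for r in overlapping_routes(routes, VPN_POOL)])
        print(f"[{label}] findings:", check_return_path(routes, VPN_POOL, FIREWALL) or "none")
```

Run it against the real table exported from the core (one "prefix next-hop source" line per route) and the findings list tells you whether the pool is unrouted or captured by a summary; either way the fix is the specific static route toward the firewall, which is exactly why the source NAT workaround hides the problem.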

Hi,

Diagram:
VPN ZONE ----(tunnel interface)->(FW)<-----(L3)----- Internal Zone

  1. 1.1.1.X (VPN pool segment) 255.255.255.0 > tunnel interface
  2. 2.2.2.X (internal segment) 255.255.255.0 > tunnel interface

Noted on your comment; will check later and give you an update. Will also check downstream. Thank you.

Noted on this. But we created the sub-interfaces on the PA firewall, since it is already in the routing table as directly connected.