PaloAlto Global Protect Internal Routing

aBITtooTALL68
Level 1

Hello,

I have been implementing our Palo Alto GlobalProtect VPN and we have been having trouble accessing internal resources after setting security policies. I had an amateur question that I would appreciate any input on.

When setting up the agent connection, a unique IP address is created and assigned within the firewall to the GP client. The client has set policies that allow traffic into the intrazone from the outside interface on the firewall. Do I still need to build a VLAN interface for this unique IP range within my 9200 core and assign it to the trunk ports? I am not sure how the traffic is able to traverse our network to our internal servers without the internal network knowing about the unique IP range, which currently exists solely in the firewall.

Accepted Solution

@aBITtooTALL68 

Usually the firewall performs NAT translation and has a route towards the internal network.

It is not a good idea to have the client VPN on the same segment as the internal network.

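The point in the accepted answer is that the internal network never has to learn the GlobalProtect pool itself: what matters is that the servers' replies can get back to the firewall. The following simulation is an added example, not code from the thread or from Palo Alto; it uses a constructed topology (pool 10.99.0.0/24, server VLAN 10.10.10.0/24, a core-to-firewall transit link, and a separate default-route next hop) to compare three cases: no NAT and no route for the pool on the core, no NAT with a static route for the pool pointing at the firewall, and source NAT to the firewall's inside address. It generalizes the thread slightly by showing both the NAT option and the plain routing option side by side.

```python
import ipaddress

# Constructed topology for this illustration only (RFC 1918 / RFC 5737 addresses).
VPN_POOL = ipaddress.ip_network("10.99.0.0/24")      # GlobalProtect client pool, known only to the firewall
SERVER_VLAN = ipaddress.ip_network("10.10.10.0/24")  # internal server VLAN, an SVI on the core
TRANSIT_VLAN = ipaddress.ip_network("10.10.1.0/30")  # core <-> firewall link
FW_INSIDE_IP = ipaddress.ip_address("10.10.1.1")     # firewall's inside interface on the transit link
EDGE_ROUTER = ipaddress.ip_address("192.0.2.1")      # where the core's default route points (constructed)
SERVER_IP = ipaddress.ip_address("10.10.10.50")
CLIENT_IP = ipaddress.ip_address("10.99.0.7")        # pool address handed to one GP client


def lookup(routes, dst):
    """Longest-prefix match over [(network, next_hop)].
    next_hop is the string 'connected' for subnets the router is attached to."""
    best = None
    for net, next_hop in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def core_routes(pool_route_to_firewall):
    """Routing table of the core switch. Only the connected VLANs and a default
    route are present unless a static route for the VPN pool is added."""
    routes = [
        (SERVER_VLAN, "connected"),
        (TRANSIT_VLAN, "connected"),
        (ipaddress.ip_network("0.0.0.0/0"), EDGE_ROUTER),
    ]
    if pool_route_to_firewall:
        routes.append((VPN_POOL, FW_INSIDE_IP))
    return routes


def vpn_session(source_nat, pool_route_to_firewall):
    """Simulate one client -> server request and the server's reply.
    Returns what the server saw as the source, the core's next hop for the reply,
    and whether that reply actually gets back to the firewall (and so to the client)."""
    # 1. The firewall decapsulates the tunnel packet and forwards it inside.
    #    With source NAT the server sees the firewall's inside IP, not the pool address.
    src_seen_by_server = FW_INSIDE_IP if source_nat else CLIENT_IP

    # 2. The server answers whatever source it saw; the core routes that answer.
    next_hop = lookup(core_routes(pool_route_to_firewall), src_seen_by_server)

    if next_hop == "connected":
        # The destination is on a VLAN the core is attached to; it reaches the firewall
        # only if the destination is the firewall's own inside address.
        reaches_firewall = src_seen_by_server == FW_INSIDE_IP
    else:
        reaches_firewall = next_hop == FW_INSIDE_IP

    # The firewall's reverse NAT lookup (mapping the reply back to the client) is implied here.
    return {
        "server_sees": str(src_seen_by_server),
        "reply_next_hop": str(next_hop),
        "reply_reaches_firewall": reaches_firewall,
    }


if __name__ == "__main__":
    for nat, route in [(False, False), (False, True), (True, False)]:
        print(f"source_nat={nat} pool_route={route}: {vpn_session(nat, route)}")
```

In the first case the reply to 10.99.0.7 follows the core's default route away from the firewall and the session never completes, which is the symptom of a pool the rest of the network has never heard of. Either of the other two fixes works: a static route for the pool on the core (no VLAN interface is required, just a route), or source NAT on the firewall so that servers only ever see an address on a subnet the core already knows. If the core's default route already points at the firewall, the untranslated reply would find its way back as well; the simulation pins the default elsewhere to make the failure visible.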

3 Replies

Thank you for your reply, I really appreciate it.

This absolutely makes sense. To reiterate in my own words, the firewall NAT translation policy will translate the source address to something the network is familiar with, rather than allowing the traffic directly, which is a huge security risk.
