[THIN] Re: CAG SSL VPN

  • From: "Chad Schneider (IT)" <Chad.M.Schneider@xxxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Tue, 29 Apr 2008 21:04:14 -0500

internet-----PaloAltoNetwork(Firewall)------CAG(External)(206.x.x.x)-------CAG(Internal)(10.x.x.x)

User connects, get a 10.x.x.x address.  Requests for external web pages,
for some reason, are attempting to go back out the CAG(External) to the
PaloAlto(Firewall).  

I would think that all web traffic to the internet, once connected,
would be routed via the CAG(Internal) to the internal network, then go
back out via the PaloAltoNetwork(Firewall).

Chad Schneider
Systems Engineer
ThedaCare IT
920-735-7615
>>> Marc-André Lapierre <malapierre@xxxxxxxxxxx> 04/29/08 8:36 PM >>>
Send us a diagram of the network, it would help us a lot!

De : thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] De la
part de Chad Schneider (IT)
Envoyé : 29 avril 2008 14:09
À : thin@xxxxxxxxxxxxx
Objet : [THIN] Re: CAG SSL VPN

Default Gateway of the appliance is external.  We specifiy internal
default gateway with internal IP Pools.

Split tunneling is not enabled.  Split DNS is not enabled.

Chad Schneider
Systems Engineer
ThedaCare IT
920-735-7615

>>> On 4/29/2008 at 11:43 AM, <steveg@xxxxxxxxxxxxxx> wrote:
Did you set the default gateway of the CAG to be the LAN connection or
the outside connection of the CAG? Also, how is Split Tunnelling and
Split DNS set?




Steve Greenberg

[cid:image001.png@01C8AA41.1FBF5C50]Thin Client Computing

34522 N. Scottsdale Rd D8453

Scottsdale, AZ 85266

(602) 432-8649

www.thinclient.net
steveg@xxxxxxxxxxxxxx

________________________________
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Chad Schneider (IT)
Sent: Tuesday, April 29, 2008 5:59 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] CAG SSL VPN

Our internet team, put in a new firewall.  Since this happened, making
an SSL VPN connection to us via the CAG, we can no longer get to
websites outside of Thedacare.  Unable to even ping.  Internet team
states firewall is configured the same as old one (not possible, as that
one worked).  They state that users get through the firewall, to the
CAG, and get the internal IP, as designed.  The problem is that requests
for external websites then go back ou through the CAG external
interface, back to the firewall.  I am not sure this is right.  I
thought that once they got an internal IP, all traffic would be
internal, and internet traffic would be routed through the internal
interface, then back out through the firewall.

Thoughts?


Chad Schneider
Systems Engineer
ThedaCare IT
920-735-7615

************************************************
For Archives, RSS, to Unsubscribe, Subscribe or 
set Digest or Vacation mode use the below link:
//www.freelists.org/list/thin
************************************************

Other related posts: