[THIN] Re: CAG SSL VPN

  • From: "Steve Greenberg" <steveg@xxxxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Wed, 30 Apr 2008 12:14:20 -0700

Do you mean how would external SSL VPN users get a response from the CAG? If
that is the question I think the CAG already knows/assumes that those
sessions are on the external interface and will be able to communicate with
them by default. Do you have a test system you can try it on?

Steve Greenberg

Thin Client Computing

34522 N. Scottsdale Rd D8453

Scottsdale, AZ 85266

(602) 432-8649

www.thinclient.net

steveg@xxxxxxxxxxxxxx


From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Chad Schneider (IT)
Sent: Wednesday, April 30, 2008 11:26 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: CAG SSL VPN

I don't think that would work.  Int0 is pointing external, Int1 is internal.

If I change the CAG default gateway to the INT1, how would external people
connecting know where to go, without the external default gateway?

Chad Schneider
Systems Engineer
ThedaCare IT
920-735-7615

>>> On 4/30/2008 at 11:57 AM, <steveg@xxxxxxxxxxxxxx> wrote:


That's why I was asking about the default gateway of the CAG, wouldn't it
need to be pointing toward the internal gateway to do what you want?


Steve Greenberg
Thin Client Computing
34522 N. Scottsdale Rd D8453
Scottsdale, AZ 85266
(602) 432-8649
www.thinclient.net
steveg@xxxxxxxxxxxxxx


-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Chad Schneider (IT)
Sent: Tuesday, April 29, 2008 7:04 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: CAG SSL VPN

internet-----PaloAltoNetwork(Firewall)------CAG(External)(206.x.x.x)-------CAG(Internal)(10.x.x.x)

User connects, gets a 10.x.x.x address.  Requests for external web pages,
for some reason, are attempting to go back out the CAG(External) to the
PaloAlto(Firewall).

I would think that all web traffic to the internet, once connected,
would be routed via the CAG(Internal) to the internal network, then go
back out via the PaloAltoNetwork(Firewall).

Chad Schneider
Systems Engineer
ThedaCare IT
920-735-7615
>>> Marc-André Lapierre <malapierre@xxxxxxxxxxx> 04/29/08 8:36 PM >>>
Send us a diagram of the network, it would help us a lot!

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Chad Schneider (IT)
Sent: 29 April 2008 14:09
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: CAG SSL VPN

Default Gateway of the appliance is external.  We specify internal
default gateway with internal IP Pools.

Split tunneling is not enabled.  Split DNS is not enabled.

Chad Schneider
Systems Engineer
ThedaCare IT
920-735-7615

>>> On 4/29/2008 at 11:43 AM, <steveg@xxxxxxxxxxxxxx> wrote:
Did you set the default gateway of the CAG to be the LAN connection or
the outside connection of the CAG? Also, how is Split Tunnelling and
Split DNS set?




Steve Greenberg

Thin Client Computing

34522 N. Scottsdale Rd D8453

Scottsdale, AZ 85266

(602) 432-8649

www.thinclient.net
steveg@xxxxxxxxxxxxxx

________________________________
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Chad Schneider (IT)
Sent: Tuesday, April 29, 2008 5:59 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] CAG SSL VPN

Our internet team put in a new firewall.  Since this happened, when making
an SSL VPN connection to us via the CAG, we can no longer get to
websites outside of ThedaCare.  Unable to even ping.  Internet team
states firewall is configured the same as old one (not possible, as that
one worked).  They state that users get through the firewall, to the
CAG, and get the internal IP, as designed.  The problem is that requests
for external websites then go back out through the CAG external
interface, back to the firewall.  I am not sure this is right.  I
thought that once they got an internal IP, all traffic would be
internal, and internet traffic would be routed through the internal
interface, then back out through the firewall.

Thoughts?


Chad Schneider
Systems Engineer
ThedaCare IT
920-735-7615
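The whole thread turns on one routing question: with split tunneling off, which interface does a VPN client's internet-bound traffic leave the appliance on, and what happens to replies to the remote user if the default gateway is moved? The script below is an added illustration written for this page; it is not from any post in the thread and does not describe the Citrix Access Gateway's real forwarding logic. It models a two-interface appliance with an ordinary destination-based route table plus an optional source-based rule standing in for an "internal default gateway for the IP pool", then walks through the three configurations the participants argue about. All addresses are constructed from documentation ranges in place of the masked 206.x.x.x and 10.x.x.x values, and the interface names, hosts and helper functions are assumptions of the model.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed addresses (RFC 5737 documentation ranges) standing in for the
# thread's masked 206.x.x.x external and 10.x.x.x internal values.
FIREWALL_INSIDE = "203.0.113.1"   # firewall interface facing the CAG external side
CAG_EXTERNAL = "203.0.113.10"     # appliance address on Int0 (external)
CAG_INTERNAL = "10.0.0.10"        # appliance address on Int1 (internal)
LAN_GATEWAY = "10.0.0.1"          # internal router that reaches the rest of the LAN
VPN_POOL = "10.0.50.0/24"         # addresses handed to SSL VPN clients
INTERNET_HOST = "198.51.100.80"   # a web server outside the organisation
REMOTE_USER = "198.51.100.50"     # public address of an SSL VPN user


@dataclass
class Route:
    prefix: ipaddress.IPv4Network   # destination prefix
    iface: str                      # "external" (Int0) or "internal" (Int1)
    via: str                        # next hop, or "connected"


@dataclass
class PolicyRoute:
    src_prefix: ipaddress.IPv4Network   # matched on the packet's source, not destination
    iface: str
    via: str


@dataclass
class RoutingTable:
    routes: List[Route]
    policy: List[PolicyRoute] = field(default_factory=list)

    def lookup(self, src: str, dst: str) -> Tuple[str, str]:
        """Return (interface, next_hop). Source-policy rules are consulted
        first; otherwise plain longest-prefix match on the destination."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for p in self.policy:
            if s in p.src_prefix:
                return p.iface, p.via
        best: Optional[Route] = None
        for r in self.routes:
            if d in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        if best is None:
            raise LookupError(f"no route to {dst}")
        return best.iface, best.via


def build_table(default_gateway_external: bool, pool_gateway_internal: bool) -> RoutingTable:
    """Model the appliance's forwarding table for the thread's topology (assumed model).

    default_gateway_external: the appliance-wide default route points at the
        firewall on the external interface (Chad's configuration) instead of
        at the LAN gateway on the internal interface (Steve's suggestion).
    pool_gateway_internal: a source-based rule sends everything sourced from
        the VPN pool to the internal gateway, one way to model an
        "internal default gateway for the IP pool".
    """
    net = ipaddress.ip_network
    routes = [
        Route(net("203.0.113.0/24"), "external", "connected"),
        Route(net("10.0.0.0/24"), "internal", "connected"),
        Route(net("10.0.0.0/8"), "internal", LAN_GATEWAY),   # rest of the LAN
    ]
    if default_gateway_external:
        routes.append(Route(net("0.0.0.0/0"), "external", FIREWALL_INSIDE))
    else:
        routes.append(Route(net("0.0.0.0/0"), "internal", LAN_GATEWAY))
    policy = [PolicyRoute(net(VPN_POOL), "internal", LAN_GATEWAY)] if pool_gateway_internal else []
    return RoutingTable(routes, policy)


def egress(default_gateway_external: bool, pool_gateway_internal: bool,
           src: str, dst: str) -> Tuple[str, str]:
    """Which interface and next hop a packet from src to dst leaves on."""
    return build_table(default_gateway_external, pool_gateway_internal).lookup(src, dst)


if __name__ == "__main__":
    client = "10.0.50.7"   # a VPN client address from the pool
    # 1. Appliance default gateway external, no source rule: a destination-only
    #    lookup ignores the client's pool address, so web traffic leaves Int0
    #    towards the firewall, which is what Chad observed.
    print("default external     :", egress(True, False, client, INTERNET_HOST))
    # 2. Same table plus a source rule for the pool: client traffic goes to the
    #    LAN gateway on Int1 and out through the firewall from inside, Chad's expectation.
    print("pool rule internal   :", egress(True, True, client, INTERNET_HOST))
    # 3. Move the appliance default gateway to Int1 instead: client traffic goes
    #    internal, but a reply from the external address to the remote user's
    #    public IP is also routed to Int1, which is Chad's objection. This model
    #    has no session tracking of the kind Steve's last reply refers to.
    print("default internal     :", egress(False, False, client, INTERNET_HOST),
          egress(False, False, CAG_EXTERNAL, REMOTE_USER))
```

The point the model makes is that a destination-based default route never looks at where a packet came from, so an "internal gateway for the pool" only changes the outcome if it is applied as a source-based rule before the ordinary lookup; if that rule is absent or not honoured, the pool traffic follows the appliance-wide default route out the external interface. Conversely, moving that default route to the internal side fixes the client traffic in this model but misroutes replies to external users unless something else (session state, a specific route back to the firewall) handles them.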

************************************************
For Archives, RSS, to Unsubscribe, Subscribe or 
set Digest or Vacation mode use the below link:
//www.freelists.org/list/thin
************************************************

