topic Re: Get a defined target IP Adress and Subnet via GlobalProtect (PA-460) in GlobalProtect Discussions

Get a defined target IP Adress and Subnet via GlobalProtect (PA-460)

SaArlt — Tue, 12 Mar 2024 16:34:07 GMT

I have a target system that I need to access via WebUI. The system is reachable via its IP address 192.168.255.129 with a /24 (255.255.255.0) subnet. Furthermore the system expects a client IP address of 192.168.255.130, any other IP address will be rejected. The target system is a "proprietary blackbox", which means these settings cannot be changed.

Any locally connected client can reach the target system via the above mentioned IP settings.

My objective is to reach this system now via a GlobalProtect VPN connection, so I set the DHCP IP pool of the gateway configuration to the target systems network (192.168.255.0/24) .

I wasn't able reach the target system, yet.

I'm facing different issues, here:

I set the IP pool to 192.168.255.0/24 for the needed 255.255.255.0 subnet mask. However, if I look into the network settings, I have a subnet of 255.255.255.255 configured for the virtual adapter. Shouldn't this be the expected 255.255.255.0 subnet?

How can I force my client to use the 192.168.255.130 address? I couldn't come up with an idea, yet. If I set the DHCP range to 192.168.255.130-192.168.255.131 for instance as I need the /24 subnet which is not possible to configure when defining a range like this.

Thanks a lot in advance for your help

Re: Get a defined target IP Adress and Subnet via GlobalProtect (PA-460)

kiwi — Wed, 13 Mar 2024 11:24:00 GMT

Hi @SaArlt ,

With the option "Retrieve Framed-IP-Address attribute from authentication server" you can assign a fixed IP address to GP users with AD (LDAP) Authentication.

Check if the following article can help you:

How to Assign a Fixed IP address to GlobalProtect Users with Active Directory (LDAP) Authentication using the Framed-IP-Address attribute.

Hope this helps,

Kim.

Re: Get a defined target IP Adress and Subnet via GlobalProtect (PA-460)

SaArlt — Thu, 14 Mar 2024 15:38:37 GMT

Hi @kiwi ,

thanks a lot for your answer. I'm not using an AD but local users I configured in the local user database in this setup, so I'm afraid that "Retrieve Framed-IP-Address attribute from authentication server" might not help fixing my issue.

Meanwhile I found this method to be able to receive a static IP address with my client pc which seems to work:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIMCA0

My ethernet configuration still shows me I have a subnet mask of 255.255.255.255 configured and I still cannot reach the target machine. From my understanding a matching subnet mask of both communicating machines is obligatory so they're able to find themselves via ARP broadcasting.

So how's it possible to configure a matching subnet mask of 255.255.255.0?

Thanks a lot.

Best,

Sascha

Re: Get a defined target IP Adress and Subnet via GlobalProtect (PA-460)

SaArlt — Mon, 18 Mar 2024 09:19:43 GMT

Any ideas here?

Any help would be highly appreciated.

Thanks a lot.

Kind Regards,

Sascha

Re: Get a defined target IP Adress and Subnet via GlobalProtect (PA-460)

reaper — Mon, 18 Mar 2024 14:07:26 GMT

this is a remote user VPN connection, you will not get a /24 subnetmask as you're behind a VPN tunnel and this is your local IP (assigning a /24 would make that a locally connected network)

Furthermore you shouldn't share the same subnet on a physical interface and the GP pool as that will inevitably introduce routing issues (these are 2 different 'networks')

that said, if the proprietary blackbox needs to be reached from a system in it's own subnet, I propose you set up NAT that masks GP users behind the dataplane interface IP of the interface connecting to the black box

e.g

GP IP pool 10.0.0.0/24

dataplane interface 192.168.255.130/24

NAT rule from 10.0.0.0/24 to 192.168.255.129 source NAT 192.168.255.130

that should fiox your issue