topic Re: Enabling S2S VPN based tools accessible on Global Protect VPN in GlobalProtect Discussions

Enabling S2S VPN based tools accessible on Global Protect VPN

PA_User10 — Fri, 16 May 2025 16:34:00 GMT

Hello Team,

We want to use the same subnet used in the office(on which S2S VPN is configured) to be configured for Global Protect VPN so that users will be able to access the S2S VPN tools.

For ex:- Office subnet- 172.21.0.0/16

S2S VPN Subnet- 172.21.10.0/24

Global Protect VPN-172.21.10.100-172.21.10.200

Kindly suggest regarding the possibilities.

Re: Enabling S2S VPN based tools accessible on Global Protect VPN

JayGolf — Wed, 21 May 2025 00:16:30 GMT

Hi @PA_User10 ,

I would recommend to use non-overlapping IP pools for your S2S,GlobalProtect client pool, and office. If you need to stay within the 172.21.0.0/16 range, you can break up the /16 as follows:

Office Subnet: 172.16.0.0/23

GlobalProtect client pool: 172.16.10.0/24

S2S Subnet: 172.16.20.0/24

This keeps your design within your 172.16.0.0/16 block while giving you dedicated subnets for each function.

Re: Enabling S2S VPN based tools accessible on Global Protect VPN

reaper — Thu, 22 May 2025 08:22:29 GMT

This is perfectly possible but does come with a bunch of caveats

you'll need to have the tunnel interface in the trust zone so the ip pool can be part of the same broadcast domain as the physical network (the firewall will take care of that if the interface is in the same zone)

your on-prem DHCP (firewall or AD typically) will need to have a blank reservation for the entire IP pool so it does not assign those IPs

alternatively: have you considered source NAT ?

That way you can have the ip pool be a non-verlapping subnet, put the tunnel interface in a different zone, and simply source-NAT outbound S2S connections behind an office IP