topic Re: GlobalProtect Portal has a problem with DHCP Ext interface in General Topics

GlobalProtect Portal has a problem with DHCP Ext interface

jwolach — Mon, 15 Oct 2012 19:48:37 GMT

I'm hoping that someone from PAN Support or Development can answer this question. I have been fighting with this for weeks now and have narrow the problem down to the GP Portal service.

Scenario

I have a PA-200 in my lab with two Layer3 interfaces defined. The Internal L3 interface has a Static IP for the local network, while the other L3 interface gets it's IP Dynamically from the Comcast ISP. I configured my GlobalProtect Portal & External Gateway to use the L3 interface that is dynamically addressed. From the Public side, users can access the Portal and Gateway just fine. From the local network, users cannot access the Portal or Gateway, even though I have configured my Source-NAT to not NAT traffic sourced from the LAN destined for the Public IP address. Now, here's where it gets weird. I have other computers on my local network that have Public DNS names, so I've created U-Turn NATs to access these devices. Everything works great! I even took away the GP Portal & Gateway from the Public IP interface and tried NATting traffic for the Portal & Gateway to Loopback addresses. Same problem, even worst. Not even users from the Public side can connect to the Portal & Gateway while the Public IP is dynamically assigned. When I make the Public interface a Static IP address everything, including the GP Portal & Gateway NATted to the loopback works great.

There seems to be an issue with the GP Portal & Gateway service when trying to connect if the IPs are dynamically assigned on the interface they are bound to or being NATted from.

Can someone in PAN Support or Development please shed some light on this issue?

Thanks,

Jeff

Re: GlobalProtect Portal has a problem with DHCP Ext interface

mikand — Tue, 16 Oct 2012 02:30:20 GMT

Just to clearify regarding your user from local network, that is not to reach users on the public network but rather setup a VPN (or whatever) towards the portal-ip just like the public users?

If its the later - what about if your local users connect to the internal L3 ip instead?

You should be able to deal with this by the help of the dns.

If the user is externally then your external authoritive dns-server will reply to "vpn.example.com" with the external ip. But when they are on the inside your internal authoritive dns-servers (or if you have the same hardware for both cases then use views in your dnsserver) will reply to "vpn.example.com" with the internal ip.

Re: GlobalProtect Portal has a problem with DHCP Ext interface

jwolach — Wed, 17 Oct 2012 00:28:53 GMT

Hi,

Thanks for the suggestion. However, this is a workaround and not a solution to a problem with the PAN OS. I really would like to find out why I have a problem with a DHCP addressed interface and not a Statically addressed interface.

Thx

Jeff

Re: GlobalProtect Portal has a problem with DHCP Ext interface

mikand — Wed, 17 Oct 2012 09:05:09 GMT

I dont know if its the case you are facing but a solution for a similar question was to remove the ip address you specify in the portal configuration (in the PA box).

Re: GlobalProtect Portal has a problem with DHCP Ext interface

jwolach — Wed, 17 Oct 2012 10:34:46 GMT

I'm not sure what you mean. When you configure the Portal interface to be a L3 interface that's dynamically addressed the IP address is already set to None. Could you please elaborate?

Re: GlobalProtect Portal has a problem with DHCP Ext interface

mikand — Wed, 17 Oct 2012 20:49:04 GMT

Sorry for the confusion... I was most likely thinking of the stuff you already have done (the same stuff as described in )