https://live.paloaltonetworks.com/t5/general-topics/multiple-ssl-vpn-tunnels-to-same-endpoint-possible/m-p/25866#M18872 <HTML><HEAD></HEAD><BODY><P>hi Kelly.</P><P></P><P>The DMZ is a public routable IP address, so it should be dead easy.</P><P></P><P>I just wasn't sure what I'd need to let in from outside to the destination IP address - now I do.</P><P></P><P>Thanks for your help, and I can go away and set it up now.</P><P></P><P>Cheers!</P></BODY></HTML> Thu, 25 Nov 2010 05:41:36 GMT dagibbs 2010-11-25T05:41:36Z https://live.paloaltonetworks.com/t5/general-topics/multiple-ssl-vpn-tunnels-to-same-endpoint-possible/m-p/25862#M18868 <HTML><HEAD></HEAD><BODY><P>Hi.</P><P></P><P>I run a pair of PA 2050's on my internet edge, and currently use them for terminating an SSL VPN for staff to remote access internal resources.</P><P></P><P>I want to put in a second SSL VPN, different IP range, different security zone, much more restricted for contractors/external support staff so I can let them logon and access specific services without giving carte blanche access to the rest of the network.</P><P></P><P>I tried building another SSL VPN and setting it up on the same external IP (our outside interface), but the OS wouldn't allow me to do so.</P><P></P><P>Is this possible? Or is there some workaround? Can I use an IP address on another interface (a DMZ) to terminate the second SSl VPN and just have the external staff login to that instead of the main one?</P><P></P><P>Thanks.</P></BODY></HTML> Thu, 25 Nov 2010 01:57:34 GMT https://live.paloaltonetworks.com/t5/general-topics/multiple-ssl-vpn-tunnels-to-same-endpoint-possible/m-p/25862#M18868 dagibbs 2010-11-25T01:57:34Z https://live.paloaltonetworks.com/t5/general-topics/multiple-ssl-vpn-tunnels-to-same-endpoint-possible/m-p/25863#M18869 <HTML><HEAD></HEAD><BODY><P>Hi there,</P><P></P><P>Yes, this is possible.&nbsp; You can configure multiple SSL VPN Portals on the device but they need to be bound to different IP addresses.&nbsp; One Portal would be for your corporate users and one would be for your external contractors.</P><P></P><P>You can use any L3 interface or sub-interface, including loopbacks and VLAN Interfaces, to bind the SSL VPN Portals.</P><P></P><P>Cheers,</P><P></P><P>Kelly</P></BODY></HTML> Thu, 25 Nov 2010 02:14:47 GMT https://live.paloaltonetworks.com/t5/general-topics/multiple-ssl-vpn-tunnels-to-same-endpoint-possible/m-p/25863#M18869 kbrazil 2010-11-25T02:14:47Z https://live.paloaltonetworks.com/t5/general-topics/multiple-ssl-vpn-tunnels-to-same-endpoint-possible/m-p/25864#M18870 <HTML><HEAD></HEAD><BODY><P>Kelly.</P><P></P><P>OK, so I've got an available IP address on a DMZ interface which is "inside" the normal external address - what security policy would I need to put in place to allow a VPN to terminate on this address? Being that this interface is in the "DMZ" zone?</P><P></P><P>Or would an interface management profile allowing http/https be sufficient to allow this to work?</P><P></P><P>Thanks.</P></BODY></HTML> Thu, 25 Nov 2010 02:21:22 GMT https://live.paloaltonetworks.com/t5/general-topics/multiple-ssl-vpn-tunnels-to-same-endpoint-possible/m-p/25864#M18870 dagibbs 2010-11-25T02:21:22Z https://live.paloaltonetworks.com/t5/general-topics/multiple-ssl-vpn-tunnels-to-same-endpoint-possible/m-p/25865#M18871 <HTML><HEAD></HEAD><BODY><P>If the IP address in the DMZ is a publicly routable address, then this should be pretty straightforward.&nbsp; You would have a policy from Untrust to DMZ zones allowing any IP to the SSL VPN IP.&nbsp; You would allow SSL, IKE, and IPSEC-ESP-UDP to the IP.</P><P></P><P>If the IP address is private then you will need a NAT policy in addition to the above Security policy.&nbsp; The NAT policy will be an out-bound source-nat from the SSL VPN IP out to the internet (DMZ to Untrust zone).&nbsp; Make sure the check the "bi-directional" checkbox on the source-nat translation window and you should be set.&nbsp; Put this rule at the top of the NAT policy in case there are other out-bound NAT rules that might take precedence.</P><P></P><P>Of course you will then need your DMZ to Trust security policies to allow the contractors limited access to the internal resources once the tunnel is established.</P><P></P><P>Cheers,</P><P></P><P>Kelly</P></BODY></HTML> Thu, 25 Nov 2010 04:07:59 GMT https://live.paloaltonetworks.com/t5/general-topics/multiple-ssl-vpn-tunnels-to-same-endpoint-possible/m-p/25865#M18871 kbrazil 2010-11-25T04:07:59Z https://live.paloaltonetworks.com/t5/general-topics/multiple-ssl-vpn-tunnels-to-same-endpoint-possible/m-p/25866#M18872 <HTML><HEAD></HEAD><BODY><P>hi Kelly.</P><P></P><P>The DMZ is a public routable IP address, so it should be dead easy.</P><P></P><P>I just wasn't sure what I'd need to let in from outside to the destination IP address - now I do.</P><P></P><P>Thanks for your help, and I can go away and set it up now.</P><P></P><P>Cheers!</P></BODY></HTML> Thu, 25 Nov 2010 05:41:36 GMT https://live.paloaltonetworks.com/t5/general-topics/multiple-ssl-vpn-tunnels-to-same-endpoint-possible/m-p/25866#M18872 dagibbs 2010-11-25T05:41:36Z https://live.paloaltonetworks.com/t5/general-topics/multiple-ssl-vpn-tunnels-to-same-endpoint-possible/m-p/25867#M18873 <HTML><HEAD></HEAD><BODY><P>Hey there,</P><P></P><P>I think my brain was out to lunch - no need for IKE with SSL VPN. <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></P><P></P><P>After some digging, here are the correct Apps and Ports to allow for SSL VPN:</P><P></P><UL><LI><STRONG>web-browsing</STRONG> app-id: this is because the PAN sees the decrypted SSL traffic when the user logs in via the web portal.&nbsp; This will be on <STRONG>TCP port 443</STRONG>.&nbsp; you may optionally wish to allow this on <STRONG>TCP port 80</STRONG> (in addition to port 443) to allow redirects to port 443 for the user's convenience when they attempt to log into the web portal.</LI></UL><P></P><UL><LI><STRONG>ssl</STRONG> app-id: this is if the user starts the VPN without using the web portal.&nbsp; Also, if SSL transport is being used for the VPN, the tunnel traffic will use this app-id.&nbsp; This will be on <STRONG>TCP port 443</STRONG></LI></UL><P></P><UL><LI><STRONG>ipsec-esp-udp</STRONG> app-id:&nbsp; this is the how the tunnel traffic will be identified if the IPSEC option is used and successfully negotiated during the session.&nbsp; This will be on <STRONG>UDP port 4501</STRONG></LI></UL><P></P><P>Cheers,</P><P></P><P>Kelly</P></BODY></HTML> Thu, 25 Nov 2010 20:02:11 GMT https://live.paloaltonetworks.com/t5/general-topics/multiple-ssl-vpn-tunnels-to-same-endpoint-possible/m-p/25867#M18873 kbrazil 2010-11-25T20:02:11Z