topic Re: SSL VPN (with Global Protect) and reserved IP for one user in General Topics

SSL VPN (with Global Protect) and reserved IP for one user

darkfibre — Thu, 17 May 2012 12:55:42 GMT

We use basic global protect functionality (no global protect licenses) to connect with SSL VPN. One of user (businnes owner) must have always the same IP address when he connect via SSL VPN. How can I resolve this? In global protect configuration isn't possible to reserve IP addresses for MAC address (like in DHCP server).

Re: SSL VPN (with Global Protect) and reserved IP for one user

npare — Thu, 17 May 2012 16:37:22 GMT

MAC addres reservations for DHCP work because the firewall gets teh DHCP request and can evaluate the MAC address. For such a feature to work for VPN users, the VPN client would have to sent it's MAC address as part of the authentication process. From the firewall's point of view, every VPN connection comes from the router's MAC address since they all come from outside.

I'm not aware of such a capability but perhaps someone else has a solution for this.

Re: SSL VPN (with Global Protect) and reserved IP for one user

support.sec — Wed, 27 Jun 2012 10:27:26 GMT

Hi,

One of my client has a similar requirement to reserve IP Address while connecting to Global protect SSL VPN.

Is it possible to achieve this?

Thanks.

Re: SSL VPN (with Global Protect) and reserved IP for one user

drogers — Thu, 28 Jun 2012 16:37:11 GMT

A form of this functionality can be obtained by configuring a user specific client configuration on your portal that points to a second external gateway. The second gateway would be configured to only distribute one IP address.

This capability exists for the more common use case of defining specific user groups that might get different configurations and networks settings, so it doesn't really scale to doing this for dozens of individual IPs, but for a one-off it should work fine.

Re: SSL VPN (with Global Protect) and reserved IP for one user

jmrodriguez — Tue, 10 Jul 2012 13:30:19 GMT

Hi drogers.

When I try to configure "Cliente Configuration" into Globalprotect Gateway with only one IP address, I obtain this message: "SSLVPN: Invalid IP pool value: X.X.X.X. Subnet is smaller than minimum allowed value 30." Is it not possible to configure only one IP in a pool? What is the reason for it?

Thank you very much.

Re: SSL VPN (with Global Protect) and reserved IP for one user

jonathan_delannoye — Tue, 21 Aug 2012 08:55:55 GMT

I get the same problem for a customer of mine...

I get the same error when i try to allow a specific address in the IP Pool : "SSLVPN: Invalid IP pool value: X.X.X.X. Subnet is smaller than minimum allowed value 30."

Is there an issue or a patch for this problem ?

Thanks

Re: SSL VPN (with Global Protect) and reserved IP for one user

jmahoney — Thu, 04 Oct 2012 18:02:29 GMT

Anyone ever get this working? Based on the responses I've got this still isn't possible and even having multiple gateways won't fix it.

Re: SSL VPN (with Global Protect) and reserved IP for one user

kalavi — Fri, 05 Oct 2012 04:20:56 GMT

Hi,

This is an expected error, the minimum subnet to create a gateway pool is /30. What you can try is to configure a pool in a different gateway just for that specific user. He will get the same IP address i.e. the 1st IP address from that pool every time he disconnects and connect back as there would be no other users who would be using that defined pool. This is just a workaround, what I would also suggest if you can do a feature request so that a user can be assigned a specific IP address based on HIP match, etc.

Thanks,

Khubaib Alavi

Re: SSL VPN (with Global Protect) and reserved IP for one user

jonathan_delannoye — Fri, 05 Oct 2012 07:27:21 GMT

You can also operate NAT Source Translation on the pool. It was advised by a Palo Alto engineer to do it like that because it's not possible to allocate only one IP Address (what a simple PIX do 😞 )