topic Re: GlobalProtect with NATet interface in General Topics

GlobalProtect with NATet interface

tormodhope — Wed, 05 Feb 2014 19:36:47 GMT

I have a PA200, and is using eth1 for outside (internet) and eth2 for inside. I'm NATing from eth2 to eth1, as normal.

Now i want to have the management https address on the eth1 for several reasons.

At home its just for testing, but at my office i have PA200 between subnets that is duplicate, and not nessesary to route to.

When i use a management profile with access to ping and https on eth1, it wont't work.

I suspect the NAT rule has something to do with it. Cause when i set it up in my lab with no NAT, it works.

Any tips for me please?

Re: GlobalProtect with NATet interface

tormodhope — Wed, 05 Feb 2014 19:56:45 GMT

I got it working with a DNAT against the outside ip address. But is this needed?

Is there another way doing it? The IP is public and facing internet, i though a management profile would open anyway.

Re: GlobalProtect with NATet interface

JimS2 — Fri, 07 Feb 2014 19:53:05 GMT

This is working as expected. If you are NATing 443 from the outside to an inside server you loose access to the management page. You can set up a loopback and NAT another port to 443 on the loopback with an management profile that allows HTTPS.

Re: GlobalProtect with NATet interface

Phoenix — Fri, 07 Feb 2014 20:25:23 GMT

tormodhope

May be you are experiencing the land attack. When we access the external interface from outside the source will be external host public IP and destination will be your external interface IP. When the return traffic is sent out ( server to client s2c ) it exchanges the source and destination and gets stuck seeing the source and destination the same considers a land attack and drops.

If you do

"show counter global filter delta yes | match land"

If the counters are seen then that would prove it. We will have to change the nat slightly and it should start to work.

Details are mentioned in the below doc:

Unable to Connect to or Ping a Firewall Interface

Hope this helps !

Re: GlobalProtect with NATet interface

Retired Member — Fri, 07 Feb 2014 22:43:56 GMT

How to Access the WebUI when GlobalProtect Is Enabled

Your subject is about GP so just to remind you.

Re: GlobalProtect with NATet interface

tormodhope — Mon, 10 Feb 2014 08:33:56 GMT

I dont NAT anything from untrust to trust, i only have a overload nat from trust to untrust.

But it seams that it blocks everything, including ping, and https (thats why the GP wont connect).

Re: GlobalProtect with NATet interface

tormodhope — Mon, 10 Feb 2014 08:43:08 GMT

Thanks! I'll try that later today.

I got ping working if i add a roule thats like this:

0.0.0.0/0 is just there to mas my origin public ip. The other rule is gone, as this is a test box at work.

Re: GlobalProtect with NATet interface

Retired Member — Mon, 10 Feb 2014 09:08:57 GMT

This rule is not a need but your other NAT rules are important.you have any other NAT rule with source zone any ?

or just 1 NAT rule from trust to untrust ?

Re: GlobalProtect with NATet interface

tormodhope — Mon, 10 Feb 2014 09:16:17 GMT

Since im not home now, i cant confirm, but yes, i might have to rule setup with source any, and not pined down to my trust zones.

This is bad practice, i know. But is that the problem? I'll doublecheck when i get home.

The rule might be like this one, with source any.

Re: GlobalProtect with NATet interface

Retired Member — Mon, 10 Feb 2014 09:19:34 GMT

Yes it will be a problem as Phoenix said.

Try to change it with Trust and then test again.