topic Re: How to setup multiple SSL-VPN tunnels in General Topics

How to setup multiple SSL-VPN tunnels

simonbrazil — Mon, 29 Aug 2011 22:25:49 GMT

I'm hoping I'm missing something obvious here...is there a good way to support SSL-VPN access for different types of users who require different access and use different authentication schemes?

I am trying to setup multiple SSL-VPN tunnel configurations for different types of users. Initially, I was hoping to use a single SSL-VPN configuration and simply differentiate by user. However, it doesn't appear that PAN is setup in this fashion. My goal is to support different users have different authentication schemes and require different access (Employees versus Contractors).

So, I set out to create a second SSL-VPN tunnel configuration. Unfortunately, I have hit a problem I don't know how to overcome:

* First, I had to create a separate SSL-VPN tunnel to support different authentication profiles (Radius AND LocalDB) as well as to control access differently for each group.

* Second, I had to create the new User Profiles

* Third, to create a new SSL-VPN tunnel, I have to create a new tunnel interface and associate it with my zone of choice

* Fourth (and this is the issue), I had to create a new IP address on my external interface. This is because I can't use the same IP address on the same external interface as is already used in the first SSL-VPN. (This is the selection on the "Choice" option of the "Gateway Address" configuration section in the Add/Edit SSL VPN dialog window).

However, this fourth step is not possible (at least in my environment). I can't add a secondary address to the external interface in the same network as the first address (192.168.1.1/24 and 192.168.1.2/24 for example). And, since I don't have another network of addresses to use on the external interface, I am stuck.

Any ideas?

Thanks!

Re: How to setup multiple SSL-VPN tunnels

bpappas — Mon, 29 Aug 2011 23:19:42 GMT

@simonbrazil:

1. PAN-OS 4.0 supports the use of multiple authentication types on one SSL-VPN

2. addressed by using allowed user lists in an authentication profile

3. unnecessary if you are taking advantage of #1

4. also obviated by #1 and the ability to specify a set of authentication types to try on a single SSL VPN setup.

-Benjamin

Re: How to setup multiple SSL-VPN tunnels

simonbrazil — Tue, 30 Aug 2011 20:47:14 GMT

Thanks! Took a few minutes to figure out how to do it, so for anyone else interested:

Create an Authentication Sequence with the selected user profiles. The Authentication Sequence object is then selectable on the SSL-VPN configuraiton. This will attempt to authenticate the user against each profile in the selected order.

However, I am still falling short of my goal. I have now successfully permitted both user groups, using different authentication mechanisms, to access the same networks through the SSL-VPN. But, I want to control their access uniquely. Since they belong to the same SSL-VPN, get dropped into the same zone, etc, I don't see a way to limit their access.

I have not yet tried defining users in the security policy rules because one of the goups is for a large group of RADIUS users where I have not previously had to define each user manually in the system and I am hoping to avoid that. Without defining them, it does not appear possible to select a UserProfile in the user column of the security policy. And, I don't even know if it would work. Does the username used to authenticate to the SSL-VPN get passed to the security policy for access verification based on user filtering in the policy?

Thanks again for the quick answer...any tips on further controlling access to the different groups of users?

Re: How to setup multiple SSL-VPN tunnels

pkruse — Wed, 31 Aug 2011 18:07:37 GMT

Please look at the attached file and tell me, is this the setup your describing?

If yes there is not a good reason for dropped packets originating from or destine for the broadcast domain local to your inside interface. Configuration would be the logical area to review and viewing the system logs may reveal any proxy id issues. If you are unable to resolve this problem in a timely manner on your own I would direct you to open a case with support so that can help you resolve your problem quickly and efficiently.

Thank you,

Phil

~Phil

Re: How to setup multiple SSL-VPN tunnels

simonbrazil — Wed, 31 Aug 2011 18:41:03 GMT

Phil,

I don't think this response was meant for this thread.

Thanks

Re: How to setup multiple SSL-VPN tunnels

Retired Member — Wed, 31 Aug 2011 20:08:04 GMT

For #4, have you tried setting up a loopback interface? For example, if your ethernet1/1 interface has IP address 192.168.1.1/24, create an interface called loopback.2 with IP address 192.168.1.2/24 and configure the second SSL VPN to use interface loopback.2.