topic Re: VSYS with Shared Gateway and Existing Global Protect in General Topics

VSYS with Shared Gateway and Existing Global Protect

jeff6strings — Fri, 26 Jan 2018 15:13:36 GMT

We have a 3050 with one VSYS and is connected to an ISP with one IP address as we also use this VSYS for user VPN (Global Protect). All is working fine but we will be adding another VSYS to segregate another department’s Internet traffic. I would like both VSYS to share the same Internet and IP but I’m concerned if I read correctly about our existing Global Protect VPN configuration and the Shared Gateway being a problem.

I appreciate any help or insight.

Jeff

Re: VSYS with Shared Gateway and Existing Global Protect

jeff6strings — Tue, 30 Jan 2018 17:47:12 GMT

Bumping for any help.

Thank you.

Jeff

Re: VSYS with Shared Gateway and Existing Global Protect

BrianRa — Tue, 30 Jan 2018 18:05:43 GMT

Jeff,

You are correct that there can only be one VPN Profile/Gateway per IP (I believe it is just the gateway side).

I am not an expert at making VSYS interact with eachother properly but from what you are describing (and having a 3050) it may make more sense to put the GP on its own VSYS and setup multiple profiles within both the GP Profile & Gateway to force different departments to different traffic (we use Group Policy for allowing VPN access). The bottom line with GP is that you allow access to connect but it is the security rules that allow access to different components so using the same VPN but different AD groups with security rules and GP Profile/Gateway rules will allow you to limit both what IPs are displayed and what they are allowed to access.

Brian