topic Re: Global protect with loopback ip address and port number in General Topics

Global protect with loopback ip address and port number

Radmin_85 — Mon, 05 Nov 2018 19:13:46 GMT

Hello all

We have one public IP address and two groups of users who must connect to Head Office but get different policies

We decide to use loopback ip address and NAT it to the public one but with different port (for example loopback ip 1.1.1.1 and public ip is 85.10.10.1 and we NATed 85.10.10.1:446 to 1.1.1.1:443)

but when client try to connect to public IP with that port it says :This address was not found

is there any guide how to realize it correctly?

Re: Global protect with loopback ip address and port number

OtakarKlier — Mon, 05 Nov 2018 19:42:06 GMT

Hello,

Just another thought on this, what about using AD groups and a VPN zone? This way you can have your different levels of acess using the AD groups.

Just a thought.

Re: Global protect with loopback ip address and port number

BPry — Mon, 05 Nov 2018 21:39:02 GMT

@Radmin_85,

There are a number of guides on using a loopback address for a GP connection, one of which is a knowledge base article HERE, which further details an article more directly about using a different port for GP.

As @OtakarKlier mentioned though I'm really not sure you need a whole new portal for this short of an unmentioned requirement. You could do what was mentioned and use different AD groups and build policies that focus on those users, or you could simply use the user-id to give both set of users a different ip-pool and build the policies further seperated by different ip-pools.

Personally I would recommend assigning the two groups different IPs, and then still yet using user-id in the security policies to actually grant them access to things. This ensures that you have multiple layers of security for any important aspect of your environment.

Re: Global protect with loopback ip address and port number

Radmin_85 — Wed, 07 Nov 2018 07:05:15 GMT

Is there a guide how to configure it with groups?

Re: Global protect with loopback ip address and port number

Radmin_85 — Mon, 12 Nov 2018 08:15:47 GMT

we did it but it seems dont work correctly

Re: Global protect with loopback ip address and port number

aleksandar.astardzhiev — Mon, 12 Nov 2018 13:02:01 GMT

If your only purpose is to have different policy for the two user groups I would suggest you to use different approach insteead of playing with loopbacks, NATs, ports and etc.

How do you authenticate users: Is it LDAP, local, RADIUS?

The simple solution with local users would be:

1 Create users locally and add them in local user-groups
2 Create Auth profile and select type local, add the two user-groups to allow list
3 Configure global-protect portal as usual

4 configure global-protect gateway and under client setting configure two profiles, matching the loca user-groups. The tricky part here is that you need to use different pools for the two groups. But you can have the split-tunnel settings different for each group (ex. group A should access only to 10.0.0.0/24 while group B only to 172.16.0.0/24)
5 configure two security rules filtering on source user-group and put each group in separate rule.

You can choose to skip fourth step and configure one client setting profile for both groups, that way all users will receive same routes through the tunnel, but the policy will decide if the traffic should be indeed allowed or rejected.

AD authentiation over LDAP is pretty much similar, but you need additional steps to create group-mapping profile so the firewall can get the AD user group membership.

Re: Global protect with loopback ip address and port number

Radmin_85 — Mon, 12 Nov 2018 13:37:48 GMT

Hello

Alexander

Yes the authentication is via LDAP

Thanks we will try ones more

Re: Global protect with loopback ip address and port number

Radmin_85 — Wed, 14 Nov 2018 08:19:54 GMT

Ok we could resolve this solution

But one more point

When the worker connect to corporate network through GP at home with user-logon option it is ok

But when that worker returns to workplace with the same corporate notebook it still remains in GP network

Is it possible to force the PA or GP agent to recognize the internal network when one plugged in the ethernet cable in workplace and dont connect through GP agen with user-logon option?

Re: Global protect with loopback ip address and port number

BPry — Fri, 16 Nov 2018 19:59:50 GMT

@Radmin_85,

Unless they properly disconnect from within the agent, the agent will attempt to reconnect to the portal once the laptop is turned on again. There is an option called 'Automatic Restoration of VPN Connection Timeout' that by default is enabled and set to 30 minutes,however I've never gotten this option to work correctly when working on a mac OS machine. Try setting this option to '0' to disable the resilient VPN behavior and see if that helps things, it should.