topic Re: GlobalProtect when Palo behind ASA in General Topics

GlobalProtect when Palo behind ASA

Hayden-Searle — Tue, 12 Feb 2019 21:29:18 GMT

Hi All

I've been tasked with getting GP working and as I'm not as skilled as many of you, I thought I'd ask the brains trust if this is possible.

We have a PA-3020 which sits behind a Cisco ASA. The ASA is the edge firewall and is a yes/no gateway, the PA then filters the requests based on port and destination.

This config isnt changing in the short term, although I have from a reddit discussion started the ball rolling on replacing the ASA, so I am trying to understand how the config would work to let the traffic flow through the ASA to the PA to terminate the VPN.

I'm no expert on either technology, but opinions and thoughts would be greatly appreciated

Re: GlobalProtect when Palo behind ASA

BPry — Wed, 13 Feb 2019 02:38:22 GMT

@Hayden-Searle,

So to understand things a bit more is your NAT process taking place on the ASA or does your Palo Alto firewall have a Public IP and a No-NAT rule configured on the ASA?

Re: GlobalProtect when Palo behind ASA

Hayden-Searle — Wed, 13 Feb 2019 02:45:56 GMT

Apologies, I should have mentioned that. NAT is all taking place on the ASA at the moment.

Re: GlobalProtect when Palo behind ASA

BPry — Wed, 13 Feb 2019 02:49:37 GMT

@Hayden-Searle,

The the last remaining question really is if you have everything behind a sole public IP or if you have one that you could assign solely to the GlobalProtect configuration.

Re: GlobalProtect when Palo behind ASA

Hayden-Searle — Wed, 13 Feb 2019 03:07:42 GMT

I believe we have a separate one just for GlobalProtect, but if not and it would make this easier, then I will request the business gets one

Re: GlobalProtect when Palo behind ASA

BPry — Wed, 13 Feb 2019 04:17:08 GMT

@Hayden-Searle,

This should be relatively easy then. Assign the public IP to a new interface on your Palo Alto firewall and configure GlobalProtect as you would normally. Then on the ASA simply allow the traffic and make sure that a NO-NAT statement is applied for that public address to ensure that the ASA doesn't attempt to NAT the traffic.

Re: GlobalProtect when Palo behind ASA

Hayden-Searle — Wed, 13 Feb 2019 05:14:56 GMT

Thats what I was thinking but didnt think it would be that simple, or that it would necessarily work that way. I didnt want to put my thoughts out there as sometimes it can send the conversation in a different direction.

I'll get onto the ruleset for it tomorrow starting with the Palo Alto. Thank you for the input, I appreciate it

Re: GlobalProtect when Palo behind ASA

Hayden-Searle — Fri, 15 Feb 2019 00:54:37 GMT

Sorry one more thing I've just learnt that is throwing a spanner in the works. The Palo is in Vwire mode. i understand I must have a Layer 3 IP'd interface for GlobalProtect, I'm just wondering what can of worms I'm getting in to and whether it would be easier to replace the ASA with a new PaloAlto just for Edge traversal and GlobalProtect and leave the existing PaloAlto in vwire mode?

Re: GlobalProtect when Palo behind ASA

BPry — Fri, 15 Feb 2019 03:39:14 GMT

@Hayden-Searle,

Honestly, with this type of configuration, it would be far easier to simply replace the ASA with a Palo Alto and collapse the two devices so that the Palo Alto firewall effectively becomes your external device.

Re: GlobalProtect when Palo behind ASA

Hayden-Searle — Sun, 17 Feb 2019 23:39:14 GMT

Thanks for all your responses. I appreciate it. Let the learning curve begin 🙂