Deploying GlobalProtect with an Internal IP Behind an Edge Internet Device


Issue

GlobalProtect must be set up on a firewall whose untrust interface has an internal (private) IP address and sits behind an edge Internet device that performs NAT.


Resolution

Topology:

Internal Network > PAN (192.168.10.2/24) > (192.168.10.1/24) Internet Router (2.2.2.2/24) --- (2.2.2.1/24) ISP


Setup instructions:

  1. In the above setup, the Edge Internet Router (2.2.2.2) is performing NAT to the PAN's untrust interface (192.168.10.1). This could also be accomplished via DynDNS in some home/small office environments where the Internet Router is assigned a dynamic IP address from the ISP; the DynDNS name then always resolves to the latest dynamic public address received by the Internet router.

    For example, homexyz.dyndns.com resolves to 2.2.2.2, or to whatever dynamic public address the Internet router most recently received.

  2. In such an implementation, the GlobalProtect Portal and GlobalProtect Gateway would be set up on the PAN untrust interface with IP address 192.168.10.2, as shown in the screenshots below:
    [Screenshot: 4-28-16-gp1.png]
    [Screenshot: 4-28-16-gp2.png]

  3. However, the Client Configuration section under the Portal must list the public IP addresses/FQDNs of the edge device, as illustrated in the screenshot below. This list of gateways is pushed to the PC, which will try to tunnel to and connect to them. Listing the firewall's private untrust address here would leave external clients with an unreachable gateway.
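The point of step 3 is that the gateway list the portal pushes to clients must contain addresses reachable from the Internet, not the firewall's private untrust IP. The following added check (example code, not from Palo Alto Networks or this article) validates a gateway list against that rule; the config layout, the `external_gateways` key and the DNS table are assumptions constructed for the example.

```python
import ipaddress
import socket

# Constructed sample of a portal client configuration: the gateway list pushed
# to the GlobalProtect client. 192.168.10.2 is the firewall's untrust interface
# from the topology above; homexyz.dyndns.com is the edge router's DynDNS name.
# The dictionary layout and key name are assumptions, not PAN-OS field names.
SAMPLE_CLIENT_CONFIG = {
    "external_gateways": ["192.168.10.2", "homexyz.dyndns.com", "2.2.2.2"],
}

# Constructed DNS view so the example runs offline; pass dns=None to use real
# resolution via socket.gethostbyname for a live pre-deployment check.
FAKE_DNS = {"homexyz.dyndns.com": "2.2.2.2"}


def resolve(name, dns=None):
    """Return the IPv4 address for name from an injected table or real DNS."""
    if dns is not None:
        return dns.get(name)
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_gateway_entries(entries, dns=None):
    """Classify each gateway entry the portal will push to clients.

    An entry is only usable from the Internet if it is, or resolves to, a
    public address of the edge device; the firewall's own RFC 1918 untrust
    IP behind the NAT is unreachable from outside. Catches both a literal
    private IP and an FQDN that resolves to one (split-horizon DNS mistakes).
    """
    findings = {}
    for entry in entries:
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            resolved = resolve(entry, dns)
            if resolved is None:
                findings[entry] = "unresolvable"
                continue
            addr = ipaddress.ip_address(resolved)
        if addr.is_private or addr.is_loopback or addr.is_link_local:
            findings[entry] = "private: unreachable from the Internet"
        else:
            findings[entry] = "ok"
    return findings
```

Run `check_gateway_entries(SAMPLE_CLIENT_CONFIG["external_gateways"], dns=FAKE_DNS)` to see the private untrust address flagged while the DynDNS name and the edge router's public IP pass.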


owner: achitwadg

Comments

Hi,

I've configured as stated but the GP client stays on connecting.

In the logs, I see network discover is not successful. Is this related to the certificate?

Also, should the certificate be signed by a CA?

Thanks

Is there a NAT in place somewhere? My public IP for the portal gw doesn't respond.