I see there is now support for Cisco Systems VPN Adapter; however, I am trying to figure out what exactly is supported. Am I now able to connect to the firewall via Cisco IPSEC VPN from the Cisco VPN Client software, or is this support for something else?
I ask as we have engineers that connect to many sites and GlobalProtect is not geared this way.
I tried looking through the more recent Release Notes, and I was not able to find much on this.
Do you mind me asking where you saw that referenced? I have a partial answer, but want to wait for your answer.
In the portal, when I click Client Configuration I can add a third-party adapter, so I was not sure what that was in reference to.
If you have more info on it, that would be great. I am still trying to get my head around GlobalProtect.
We use Cisco VPN Client 5.0 to connect to PA's. The Portal must be configured with the Cisco VPN Adapter being allowed, and the Gateway needs to use tunnel mode with XAuth (Group Name/Secret). Have you attempted connection with these settings?
It is possible that Cisco IPSEC clients with the XAUTH feature could work, but it is not tested or supported at this time for Windows, Linux or Mac-OS.
The other thing that I heard/read was that the routes for the destination network may not show up, and as long as you are manually adding in the routes, then you might be OK.
Thanks for the info.
Any chance I can get some info on how this is done? Do you just create a portal with these settings, or do you have to do the full GlobalProtect config?
Although not officially supported, the Cisco VPN Client does work. It does not append the mask/gateway to your client, but you should still have no issues connecting to devices within your local network.
You must configure the Portal/Gateway under Network > GlobalProtect and use a tunnel interface placed inside the appropriate security zone. Remember to create/use your certificates appropriately and have them configured for use on the Gateway (certificate) and Portal (CA and certificate).
Create a profile using your local interface (external) and local IP that you wish to use for VPN connectivity. Choose the standard certificate that is signed by the CA used in your Client Configuration, and choose your authentication methods. Under Client Configuration, set up a profile using your external IP/mask for connectivity with Priority 1 and choose your Root CA.
Ensure that you have tunnel mode chosen and checked Enable IPSec, check Enable X-Auth Support (verify group name and group password), and check Skip Auth on IKE Rekey.
Choose your external Tunnel Gateway Interface and Address used for the VPN/Portal, and under Client configuration make sure you have your DNS, VPN IP-Pool, and Access Route configured.
Ensure that you have a rule above any blocking statements that allows ipsec, ike, ssl, web-browsing, and ciscovpn applications to your VPN Gateway IP.
Using Cisco VPN Client:
Set up the connection profile with the Gateway IP, group name, and group password. Connect and enter your credentials.
If you have any issues, enter the log responses here.
I also configured PA to work with the Cisco VPN Client and it works OK. The only problem is that the connection expires after one hour and the client must reconnect. I cannot find the setting to change this expiration time. Do you have any idea how to change this lifetime?
I have managed to configure the Cisco VPN client to work along-side our PA firewalls.
Much better client than Global Protect as it behaves like it should and works with corporate proxy settings as expected!
Thanks for the info.
Which PAN-OS version? This bug was fixed in 4.0.8.
33542 – SSL VPN user to IP mappings are being lost after about an hour in an HA configuration when the mappings do not contain information. Issue due to idle timeout and maximum ttl not matching the expiration ttl of the SSL VPN connections.