SSL VPN (with Global Protect) and reserved IP for one user

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

SSL VPN (with Global Protect) and reserved IP for one user

Not applicable

We use basic global protect functionality (no global protect licenses) to connect with SSL VPN. One of user (businnes owner) must have always the same IP address when he connect via SSL VPN. How can I resolve this? In global protect configuration isn't possible to reserve IP addresses for MAC address (like in DHCP server).

8 REPLIES 8

Not applicable

MAC addres reservations for DHCP work because the firewall gets teh DHCP request and can evaluate the MAC address. For such a feature to work for VPN users, the VPN client would have to sent it's MAC address as part of the authentication process. From the firewall's point of view, every VPN connection comes from the router's MAC address since they all come from outside.

I'm not aware of such a capability but perhaps someone else has a solution for this.

Hi,

One of my client has a similar requirement to reserve IP Address while connecting to Global protect SSL VPN.

Is it possible to achieve this?

Thanks.

L3 Networker

A form of this functionality can be obtained by configuring a user specific client configuration on your portal that points to a second external gateway.  The second gateway would be configured to only distribute one IP address.

This capability exists for the more common use case of defining specific user groups that might get different configurations and networks settings, so it doesn't really scale to doing this for dozens of individual IPs, but for a one-off it should work fine.

Hi drogers.

When I try to configure "Cliente Configuration" into Globalprotect Gateway with only one IP address, I obtain this message: "SSLVPN: Invalid IP pool value: X.X.X.X. Subnet is smaller than minimum allowed value 30." Is it not possible to configure only one IP in a pool? What is the reason for it?

Thank you very much.

Not applicable

I get the same problem for a customer of mine...

I get the same error when i try to allow a specific address in the IP Pool : "SSLVPN: Invalid IP pool value: X.X.X.X. Subnet is smaller than minimum allowed value 30."

Is there an issue or a patch for this problem ?

Thanks

Anyone ever get this working? Based on the responses I've got this still isn't possible and even having multiple gateways won't fix it.

L4 Transporter

Hi,

This is an expected error, the minimum subnet to create a gateway pool is /30. What you can try is to configure a pool in a different gateway just for that specific user. He will get the same IP address i.e. the 1st IP address from that pool every time he disconnects and connect back as there would be no other users who would be using that defined pool. This is just a workaround, what I would also suggest if you can do a feature request so that a user can be assigned a specific IP address based on HIP match, etc.

Thanks,

Khubaib Alavi

You can also operate NAT Source Translation on the pool. It was advised by a Palo Alto engineer to do it like that because it's not possible to allocate only one IP Address (what a simple PIX do 😞 )

  • 7012 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!