Clientless VPN

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Clientless VPN

L3 Networker

Hi All,

 

can someone provide configuration example for Clientless VPN access through GP portal...
I was already used configuration steps explained on this page, but seem that it not helped in my case. I'm able to authenticate and open portal landing page with published app, but there is no response of it. I'm pretty sure that all steps of configuration is by the book, but I'm not sure about step 10 where have to create security rules... With my opinion it is a bit grayed and confused, how exactly policies has to be created.
If someone have this operational, it could be very appriciated to share configuration with us...

 

P.S. I used troubleshooting procedure provided here and after generated logs and pcap's, only strange I can find is:

 


Cannot de-NAT v4 packet, no port match

== 2017-08-15 10:49:11.393 +0200 ==
Packet received at ingress stage, tag 262143, type ORDERED
Packet info: len 91 port 16 interface 256 vsys 1
wqe index 229186 packet 0x0x800000041da465c2, HA: 0
Packet decoded dump:
L2: 00:1b:17:4c:8f:10->00:70:76:69:66:00, type 0x0800
IP: 89.x.x.x (portal public IP)->10.x.x.x(dns internal) , protocol 17
version 4, ihl 5, tos 0x00, len 73,
id 44114, frag_off 0x4000, ttl 64, checksum 63738(0xf8fa)
UDP: sport 54788, dport 53,

 

It looks like that portal ask internal dns (DNS proxy) for resolution of published url app, but has this "de-NAT port not match" issue. Seem that packet flow after establishing initial vpn connection to portal, enforce NAT policy stage....  

 

PANOS 8.0.4

 

5 REPLIES 5

L3 Networker

Have you tasted that on PAN-OS 8.0.5?

no, but I'll try this days and post results...

L2 Linker

I agree.  Step 10 is confusing.  I want to create a seperate zone for clientless VPN, but what interface do I assign it to?  Doesn't seem possible to use a tunnel interface.   Do I not assign the zone to an interface?

 

If I use the untrust/outside zone then the policy doesn't really make sense.  Do I allow access from the "internet" to my internal resources?  How about DNS proxy?  The documentation around this piece is poor at best.  

L3 Networker

did you guys get what you where looking for?

L3 Networker

@Tician did you get this working?

  • 5336 Views
  • 5 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!