Configure GlobalProtect With Public IP Address

L2 Linker

Hello

1- I have an ADSL router with a public IP address, e.g. 41.137.11.123 (WAN interface) ==> this is a public/fixed IP address.

2- I have a Palo Alto firewall; it is connected by its WAN interface (192.168.1.2) to the local interface of the ADSL router (192.168.1.1).

3- I followed this course to configure GlobalProtect (https://live.paloaltonetworks.com/t5/Configuration-Articles/Basic-GlobalProtect-Configuration-with-U...). ==> this tutorial is for configuring the (Palo Alto WAN interface) as a GlobalProtect portal and gateway; it is working for me at this point.

Now what I need to know is where I can configure the 41.137.11.123 (WAN interface of the ADSL router) for the (GlobalProtect portal) and (GlobalProtect gateway).

Because my need is to get access to my (local network) from (my home), and to do this I must use my public IP address 41.137.11.123, so how can I configure it in GlobalProtect please??

Thanks very much for the help!!

L7 Applicator

Depending on your ADSL router you either need to set up NAT or port forwarding.

If it's a basic ADSL router then go for port forwarding 41.137.11.123 to 192.168.1.2 on port TCP 443.

On the Palo Alto your untrusted default gateway needs to be 192.168.1.1.

Your ADSL documentation will advise on how to configure this.

Your GlobalProtect tunnel will then run over SSL. If you want to use GP over IPsec or X-Auth then you will need to add further port forwarding as above for UDP 500 and UDP 4501. But SSL 443 will work OK.

Thank you very much for your reply brother!

OK, let's say the address of the portal is https://192.168.1.2/global-protect/getsoftwarepage.esp

If I configure the port forwarding 41.137.11.123 to 192.168.1.2 on port TCP 443:

1- Can I access the portal from the outside by https://41.137.11.123/global-protect/getsoftwarepage.esp ?

2- Also in the (GlobalProtect agent) on the client machine, all I need is to put the 41.137.11.123 in the GlobalProtect agent?

I asked this question because I have a delay of 2 hours before beginning to configure the ADSL router.

Thanks a lot brother

1- Can I access the portal from the outside by https://41.137.11.123/global-protect/getsoftwarepage.esp ?

2- Also in the (GlobalProtect agent) on the client machine, all I need is to put the 41.137.11.123 in the GlobalProtect agent?

Yes to both, but you will of course experience certificate warnings.

And on the PA portal configuration you will need to change the gateway to 41.137.11.123.

Hello brother MickBall.

I get this error message in the first picture; please see the second picture and tell me which certificate I must run on the GlobalProtect portal/gateway.

 

[Attachments: 1.jpg, 2.jpg]

First of all, you are getting a 404 error in the browser.

Did you try https://41.137.99.xx/global-protect/getsoftwarepage.esp ?

Get this working first to make sure port forwarding is working correctly.

Yes I did, but it also doesn't work. I think I must run the certificate created for 41.137.99.xx on the GlobalProtect portal/gateway??

Forget about the certificate for now.

Your port forwarding is not working correctly.

You will be able to connect to the web portal with a bad or no certificate if you accept the warning.

So....

Get the browser working first, then worry about the certificate later.
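To check the forwarding in the order these replies recommend (reachability first, certificate later), here is an added Python probe that is not from the thread or from Palo Alto Networks; it assumes the public IP and portal path quoted in the thread and that it is run from outside the LAN.

```python
import http.client
import ssl

# Values taken from the thread: the router's public IP and the portal path.
PORTAL_HOST = "41.137.11.123"
PORTAL_PATH = "/global-protect/getsoftwarepage.esp"


def probe_portal(host=PORTAL_HOST, path=PORTAL_PATH, port=443, timeout=5):
    """Fetch the portal page over HTTPS from the outside.

    Certificate verification is disabled here on purpose: the question at
    this step is whether the port forward delivers us to the firewall at
    all, which is what the reply asks to confirm before the certificate.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return {"status": resp.status, "error": None}
    except OSError as exc:  # refused, timeout, reset and ssl.SSLError
        return {"status": None, "error": type(exc).__name__}
    finally:
        conn.close()


def classify(result):
    """Translate a probe result into the next thing to fix, in the order the
    reply gives: port forwarding first, then the path, then the certificate."""
    err, status = result["error"], result["status"]
    if err in ("ConnectionRefusedError", "TimeoutError", "timeout"):
        return "port forwarding to 192.168.1.2 tcp/443 is not working"
    if err is not None and err.startswith("SSL"):
        return "tcp/443 is forwarded but the TLS handshake failed"
    if err is not None:
        return f"connection failed ({err})"
    if status == 404:
        return "a web server answered but not the GlobalProtect portal page"
    if status in (200, 302):
        return "portal reachable; now deal with the certificate warning"
    return f"unexpected HTTP status {status}"


if __name__ == "__main__":
    print(classify(probe_portal()))
```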

MickBall, yes you are right, it was a port forwarding problem, and also a certificate problem. I configured the port forwarding, and I ran the ADSL WAN interface certificate on the GlobalProtect portal & gateway (because it gave a certificate error).

Now I can connect to my local network from the outside, but I can't get access to the resources.

For example, I can't ping 172.16.17.2 or 10.66.13.251.

[Attachment: 3.jpg]

OK, this could be for several reasons.

Do you have a route on the PA to those networks you are trying to ping?

Do you have a security policy that allows traffic from the GP zone to the internal networks zone?

Do you have a route back from your pinged networks to your PA?

Maybe some more, but just start with the above.
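As an added illustration of the three checks in this reply (not code from the thread or from Palo Alto Networks), this Python script runs them against a constructed routing table and rulebase; the zone names, the GP client pool 192.168.100.0/24 and the return-route data are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed lab data standing in for the PA config in the thread. Assumed:
# GP clients get 192.168.100.0/24 on a tunnel interface in zone "gp-vpn".
ROUTES = [                      # PA virtual router: (prefix, egress zone)
    ("192.168.100.0/24", "gp-vpn"),
    ("172.16.17.0/24", "trust"),
    ("0.0.0.0/0", "untrust"),   # default route towards the ADSL router
]
POLICIES = [                    # security rulebase, evaluated top-down
    ("gp-to-trust", "gp-vpn", "trust", "allow"),
    ("deny-all", "any", "any", "deny"),
]
RETURN_ROUTES = {               # prefixes each internal LAN routes back to the PA
    "172.16.17.0/24": ["192.168.100.0/24"],
    "10.66.13.0/24": [],        # this LAN has no route to the GP clients
}

def zone_for(ip, routes):
    """Longest-prefix match of ip against routes; returns the egress zone."""
    best = None
    for prefix, zone in routes:
        net = ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, zone)
    return best[1] if best else None

def diagnose(src, dst, routes=ROUTES, policies=POLICIES, back=RETURN_ROUTES):
    """Apply the reply's three checks and return the failures found."""
    src, dst = ip_address(src), ip_address(dst)
    findings = []
    src_zone, dst_zone = zone_for(src, routes), zone_for(dst, routes)
    # 1. route on the PA: matching only the default route means the ping
    #    leaves towards the ADSL router instead of the internal network
    if dst_zone in (None, "untrust"):
        findings.append(f"no specific route on the PA to {dst}")
    # 2. security policy: first matching rule wins, implicit deny otherwise
    action = "deny"
    for _name, frm, to, act in policies:
        if frm in ("any", src_zone) and to in ("any", dst_zone):
            action = act
            break
    if action != "allow":
        findings.append(f"no security policy allowing {src_zone} -> {dst_zone}")
    # 3. route back: the destination LAN must send replies via the PA
    known = [ip_network(p) for net, ps in back.items()
             if dst in ip_network(net) for p in ps]
    if not any(src in p for p in known):
        findings.append(f"{dst}'s network has no route back to {src}")
    return findings
```

Run against the two hosts from the thread, the first check list comes back empty for 172.16.17.2 and lists all three problems for 10.66.13.251.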

 

Thank you very much brother, you are the best 😘

It's working now.

Anyway I'll test some other configs and labs; if I need some help I'll contact you bro.

Thanks a lot Mick
