11-01-2017 03:23 PM
Hello
1- I have an ADSL router with the public IP address, e.g. 41.137.11.123 (WAN interface) ==> this is a public/fixed IP address.
2- I have a Palo Alto firewall, which is connected by its WAN interface (192.168.1.2) to the local interface of the ADSL router (192.168.1.1).
3- I followed this guide to configure GlobalProtect (https://live.paloaltonetworks.com/t5/Configuration-Articles/Basic-GlobalProtect-Configuration-with-U...). ==> This tutorial is for configuring the (Palo Alto WAN interface) as a GlobalProtect portal and gateway; it is working for me at this point.
Now what I need to know is where I can configure 41.137.11.123 (WAN interface of the ADSL router) for the (GlobalProtect portal) and (GlobalProtect gateway).
Because my need is to get access to my (local network) from (my home), and to do this I must use my public IP address 41.137.11.123, so how can I configure it in GlobalProtect, please?
Thanks very much for the help!!
11-02-2017 12:19 AM
Depending on your ADSL router you either need to set up NAT or port forwarding.
If it's a basic ADSL router then go for port forwarding 41.137.11.123 to 192.168.1.2 on port TCP 443.
On the Palo Alto your untrusted default gateway needs to be 192.168.1.1.
Your ADSL documentation will advise on how to configure this.
Your GlobalProtect tunnel will then run over SSL. If you want to use GP over IPsec or X-Auth then you will need to add further port forwarding as above for UDP 500 and UDP 4501. But SSL 443 will work OK.
11-02-2017 03:29 AM - edited 11-02-2017 03:30 AM
Thank you very much for your reply, brother!
OK, let's say the address of the portal is https://192.168.1.2/global-protect/getsoftwarepage.esp
If I configure the port forwarding 41.137.11.123 to 192.168.1.2 on port TCP 443:
1- Can I access the portal from outside at https://41.137.11.123/global-protect/getsoftwarepage.esp ?
2- Also, in the (GlobalProtect agent) on the client machine, is all I need to do to put 41.137.11.123 in the GlobalProtect agent?
I ask this question because I have a delay of 2 hours before I begin configuring the ADSL router.
Thanks a lot, brother.
11-02-2017 03:33 AM
1- Can I access the portal from outside at https://41.137.11.123/global-protect/getsoftwarepage.esp ?
2- Also, in the (GlobalProtect agent) on the client machine, is all I need to do to put 41.137.11.123 in the GlobalProtect agent?
Yes to both but you will of course experience certificate warnings.
11-02-2017 03:34 AM
And on the PA portal configuration you will need to change the gateway to 41.137.11.123.
11-03-2017 03:13 AM - edited 11-03-2017 03:19 AM
Hello brother MickBall.
I get the error message in the first picture. Please see the second picture and tell me which certificate I must run on the GlobalProtect portal/gateway.
11-03-2017 03:27 AM
First of all, you are getting a 404 error in the browser.
Did you try https://41.137.99.xx/global-protect/getsoftwarepage.esp ?
Get this working first to make sure port forwarding is working correctly.
11-03-2017 03:55 AM
Yes I did, but it also doesn't work. I think I must run the certificate created for 41.137.99.xx on the GlobalProtect portal/gateway??
11-03-2017 04:00 AM
Forget about the certificate for now.
Your port forwarding is not working correctly.
You will be able to connect to the web portal with a bad or no certificate if you accept the warning.
So....
Get the browser working first, then worry about the certificate later.
11-03-2017 04:42 AM
MickBall, yes you are right, it was a port forwarding problem, and also a certificate problem. I configured the port forwarding, and I ran the ADSL WAN interface certificate on the GlobalProtect portal & gateway (because it gave a certificate error).
Now I can connect to my local network from outside, but I can't get access to the resources.
For example, I can't ping 172.16.17.2 or 10.66.13.251.
11-03-2017 05:02 AM
OK, this could be for several reasons.
Do you have a route on the PA to those networks you are trying to ping?
Do you have a security policy that allows traffic from the GP zone to the internal networks zone?
Do you have a route back from your pinged networks to your PA?
Maybe some more, but just start with the above.
11-03-2017 08:26 AM
Thank you very much, brother, you are the best 😘
It's working now.
Anyway, I'll test some other configs and labs; if I need some help I'll contact you, bro.
Thanks a lot, Mick.