Global protect with loopback ip address and port number

Reply
Highlighted
L4 Transporter

Global protect with loopback ip address and port number

Hello all

We have one public IP address and two groups of users who must connect to Head Office but get different policies

We decide to use loopback ip address and NAT it to the public one but with different port (for example loopback ip 1.1.1.1 and public ip is 85.10.10.1 and we NATed 85.10.10.1:446 to 1.1.1.1:443)

but when client try to connect to public IP with that port it says :This address was not found

is there any guide how to realize it correctly?

 

Highlighted
L7 Applicator

Re: Global protect with loopback ip address and port number

Hello,

Just another thought on this, what about using AD groups and a VPN zone? This way you can have your different levels of acess using the AD groups.

 

Just a thought.

Highlighted
L7 Applicator

Re: Global protect with loopback ip address and port number

@Radmin_85,

There are a number of guides on using a loopback address for a GP connection, one of which is a knowledge base article HERE, which further details an article more directly about using a different port for GP. 

As @OtakarKlier mentioned though I'm really not sure you need a whole new portal for this short of an unmentioned requirement. You could do what was mentioned and use different AD groups and build policies that focus on those users, or you could simply use the user-id to give both set of users a different ip-pool and build the policies further seperated by different ip-pools. 

Personally I would recommend assigning the two groups different IPs, and then still yet using user-id in the security policies to actually grant them access to things. This ensures that you have multiple layers of security for any important aspect of your environment. 

Highlighted
L4 Transporter

Re: Global protect with loopback ip address and port number

Is there a guide how to configure it with groups?
Highlighted
L4 Transporter

Re: Global protect with loopback ip address and port number

we did it but it seems dont work correctly

Tags (1)
Highlighted
L4 Transporter

Re: Global protect with loopback ip address and port number

If your only purpose is to have different policy for the two user groups I would suggest you to use different approach insteead of playing with loopbacks, NATs, ports and etc.

 

How do you authenticate users: Is it LDAP, local, RADIUS?

 

The simple solution with local users would be:

1 Create users locally and add them in local user-groups
2 Create Auth profile and select type local, add the two user-groups to allow list
3 Configure global-protect portal as usual

4 configure global-protect gateway and under client setting configure two profiles, matching the loca user-groups. The tricky part here is that you need to use different pools for the two groups. But you can have the split-tunnel settings different for each group (ex. group A should access only to 10.0.0.0/24 while group B only to 172.16.0.0/24)
5 configure two security rules filtering on source user-group and put each group in separate rule.

 

You can choose to skip fourth step and configure one client setting profile for both groups, that way all users will receive same routes through the tunnel, but the policy will decide if the traffic should be indeed allowed or rejected.

 

AD authentiation over LDAP is pretty much similar, but you need additional steps to create group-mapping profile so the firewall can get the AD user group membership.

 

Highlighted
L4 Transporter

Re: Global protect with loopback ip address and port number

Hello

Alexander

 

Yes the authentication is via LDAP

Thanks we will try ones more

Highlighted
L4 Transporter

Re: Global protect with loopback ip address and port number

Ok we could resolve this solution

But one more point

When the worker connect to corporate network through GP at home with user-logon  option it is ok

But when that worker returns to workplace with the same corporate notebook it still remains in GP network

Is it possible to force the PA or GP agent to recognize the internal network when one plugged in the ethernet cable in workplace and dont connect through GP agen with user-logon option?

Highlighted
L7 Applicator

Re: Global protect with loopback ip address and port number

@Radmin_85,

Unless they properly disconnect from within the agent, the agent will attempt to reconnect to the portal once the laptop is turned on again. There is an option called 'Automatic Restoration of VPN Connection Timeout' that by default is enabled and set to 30 minutes,however I've never gotten this option to work correctly when working on a mac OS machine. Try setting this option to '0' to disable the resilient VPN behavior and see if that helps things, it should. 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!