GlobalProtect Gateway: can it share an IP used in NAT/Security Policies?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

GlobalProtect Gateway: can it share an IP used in NAT/Security Policies?

L4 Transporter

I have a working GlobalProtect setup right now using a single Portal on the district firewall, and a single Gateway on the firewall for the location I want to have access to.

 

Currently, these are using dedicated public IPs that are not used for anything else, assigned to the public interface of the two firewalls.

 

What I can't figure out from searching google, PA Discussions forum, and other resources is whether or not these need to be dedicated IPs used solely for the portal/gateway setup; or, if the IP can be shared with other services?

 

Eventually, I'd like to have a separate Gateway setup on each school firewall to allow admin staff to be able to access their files, servers, printers remotely. But, we don't have 50-odd public IPs that can be dedicated to this (each site only has 5 public IPs, used for all their public resources, with DNAT policies setup for forwarding specific ports through to various systems).

 

Can I just use one of the server IPs for the Gateway?  Or will that break things for the server and/or GlobalProtect?  Are there any Security Policy or NAT Policy changes needed to make that work?

1 ACCEPTED SOLUTION
9 REPLIES 9

Cyber Elite
Cyber Elite

Hi @fjwcash

 

Why don't you simply use the IP of the external interface for the Global Protect Gateway?

Uhm ... uh ... er ... huh.  Because that never occurred to me?  😉  I'll have to play with that, to make sure it doesn't interfere with management connections (we use that IP for the web management IP from within the district).

 

Was testing a config with it set to "share" the IP of a server with existing NAT/Security Policies, and it tries to pass the GP SSL traffic through the NAT rule instead of terminating it on the firewall.  😞

or maybe i misunderstood the post....   sorry..

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!