I'm hoping that someone from PAN Support or Development can answer this question. I have been fighting with this for weeks now and have narrowed the problem down to the GP Portal service.
I have a PA-200 in my lab with two Layer3 interfaces defined. The Internal L3 interface has a Static IP for the local network, while the other L3 interface gets its IP Dynamically from the Comcast ISP. I configured my GlobalProtect Portal & External Gateway to use the L3 interface that is dynamically addressed. From the Public side, users can access the Portal and Gateway just fine. From the local network, users cannot access the Portal or Gateway, even though I have configured my Source-NAT to not NAT traffic sourced from the LAN destined for the Public IP address. Now, here's where it gets weird. I have other computers on my local network that have Public DNS names, so I've created U-Turn NATs to access these devices. Everything works great! I even took away the GP Portal & Gateway from the Public IP interface and tried NATting traffic for the Portal & Gateway to Loopback addresses. Same problem, even worse. Not even users from the Public side can connect to the Portal & Gateway while the Public IP is dynamically assigned. When I make the Public interface a Static IP address, everything, including the GP Portal & Gateway NATted to the loopback, works great.
There seems to be an issue with the GP Portal & Gateway service when trying to connect if the IPs are dynamically assigned on the interface they are bound to or being NATted from.
Can someone in PAN Support or Development please shed some light on this issue?
Just to clarify regarding your users from the local network: that is not to reach users on the public network but rather to set up a VPN (or whatever) towards the portal IP just like the public users?
If it's the latter, what about if your local users connect to the internal L3 IP instead?
You should be able to deal with this with the help of DNS.
If the user is external then your external authoritative DNS server will reply to "vpn.example.com" with the external IP. But when they are on the inside, your internal authoritative DNS servers (or, if you have the same hardware for both cases, use views in your DNS server) will reply to "vpn.example.com" with the internal IP.
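The split-horizon setup described in the reply above, as an added BIND 9 `named.conf` example that is not from the thread or from Palo Alto Networks. The hostname `vpn.example.com`, the LAN range `10.0.0.0/8`, the internal address `10.0.0.1`, the public address `192.0.2.10` and the zone file paths are all assumed placeholders; the record lines at the bottom are excerpts of the two zone files, not part of `named.conf`.

```conf
# Split-horizon DNS for the GlobalProtect portal hostname (assumed values).
# Views are matched in order, so the LAN view must be listed first.
acl "lan" { 10.0.0.0/8; 127.0.0.1; };

view "internal" {
    match-clients { lan; };
    recursion yes;
    zone "example.com" {
        type master;
        file "/etc/bind/zones/db.example.com.internal";
    };
};

view "external" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        file "/etc/bind/zones/db.example.com.external";
    };
};

# Excerpt of /etc/bind/zones/db.example.com.internal
# LAN clients get the static internal L3 interface, so no U-turn NAT is needed.
#   vpn   300   IN   A   10.0.0.1
#
# Excerpt of /etc/bind/zones/db.example.com.external
# Public clients get the ISP-facing address.
#   vpn   300   IN   A   192.0.2.10
```

Check it with `named-checkconf` and `named-checkzone example.com <zonefile>` before reloading. Because the poster's public address is dynamically assigned, the external record would need to be kept current (for example via a dynamic DNS update or a CNAME to a dynamic DNS name) and should carry a short TTL; the internal record points at the static LAN-side interface and never changes.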