02-12-2019 01:29 PM
Hi All
I've been tasked with getting GP working and as I'm not as skilled as many of you, I thought I'd ask the brains trust if this is possible.
We have a PA-3020 which sits behind a Cisco ASA. The ASA is the edge firewall and is a yes/no gateway, the PA then filters the requests based on port and destination.
This config isn't changing in the short term, although I have, from a Reddit discussion, started the ball rolling on replacing the ASA, so I am trying to understand how the config would work to let the traffic flow through the ASA to the PA to terminate the VPN.
I'm no expert on either technology, but opinions and thoughts would be greatly appreciated
02-12-2019 06:38 PM
So, to understand things a bit more: is your NAT process taking place on the ASA, or does your Palo Alto firewall have a public IP and a no-NAT rule configured on the ASA?
02-12-2019 06:45 PM
Apologies, I should have mentioned that. NAT is all taking place on the ASA at the moment.
02-12-2019 06:49 PM
Then the last remaining question really is whether you have everything behind a sole public IP, or whether you have one that you could assign solely to the GlobalProtect configuration.
02-12-2019 07:07 PM
I believe we have a separate one just for GlobalProtect, but if not and it would make this easier, then I will request the business gets one
02-12-2019 08:17 PM
This should be relatively easy then. Assign the public IP to a new interface on your Palo Alto firewall and configure GlobalProtect as you would normally. Then on the ASA simply allow the traffic and make sure that a NO-NAT statement is applied for that public address to ensure that the ASA doesn't attempt to NAT the traffic.
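The ASA-side half of the design described in the reply above, written out as an added example (it is not configuration from the thread or from either vendor). Every name and address is an assumption: the GlobalProtect public IP is 203.0.113.10 and is routed to the ASA by the upstream provider, the Palo Alto's new Layer 3 interface sits on a transit link behind the ASA's `inside` interface with 10.0.0.2 as the PA's transit address, and the inbound ACL is called OUTSIDE_IN. Adjust to fit the real topology; in particular this assumes the Palo Alto has a Layer 3 interface to hold the address, not a vwire pair.

```cisco
! Added example, not from the thread: ASA pass-through for a GlobalProtect
! portal/gateway that terminates on a Layer 3 interface of the Palo Alto
! sitting behind the ASA. All names and addresses below are assumptions.

! The Palo Alto interface carries the public address itself, so the ASA
! only has to route it inward and leave it untranslated.
object network GP-PUBLIC
 host 203.0.113.10
 description GlobalProtect address on the Palo Alto L3 interface (assumed)

! Host route to the public address via the PA's side of the transit link
! (10.0.0.2 is assumed). Without this the ASA has no inside path to it.
route inside 203.0.113.10 255.255.255.255 10.0.0.2 1

! Identity (no-NAT) rule. Manual/twice NAT is evaluated before the object
! NAT that typically hides inside hosts behind the outside address, so this
! keeps the GlobalProtect address untranslated in both directions.
nat (inside,outside) source static GP-PUBLIC GP-PUBLIC

! Permit the GlobalProtect services inbound. TCP 443 carries the portal,
! the gateway and the SSL tunnel fallback; UDP 4501 carries the IPsec tunnel.
access-list OUTSIDE_IN extended permit tcp any object GP-PUBLIC eq 443
access-list OUTSIDE_IN extended permit udp any object GP-PUBLIC eq 4501
access-group OUTSIDE_IN in interface outside
```

Two checks worth doing once it is in place: `packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.10 443` on the ASA should show the identity NAT rule being hit and no translation applied, and `show nat` should list the GP-PUBLIC rule above any dynamic rule covering the inside network. If the ISP hands the block to the ASA as part of the outside subnet rather than routing it, the ASA must answer ARP for 203.0.113.10 on `outside`; a static NAT entry like the one above does that by default.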
02-12-2019 09:14 PM
That's what I was thinking but didn't think it would be that simple, or that it would necessarily work that way. I didn't want to put my thoughts out there as sometimes it can send the conversation in a different direction.
I'll get onto the ruleset for it tomorrow starting with the Palo Alto. Thank you for the input, I appreciate it
02-14-2019 04:54 PM
Sorry, one more thing I've just learnt that is throwing a spanner in the works. The Palo is in vwire mode. I understand I must have a Layer 3 IP'd interface for GlobalProtect; I'm just wondering what can of worms I'm getting into and whether it would be easier to replace the ASA with a new Palo Alto just for edge traversal and GlobalProtect and leave the existing Palo Alto in vwire mode?
02-14-2019 07:39 PM
Honestly, with this type of configuration, it would be far easier to simply replace the ASA with a Palo Alto and collapse the two devices so that the Palo Alto firewall effectively becomes your external device.
02-17-2019 03:39 PM
Thanks for all your responses. I appreciate it. Let the learning curve begin 🙂