GlobalProtect when Palo behind ASA


L1 Bithead

Hi All

I've been tasked with getting GP working and as I'm not as skilled as many of you, I thought I'd ask the brains trust if this is possible.

We have a PA-3020 which sits behind a Cisco ASA. The ASA is the edge firewall and is a yes/no gateway; the PA then filters the requests based on port and destination.

This config isn't changing in the short term, although, following a Reddit discussion, I have started the ball rolling on replacing the ASA, so I am trying to understand how the config would work to let the traffic flow through the ASA to the PA to terminate the VPN.

I'm no expert on either technology, but opinions and thoughts would be greatly appreciated.

Cyber Elite

@Hayden-Searle,

So, to understand things a bit more: is your NAT process taking place on the ASA, or does your Palo Alto firewall have a public IP and a No-NAT rule configured on the ASA?

Apologies, I should have mentioned that. NAT is all taking place on the ASA at the moment. 

@Hayden-Searle,

The last remaining question really is if you have everything behind a sole public IP or if you have one that you could assign solely to the GlobalProtect configuration.

I believe we have a separate one just for GlobalProtect, but if not, and it would make this easier, then I will request the business gets one.

@Hayden-Searle,

This should be relatively easy then. Assign the public IP to a new interface on your Palo Alto firewall and configure GlobalProtect as you would normally. Then on the ASA simply allow the traffic and make sure that a NO-NAT statement is applied for that public address to ensure that the ASA doesn't attempt to NAT the traffic. 
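As an added illustration of the ASA side of that advice (not configuration from the thread or from Palo Alto Networks), the fragment below shows an identity (no-NAT) rule and an inbound ACL limited to the GlobalProtect portal/gateway ports. The public address 203.0.113.10, the object and ACL names, and the assumption that the ASA already routes that address to the PA-3020's new Layer 3 interface are all placeholders.

```cisco
! Added example for ASA 9.x syntax; addresses and names are placeholders.
! Assumes 203.0.113.10 is the public IP assigned to a Layer 3 interface on the
! PA-3020 and that the ASA has a route to it via its inside interface.
object network GP_PUBLIC
 host 203.0.113.10

! GlobalProtect portal/gateway: TCP 443 for SSL, UDP 4501 for the IPsec tunnel.
object-group service GP_PORTS
 service-object tcp destination eq 443
 service-object udp destination eq 4501

! Twice-NAT identity rule (section 1) so the ASA never translates this address
! in either direction; it takes precedence over any object NAT on the ASA.
nat (inside,outside) source static GP_PUBLIC GP_PUBLIC

! Permit only the GlobalProtect ports inbound to the dedicated public address.
access-list OUTSIDE_IN extended permit object-group GP_PORTS any object GP_PUBLIC
access-group OUTSIDE_IN in interface outside
```

Verify the exemption with `show nat detail` and `packet-tracer input outside tcp 198.51.100.1 40000 203.0.113.10 443`, checking that the NAT phase reports an identity translation and the ACL phase an ALLOW.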

That's what I was thinking but didn't think it would be that simple, or that it would necessarily work that way. I didn't want to put my thoughts out there as sometimes it can send the conversation in a different direction.

I'll get onto the ruleset for it tomorrow, starting with the Palo Alto. Thank you for the input, I appreciate it.

Sorry, one more thing I've just learnt that is throwing a spanner in the works. The Palo is in vwire mode. I understand I must have a Layer 3 IP'd interface for GlobalProtect, I'm just wondering what can of worms I'm getting into and whether it would be easier to replace the ASA with a new Palo Alto just for edge traversal and GlobalProtect and leave the existing Palo Alto in vwire mode?

@Hayden-Searle,

Honestly, with this type of configuration, it would be far easier to simply replace the ASA with a Palo Alto and collapse the two devices so that the Palo Alto firewall effectively becomes your external device. 

Thanks for all your responses. I appreciate it. Let the learning curve begin 🙂
