GlobalProtect when Palo behind ASA

L1 Bithead

Hi All

 

I've been tasked with getting GP working and as I'm not as skilled as many of you, I thought I'd ask the brains trust if this is possible.

We have a PA-3020 which sits behind a Cisco ASA. The ASA is the edge firewall and is a yes/no gateway, the PA then filters the requests based on port and destination.

This config isn't changing in the short term, although following a reddit discussion I have started the ball rolling on replacing the ASA, so I am trying to understand how the config would work to let the traffic flow through the ASA to the PA to terminate the VPN.

 

I'm no expert on either technology, but opinions and thoughts would be greatly appreciated.



All Replies
Cyber Elite

@Hayden-Searle,

So, to understand things a bit more: is your NAT process taking place on the ASA, or does your Palo Alto firewall have a public IP and a No-NAT rule configured on the ASA?

L1 Bithead

Apologies, I should have mentioned that. NAT is all taking place on the ASA at the moment.

Cyber Elite

@Hayden-Searle,

Then the last remaining question really is whether you have everything behind a sole public IP, or whether you have one that you could assign solely to the GlobalProtect configuration.

L1 Bithead

I believe we have a separate one just for GlobalProtect, but if not, and it would make this easier, then I will request that the business gets one.

Cyber Elite

@Hayden-Searle,

This should be relatively easy then. Assign the public IP to a new interface on your Palo Alto firewall and configure GlobalProtect as you would normally. Then on the ASA simply allow the traffic and make sure that a NO-NAT statement is applied for that public address to ensure that the ASA doesn't attempt to NAT the traffic.

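As an added illustration of the ASA side of the advice above (constructed for this thread, not from the original post or from Palo Alto Networks), this is what the "allow the traffic plus NO-NAT" configuration looks like on an ASA running 8.3 or later. The object name, the ACL name, the interface names and the 203.0.113.10 address are placeholders; it assumes the ASA already routes that address toward the PA's new Layer 3 interface via its inside interface.

```cisco
! Constructed example: the public IP dedicated to GlobalProtect on the
! PA's new Layer 3 interface (203.0.113.10 is a placeholder address)
object network GP-PUBLIC
 host 203.0.113.10
 description Dedicated GlobalProtect address (placeholder)
!
! Identity (NO-NAT) twice-NAT rule: the address enters and leaves the ASA
! untranslated, so the PA terminates the VPN on the real public IP.
! Twice-NAT rules are evaluated before object NAT, so this takes precedence
! over any broad dynamic PAT rule for the inside subnets.
nat (inside,outside) source static GP-PUBLIC GP-PUBLIC no-proxy-arp route-lookup
!
! Permit only what GlobalProtect needs: TCP 443 for the portal/gateway
! (SSL) and UDP 4501 for the GlobalProtect IPsec tunnel. Anything else
! sent to that address still hits the implicit deny.
access-list OUTSIDE_IN extended permit tcp any object GP-PUBLIC eq 443
access-list OUTSIDE_IN extended permit udp any object GP-PUBLIC eq 4501
access-group OUTSIDE_IN in interface outside
```

If an inbound ACL is already applied to the outside interface, add the two permit lines to that ACL instead of creating a new one.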
L1 Bithead

That's what I was thinking but didn't think it would be that simple, or that it would necessarily work that way. I didn't want to put my thoughts out there as sometimes it can send the conversation in a different direction.

I'll get onto the ruleset for it tomorrow, starting with the Palo Alto. Thank you for the input, I appreciate it.

L1 Bithead

Sorry, one more thing I've just learnt that is throwing a spanner in the works. The Palo is in vwire mode. I understand I must have a Layer 3 IP'd interface for GlobalProtect, I'm just wondering what can of worms I'm getting into and whether it would be easier to replace the ASA with a new Palo Alto just for edge traversal and GlobalProtect and leave the existing Palo Alto in vwire mode?

Cyber Elite

@Hayden-Searle,

Honestly, with this type of configuration, it would be far easier to simply replace the ASA with a Palo Alto and collapse the two devices so that the Palo Alto firewall effectively becomes your external device.

L1 Bithead

Thanks for all your responses. I appreciate it. Let the learning curve begin :)
