This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

GlobalProtect with NATet interface

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

GlobalProtect with NATet interface

Go to solution
tormodhope
L1 Bithead

‎02-05-2014 11:36 AM

I have a PA200, and is using eth1 for outside (internet) and eth2 for inside. I'm NATing from eth2 to eth1, as normal.

Now i want to have the management https address on the eth1 for several reasons.

At home its just for testing, but at my office i have PA200 between subnets that is duplicate, and not nessesary to route to.

When i use a management profile with access to ping and https on eth1, it wont't work.

I suspect the NAT rule has something to do with it. Cause when i set it up in my lab with no NAT, it works.

Any tips for me please?

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
Phoenix
L4 Transporter

‎02-07-2014 12:25 PM

tormodhope

May be you are experiencing the land attack. When we access the external interface from outside the source will be external host public IP and destination will be your external interface IP. When the return traffic is sent out ( server to client s2c ) it exchanges the source and destination and gets stuck seeing the source and destination the same considers a land attack and drops.

If you do

"show counter global filter delta yes | match land"

If the counters are seen then that would prove it. We will have to change the nat slightly and it should start to work.

Details are mentioned in the below doc:

Unable to Connect to or Ping a Firewall Interface

Hope this helps !

View solution in original post

0 Likes Likes
9 REPLIES 9

Go to solution
tormodhope
L1 Bithead

‎02-05-2014 11:56 AM

I got it working with a DNAT against the outside ip address. But is this needed?

Is there another way doing it? The IP is public and facing internet, i though a management profile would open anyway.

0 Likes Likes

Go to solution
JimS2
L3 Networker
In response to tormodhope

‎02-07-2014 11:53 AM

This is working as expected.  If you are NATing 443 from the outside to an inside server you loose access to the management page.  You can set up a loopback and NAT another port to 443 on the loopback with an management profile that allows HTTPS.

0 Likes Likes

Go to solution
Phoenix
L4 Transporter

‎02-07-2014 12:25 PM

tormodhope

May be you are experiencing the land attack. When we access the external interface from outside the source will be external host public IP and destination will be your external interface IP. When the return traffic is sent out ( server to client s2c ) it exchanges the source and destination and gets stuck seeing the source and destination the same considers a land attack and drops.

If you do

"show counter global filter delta yes | match land"

If the counters are seen then that would prove it. We will have to change the nat slightly and it should start to work.

Details are mentioned in the below doc:

Unable to Connect to or Ping a Firewall Interface

Hope this helps !

0 Likes Likes

Go to solution
panos
L6 Presenter

‎02-07-2014 02:43 PM

How to Access the WebUI when GlobalProtect Is Enabled

Your subject is about GP so just to remind you.

0 Likes Likes

Go to solution
tormodhope
L1 Bithead
In response to JimS2

‎02-10-2014 12:33 AM

I dont NAT anything from untrust to trust, i only have a overload nat from trust to untrust.

But it seams that it blocks everything, including ping, and https (thats why the GP wont connect).

0 Likes Likes

Go to solution
tormodhope
L1 Bithead
In response to panos

‎02-10-2014 12:43 AM

Thanks! I'll try that later today.

I got ping working if i add a roule thats like this:

Screen Shot 02-10-14 at 09.40 AM.PNG.png

0.0.0.0/0 is just there to mas my origin public ip. The other rule is gone, as this is a test box at work.

0 Likes Likes

Go to solution
panos
L6 Presenter
In response to tormodhope

‎02-10-2014 01:08 AM

This rule is not a need but your other NAT rules are important.you have any other NAT rule with source zone any ?

or just 1 NAT rule from trust to untrust ?

Go to solution
tormodhope
L1 Bithead
In response to panos

‎02-10-2014 01:16 AM

Since im not home now, i cant confirm, but yes, i might have to rule setup with source any, and not pined down to my trust zones.

This is bad practice, i know. But is that the problem? I'll doublecheck when i get home.

The rule might be like this one, with source any.

Screen Shot 02-10-14 at 10.12 AM.PNG.png

0 Likes Likes

Go to solution
panos
L6 Presenter
In response to tormodhope

‎02-10-2014 01:19 AM

Yes it will be a problem as Phoenix said.

Try to change it with Trust and then test again.

  • 1 accepted solution
  • 4578 Views
  • 9 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks