This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Cookie Policy. Click Preferences to customize your cookie settings.
GlobalProtect with NATet interface
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- Discussions
- General Topics
- GlobalProtect with NATet interface
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
02-05-2014 11:36 AM
I have a PA200, and is using eth1 for outside (internet) and eth2 for inside. I'm NATing from eth2 to eth1, as normal.
Now i want to have the management https address on the eth1 for several reasons.
At home its just for testing, but at my office i have PA200 between subnets that is duplicate, and not nessesary to route to.
When i use a management profile with access to ping and https on eth1, it wont't work.
I suspect the NAT rule has something to do with it. Cause when i set it up in my lab with no NAT, it works.
Any tips for me please?
9 REPLIES 9
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
02-10-2014 12:33 AM
I dont NAT anything from untrust to trust, i only have a overload nat from trust to untrust.
But it seams that it blocks everything, including ping, and https (thats why the GP wont connect).
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
02-10-2014 12:43 AM
Thanks! I'll try that later today.
I got ping working if i add a roule thats like this:
0.0.0.0/0 is just there to mas my origin public ip. The other rule is gone, as this is a test box at work.
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
02-10-2014 01:08 AM
This rule is not a need but your other NAT rules are important.you have any other NAT rule with source zone any ?
or just 1 NAT rule from trust to untrust ?
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
02-10-2014 01:16 AM
Since im not home now, i cant confirm, but yes, i might have to rule setup with source any, and not pined down to my trust zones.
This is bad practice, i know. But is that the problem? I'll doublecheck when i get home.
The rule might be like this one, with source any.
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
02-10-2014 01:19 AM
Yes it will be a problem as Phoenix said.
Try to change it with Trust and then test again.
Related Content
- Global protect VPN disconnecting multiple times in GlobalProtect Discussions
- Gateway certificate error when switching to SAML authentication in GlobalProtect Discussions
- GP Issue while Migrating from PA-3020 to PA-460 in General Topics
- GlobalProtect: Using an alternative port in GlobalProtect Discussions
- Connect to Globalprotect from Guest Zone in GlobalProtect Discussions
Like what you see?
Show your appreciation!
Click Like if a post is helpful to you or if you just want to show your support.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks