GP gateways under the same ISP

L3 Networker

Hello,

I have a setup for the company portal and gateway with a specific IP pool, and there is one public IP on the ISP. Now they want partners to connect as well, and I was wondering if it is possible to have either another VPN IP pool and settings like DNS on the same gateway, or to make another gateway under the same IP with another port.

L4 Transporter

@GeorgiosFakis: Both are possible, but I think the first one is more elegant.

So you create a second network config for the second vpn-users group and assign them their own network config (External GW > Agent > Client Settings).

 

Using different DNS servers per client settings is supported from PAN-OS 9.0 on. https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/globalprotect-features/dns-configur...

Best Regards
Chacko

But what if I have PAN-OS version 8.1?

Then you can only create agent settings regarding ip-pools and routing.

If a different DNS server is mandatory for you, you need to create a second external gateway and assign it to the vpn-users group in the portal. You can use a loopback IP for the second external gateway and create a NAT policy (if untrust > untrust custom-port.... then DNAT to Loopback-IP:443).

Best Regards
Chacko

I was thinking about that different port, that could work, thanks.

Right, you can define a custom-port like 666 which you then DNAT to the correct external-gw2.

Two external gateways on the same public IP are not possible, because the Palo couldn't tell which gw to use. There you have to use a dummy-IP/Loopback or a second public-ip.

Best Regards
Chacko