How to setup SSLVPN and MGMT on the same IP?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

How to setup SSLVPN and MGMT on the same IP?

L1 Bithead

Hello,

How to setup SSLVPN portal and managment on same IP. Because now I don't have https managment on my firewall.

Regards

Piotr Bratkowski

13 REPLIES 13

L5 Sessionator

Assuming you had management enabled prior to configuring SSLVPN, management will move from port 443 to port 4443 when SSLVPN is configured on the same interface.  SSLVPN will use port 443.  Try connecting to port 4443 in your browser.

e.g. https://externalIPaddress:4443

L1 Bithead

Thanks for anwer. It worked, but I've clicked wrong star:]

What if the SSLVPN was configured first?

I can't connect to 4443 now when SSLVPN and management is on the same port.

SSLVPN is working fine.

Regards

Jo Christian

/Jo Christian

As of 3.1.0 it is no longer possible to configure SSL VPN and management on the same port.  You may want to configure a loopack with an external IP address for the SSL VPN.

We don't want the management on the same port, it is not possible to run management on port 4443?

Well loopback with external IP would have been an option if we got more public ip-address'es, but we only got one.

Regards

Jo Christian

/Jo Christian

This is a bug that is being fixed in 3.1.3. You should be able to have back the 4443 management port with that release.

Mike

I wonder if you could create a port-based NAT rule to forward traffic destined to an arbitrary port translated to the loopback ip/port for management?

Cheers,

Kelly

Great 🙂

We will wait for version 3.1.3 then.

Regards

Jo Christian

/Jo Christian

Hi,

Yes you can, what we have done is setting up a destination nat to the managment port. You can use any arbitrary port on the outside and nat it to port 443 of the managment IP.

Best regards,

Bart.

L0 Member

What about  configuring SSL-VPN, HTTPS Management and a destination NAT on 443 port on the same "single" public IP address?

I think this is not possible at the moment.

I think there should be an option to change port number for SSL-VPN and HTTPS management ports.  So I can leave port 443 for destination NAT.

Thanks

Ismail YENIGUL

Hi Ismail,

I don't see any reason why you could not do that, so long as you make sure to define unique listening ports for the NAT port translation for each service/server.  This way you are essentially modifying the listening port for the service.

Cheers,

Kelly

First of all, I am running PAN 3.1.3 on PA-2050

Here is my test procedure:

Test 1. configure only SSL-VPN on untrust ethernet1 (IP:10.0.0.77, no 443 dest nat, no https management on this interface)

type on brower  https://mypan, SSL-VPN page will be opened. this is OK.

Test 2.  Configure Destination NAT on 443, keep SSL-VPN

     rule2      L3-Untrust L3-Untrust  any      any      l3-untrustIP-10.0.0.77  service-https      none      dmzwebserver-192.168.100.100 : 8443

Result: I can access to dmzwebserver HTTPS server running on 8443 by typing https://10.0.0.77  in the browser.

But I can't access to SSL-VPN on 4443. This is not OK

Test 3. Disable SSP-VPN and enable HTTPS management on ethernet1, no change on dest NAT configuration.

I can access to webserver and PAN management interface. This is also OK.

Test 4: Enable SSL-VPN again (HTTPS management and dest NAT is already configured)

I can access to webserver and PAN management interface.  but can't access to SSL-VPN

Test 5: Keep  SSL-VPN and HTTPS management, disable dest NAT


I can access to SSL-VPN and HTTPS management.

As a result, If I enable dest NAT for port 443, I can't access to SSL-VPN.

As I stated in my previous post, If you can provide an option to change SSL-VPN port, this problem will be solved.

Thanks.

Ismail YENIGUL

PS: It will be great, if you can provide an option to disable SSL-VPN. At the moment, I have to delete SSL VPN settings to disable

PS2: As far as I know, the following detail is not mentioned PAN documents. but it should be mentioned.

"Assuming  you had management enabled prior to configuring SSLVPN, management will  move from port 443 to port 4443 when SSLVPN is configured on the same  interface.  SSLVPN will use port 443.  Try connecting to port 4443 in your browser.

e.g. https://externalIPaddress:4443"

 

Hi Ismail,

I was thinking you could do a port translation dst NAT from the external interface to the internal mgt interface (or any other interface that has management enabled) and use any arbitrary port.

Then assign the SSL VPN portal to a loopback interface or any other L3 interface and then do a port translation dst NAT from the external interface to it.  I don't believe you can change the SSL VPN port since the client will always try 443.

Then you can do a normal dst nat with some other port to an internal SSL server.

ServiceOutside PortNAT to Inside
Management44443Mgt Interface on port 443
SSL VPN443Loopback Interface on port 443
Web Server4443Internal IP on port 443

Cheers,

Kelly

  • 6500 Views
  • 13 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!