01-20-2010 06:26 AM
Hello,
How do I set up the SSLVPN portal and management on the same IP? Because now I don't have HTTPS management on my firewall.
Regards
Piotr Bratkowski
01-20-2010 01:00 PM
Assuming you had management enabled prior to configuring SSLVPN, management will move from port 443 to port 4443 when SSLVPN is configured on the same interface. SSLVPN will use port 443. Try connecting to port 4443 in your browser.
e.g. https://externalIPaddress:4443
06-17-2010 12:30 PM
What if the SSLVPN was configured first?
I can't connect to 4443 now when SSLVPN and management are on the same port.
SSLVPN is working fine.
Regards
Jo Christian
06-17-2010 12:59 PM
As of 3.1.0 it is no longer possible to configure SSL VPN and management on the same port. You may want to configure a loopback with an external IP address for the SSL VPN.
06-17-2010 02:04 PM
We don't want the management on the same port; is it not possible to run management on port 4443?
Well, a loopback with an external IP would have been an option if we had more public IP addresses, but we only have one.
Regards
Jo Christian
06-17-2010 03:18 PM
This is a bug that is being fixed in 3.1.3. You should be able to have back the 4443 management port with that release.
Mike
06-17-2010 03:20 PM
I wonder if you could create a port-based NAT rule to forward traffic destined to an arbitrary port translated to the loopback ip/port for management?
Cheers,
Kelly
06-17-2010 11:53 PM
Great 🙂
We will wait for version 3.1.3 then.
Regards
Jo Christian
06-18-2010 01:22 AM
Hi,
Yes you can. What we have done is set up a destination NAT to the management port. You can use any arbitrary port on the outside and NAT it to port 443 of the management IP.
Best regards,
Bart.
08-11-2010 12:39 PM
What about configuring SSL-VPN, HTTPS management and a destination NAT on port 443 on the same "single" public IP address?
I think this is not possible at the moment.
I think there should be an option to change port number for SSL-VPN and HTTPS management ports. So I can leave port 443 for destination NAT.
Thanks
Ismail YENIGUL
08-11-2010 12:50 PM
Hi Ismail,
I don't see any reason why you could not do that, so long as you make sure to define unique listening ports for the NAT port translation for each service/server. This way you are essentially modifying the listening port for the service.
Cheers,
Kelly
08-11-2010 01:43 PM
First of all, I am running PAN 3.1.3 on PA-2050.
Here is my test procedure:
Test 1. Configure only SSL-VPN on untrust ethernet1 (IP: 10.0.0.77, no 443 dest NAT, no HTTPS management on this interface).
Typing https://mypan in the browser opens the SSL-VPN page. This is OK.
Test 2. Configure Destination NAT on 443, keep SSL-VPN
rule2 L3-Untrust L3-Untrust any any l3-untrustIP-10.0.0.77 service-https none dmzwebserver-192.168.100.100 : 8443
Result: I can access the dmzwebserver HTTPS server running on 8443 by typing https://10.0.0.77 in the browser.
But I can't access SSL-VPN on 4443. This is not OK.
Test 3. Disable SSL-VPN and enable HTTPS management on ethernet1, no change to the dest NAT configuration.
I can access the webserver and the PAN management interface. This is also OK.
Test 4: Enable SSL-VPN again (HTTPS management and dest NAT are already configured)
I can access the webserver and the PAN management interface, but can't access SSL-VPN.
Test 5: Keep SSL-VPN and HTTPS management, disable dest NAT
I can access SSL-VPN and HTTPS management.
As a result, if I enable dest NAT for port 443, I can't access SSL-VPN.
As I stated in my previous post, if you can provide an option to change the SSL-VPN port, this problem will be solved.
Thanks.
Ismail YENIGUL
PS: It would be great if you could provide an option to disable SSL-VPN. At the moment, I have to delete the SSL VPN settings to disable it.
PS2: As far as I know, the following detail is not mentioned in the PAN documents, but it should be.
"Assuming you had management enabled prior to configuring SSLVPN, management will move from port 443 to port 4443 when SSLVPN is configured on the same interface. SSLVPN will use port 443. Try connecting to port 4443 in your browser.
e.g. https://externalIPaddress:4443"
08-11-2010 03:22 PM
Hi Ismail,
I was thinking you could do a port translation dst NAT from the external interface to the internal mgt interface (or any other interface that has management enabled) and use any arbitrary port.
Then assign the SSL VPN portal to a loopback interface or any other L3 interface and then do a port translation dst NAT from the external interface to it. I don't believe you can change the SSL VPN port since the client will always try 443.
Then you can do a normal dst nat with some other port to an internal SSL server.
Service | Outside Port | NAT to Inside |
---|---|---|
Management | 44443 | Mgt Interface on port 443 |
SSL VPN | 443 | Loopback Interface on port 443 |
Web Server | 4443 | Internal IP on port 443 |
Cheers,
Kelly
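
A port plan like the one in the table above can be checked for collisions before it is turned into NAT rules. The following is an added example, not part of the original thread and not PAN-OS syntax or tooling; the tuple layout, the host labels (`mgt-interface`, `loopback`, `internal-server`) and the function name are assumptions made for illustration.

```python
from collections import defaultdict

SSL_VPN_PORT = 443  # per the thread, the SSL VPN client always tries 443

# (service, outside port on the single public IP, inside host, inside port)
# Constructed from the table in the post above; host labels are placeholders.
TABLE_PLAN = [
    ("Management", 44443, "mgt-interface", 443),
    ("SSL VPN", 443, "loopback", 443),
    ("Web Server", 4443, "internal-server", 443),
]
# Constructed from "Test 4" earlier in the thread: portal and dst NAT both on 443.
TEST4_PLAN = [
    ("SSL VPN", 443, "10.0.0.77", 443),
    ("Web Server", 443, "192.168.100.100", 8443),
]


def check_plan(plan):
    """Return a list of conflicts in a one-public-IP port plan (empty if clean)."""
    problems = []
    outside, inside = defaultdict(list), defaultdict(list)
    for service, out_port, host, in_port in plan:
        outside[out_port].append(service)
        inside[(host, in_port)].append(service)
        # The portal cannot be moved off 443 because the client expects it there.
        if service == "SSL VPN" and out_port != SSL_VPN_PORT:
            problems.append(
                f"SSL VPN on outside port {out_port}, clients expect {SSL_VPN_PORT}")
    # Two services on one outside port: only one of them can answer.
    for port, services in sorted(outside.items()):
        if len(services) > 1:
            problems.append(f"outside port {port} claimed by: {', '.join(services)}")
    # Two services translated to the same inside listener are really one service.
    for (host, port), services in sorted(inside.items()):
        if len(services) > 1:
            problems.append(f"inside {host}:{port} shared by: {', '.join(services)}")
    return problems


if __name__ == "__main__":
    for name, plan in (("table plan", TABLE_PLAN), ("Test 4", TEST4_PLAN)):
        print(name, "->", check_plan(plan) or "no conflicts")
```

The table plan passes because every service has its own outside port, while the Test 4 layout is flagged for the shared port 443.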