What about configuring SSL-VPN, HTTPS management and a destination NAT on port 443 on the same "single" public IP address?
I think this is not possible at the moment.
I think there should be an option to change the port numbers for the SSL-VPN and HTTPS management ports, so I can leave port 443 for destination NAT.
First of all, I am running PAN 3.1.3 on a PA-2050.
Here is my test procedure:
Test 1. Configure only SSL-VPN on untrust ethernet1 (IP: 10.0.0.77, no 443 dest NAT, no HTTPS management on this interface).
Type https://mypan in the browser; the SSL-VPN page opens. This is OK.
Test 2. Configure destination NAT on 443, keep SSL-VPN:
rule2 L3-Untrust L3-Untrust any any l3-untrustIP-10.0.0.77 service-https none dmzwebserver-192.168.100.100 : 8443
Result: I can access the dmzwebserver HTTPS server running on 8443 by typing https://10.0.0.77 in the browser.
But I can't access SSL-VPN on 4443. This is not OK.
Test 3. Disable SSL-VPN and enable HTTPS management on ethernet1, no change to the dest NAT configuration.
I can access the web server and the PAN management interface. This is also OK.
Test 4: Enable SSL-VPN again (HTTPS management and dest NAT are already configured).
I can access the web server and the PAN management interface, but can't access SSL-VPN.
Test 5: Keep SSL-VPN and HTTPS management, disable dest NAT.
I can access SSL-VPN and HTTPS management.
As a result, if I enable dest NAT for port 443, I can't access SSL-VPN.
As I stated in my previous post, if you can provide an option to change the SSL-VPN port, this problem will be solved.
PS: It would be great if you could provide an option to disable SSL-VPN. At the moment, I have to delete the SSL VPN settings to disable it.
PS2: As far as I know, the following detail is not mentioned in the PAN documents, but it should be:
"Assuming you had management enabled prior to configuring SSLVPN, management will move from port 443 to port 4443 when SSLVPN is configured on the same interface. SSLVPN will use port 443. Try connecting to port 4443 in your browser."
I was thinking you could do a port-translation dst NAT from the external interface to the internal mgt interface (or any other interface that has management enabled) and use any arbitrary port.
Then assign the SSL VPN portal to a loopback interface or any other L3 interface and do a port-translation dst NAT from the external interface to it. I don't believe you can change the SSL VPN port, since the client will always try 443.
Then you can do a normal dst NAT on some other port to an internal SSL server.
| Service    | Outside Port | NAT to Inside                    |
|------------|--------------|----------------------------------|
| Management | 44443        | Mgt interface on port 443        |
| SSL VPN    | 443          | Loopback interface on port 443   |
| Web Server | 4443         | Internal IP on port 443          |
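The three port-translation NAT rules from the table above, written out as an added example in PAN-OS set-format CLI. This is not configuration from the thread or from Palo Alto Networks; the command syntax is the one documented for later PAN-OS releases and is assumed here (the original poster runs 3.1.3, where it may differ). The addresses 10.0.0.77 (untrust, ethernet1) and 192.168.100.100 (DMZ web server) and the zone name L3-Untrust come from the thread; the management-enabled inside interface 10.0.1.1, the loopback address 10.255.255.1 and the rule and service names are assumptions.

```text
# Added example: PAN-OS set-format CLI (syntax assumed from later releases).
# Assumed: 10.0.1.1 = inside L3 interface with an HTTPS management profile,
#          10.255.255.1 = loopback.1 that the SSL VPN portal is bound to.

# Service objects for the two non-standard outside ports
set service tcp-44443 protocol tcp port 44443
set service tcp-4443 protocol tcp port 4443

# 1. Management: outside 10.0.0.77:44443 -> management-enabled interface on 443
#    (restrict "source" to admin addresses rather than "any" before committing)
set rulebase nat rules dnat-mgmt from L3-Untrust to L3-Untrust source any destination 10.0.0.77 service tcp-44443 destination-translation translated-address 10.0.1.1 translated-port 443

# 2. SSL VPN: outside 10.0.0.77:443 -> loopback.1 on 443 (the client always tries 443)
set rulebase nat rules dnat-sslvpn from L3-Untrust to L3-Untrust source any destination 10.0.0.77 service service-https destination-translation translated-address 10.255.255.1 translated-port 443

# 3. Web server: outside 10.0.0.77:4443 -> DMZ host on 443
set rulebase nat rules dnat-web from L3-Untrust to L3-Untrust source any destination 10.0.0.77 service tcp-4443 destination-translation translated-address 192.168.100.100 translated-port 443
```

Two points a practitioner would check before committing: the matching security rules must use the pre-NAT destination address and port (10.0.0.77 and the outside port) together with the post-NAT destination zone, and the management rule exposes the firewall's own web interface to the Internet, so its `source` should be limited to known administrator addresses instead of `any`.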