I run a pair of PA 2050's on my internet edge, and currently use them for terminating an SSL VPN for staff to remote access internal resources.
I want to put in a second SSL VPN, different IP range, different security zone, much more restricted for contractors/external support staff so I can let them logon and access specific services without giving carte blanche access to the rest of the network.
I tried building another SSL VPN and setting it up on the same external IP (our outside interface), but the OS wouldn't allow me to do so.
Is this possible? Or is there some workaround? Can I use an IP address on another interface (a DMZ) to terminate the second SSl VPN and just have the external staff login to that instead of the main one?
Yes, this is possible. You can configure multiple SSL VPN Portals on the device but they need to be bound to different IP addresses. One Portal would be for your corporate users and one would be for your external contractors.
You can use any L3 interface or sub-interface, including loopbacks and VLAN Interfaces, to bind the SSL VPN Portals.
OK, so I've got an available IP address on a DMZ interface which is "inside" the normal external address - what security policy would I need to put in place to allow a VPN to terminate on this address? Being that this interface is in the "DMZ" zone?
Or would an interface management profile allowing http/https be sufficient to allow this to work?
If the IP address in the DMZ is a publicly routable address, then this should be pretty straightforward. You would have a policy from Untrust to DMZ zones allowing any IP to the SSL VPN IP. You would allow SSL, IKE, and IPSEC-ESP-UDP to the IP.
If the IP address is private then you will need a NAT policy in addition to the above Security policy. The NAT policy will be an out-bound source-nat from the SSL VPN IP out to the internet (DMZ to Untrust zone). Make sure the check the "bi-directional" checkbox on the source-nat translation window and you should be set. Put this rule at the top of the NAT policy in case there are other out-bound NAT rules that might take precedence.
Of course you will then need your DMZ to Trust security policies to allow the contractors limited access to the internal resources once the tunnel is established.
The DMZ is a public routable IP address, so it should be dead easy.
I just wasn't sure what I'd need to let in from outside to the destination IP address - now I do.
Thanks for your help, and I can go away and set it up now.
I think my brain was out to lunch - no need for IKE with SSL VPN. :smileyhappy:
After some digging, here are the correct Apps and Ports to allow for SSL VPN:
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!