We currently have a primary direct internet connection from the ISP to the Palo Alto PA-200, configured with LSVPN.
As we plan to have a secondary Internet connection, we want to connect the Palo Alto PA-200 to a 4G router using LSVPN as well.
The problem is that the public IP address is assigned to the 4G router, and we'll connect it via LAN to the PA-200, as the diagram below illustrates.
How can I configure the PA-200 to implement LSVPN as a client?
Does the 4G router have the ability to just pass all traffic without performing any other tasks or to be a transparent device so the PAN could have the public IP? Meaning the PA-200 should be able to make the request to the core of the LSVPN and make the connection. Is this not working as designed?
Why is it a problem if the public IP is on the 4G router? Btw, are you sure your 4G modem has a public IP? The way I have used these modems so far, they always got a private IP on the external interface, and on the provider side there is carrier-grade NAT for connections towards the internet.
Anyway, for GP LSVPN you don't need a public IP on your spoke firewall. Only the hub will need a public IP to receive the connections.
Which configuration should I do to make the router work transparently in order to carry the public IP address to the firewall? If I configure the DMZ IP on the router by assigning the IP address of the PA200 firewall's interface, will that make it transparent?
Which configuration should I put on the firewall (spoke)?
Back in the day when I was doing this, there was a setting in the 4G router that allowed it to be transparent, and it would pass the public IP to the attached device/firewall. While I don't know what or if there is that in the device you are using, you might want to reach out to the vendor and check. However, like @vsys_remo pointed out, it might not be required.
Thank you for your answer. Well, I'm using a Huawei AR160 series.
The hub administrators are requesting the public IP and its gateway, but the 4G provider has just offered one public IP /32 with NAT.
You just need to NAT inbound ports from the 4G router to the Palo IP. Or simpler if you just set a DMZ host on the 4G router to send all traffic to the PA.
The ISP, however, will need to map a public address and inbound ports, as the carriers usually only allocate you a private address. I've just bought an international SIM card that does this. They basically assign me a static public address on their end, and it NATs through their cell provider VPN to the private IP on my router. I need to arrange with them what ports they pass inbound (which is good as it filters out port scans etc., but bad as if I want to add a new service I have to ask them).
Ports for LSVPN are tcp/443 and udp/4501.
That router then NATs all inbound to the IP on the Palo Alto. The Palo Alto is configured with a private address, but it doesn't matter as long as your public IP is used for LSVPN inbound.
If this is a remote office then you don't need any of the inbound NATs set up, as it's a one-way connection.
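The decision described in the replies above, written out as an added example that is not part of the original thread: it classifies the address the 4G router holds on its cellular side and lists which inbound forwards, if any, the router needs for each LSVPN role. The function names, the firewall LAN address and the sample WAN addresses are constructed for illustration; the ports are the ones quoted in the thread.

```python
import ipaddress

# Ranges that are not reachable from the internet without an upstream NAT mapping.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 carrier-grade NAT space

# LSVPN ports as listed in the thread.
LSVPN_PORTS = [("tcp", 443), ("udp", 4501)]


def classify_wan(addr):
    """Classify the address the 4G router has on its cellular interface."""
    ip = ipaddress.ip_address(addr)
    if ip in CGNAT:
        return "cgnat"
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    # Simplification (assumption): anything else is treated as publicly routable.
    return "public"


def inbound_plan(role, router_wan, firewall_ip):
    """Return the forwards the 4G router needs for role "spoke" or "hub"."""
    if role == "spoke":
        # Remote office: the firewall only dials out, so no inbound NAT is needed,
        # whatever address the carrier hands to the router.
        return {"forwards": [], "carrier_mapping_needed": False}
    if role != "hub":
        raise ValueError("role must be 'spoke' or 'hub'")
    # Hub side: both LSVPN ports must reach the firewall's private address.
    forwards = [(proto, port, firewall_ip) for proto, port in LSVPN_PORTS]
    # If the router itself sits behind carrier NAT, the carrier has to map a
    # public address and these ports first, as described in the thread.
    return {"forwards": forwards,
            "carrier_mapping_needed": classify_wan(router_wan) != "public"}


if __name__ == "__main__":
    fw = "192.168.1.2"  # constructed LAN address of the PA-200 interface
    # Constructed sample WAN addresses (203.0.113.7 is a documentation address
    # standing in for a real public IP).
    for role, wan in [("spoke", "100.72.14.9"), ("hub", "203.0.113.7"),
                      ("hub", "100.72.14.9")]:
        print(role, wan, classify_wan(wan), inbound_plan(role, wan, fw))
```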