05-17-2012 05:55 AM
We use basic global protect functionality (no global protect licenses) to connect with SSL VPN. One of user (businnes owner) must have always the same IP address when he connect via SSL VPN. How can I resolve this? In global protect configuration isn't possible to reserve IP addresses for MAC address (like in DHCP server).
05-17-2012 09:37 AM
MAC addres reservations for DHCP work because the firewall gets teh DHCP request and can evaluate the MAC address. For such a feature to work for VPN users, the VPN client would have to sent it's MAC address as part of the authentication process. From the firewall's point of view, every VPN connection comes from the router's MAC address since they all come from outside.
I'm not aware of such a capability but perhaps someone else has a solution for this.
06-27-2012 03:27 AM
Hi,
One of my client has a similar requirement to reserve IP Address while connecting to Global protect SSL VPN.
Is it possible to achieve this?
Thanks.
06-28-2012 09:37 AM
A form of this functionality can be obtained by configuring a user specific client configuration on your portal that points to a second external gateway. The second gateway would be configured to only distribute one IP address.
This capability exists for the more common use case of defining specific user groups that might get different configurations and networks settings, so it doesn't really scale to doing this for dozens of individual IPs, but for a one-off it should work fine.
07-10-2012 06:30 AM
Hi drogers.
When I try to configure "Cliente Configuration" into Globalprotect Gateway with only one IP address, I obtain this message: "SSLVPN: Invalid IP pool value: X.X.X.X. Subnet is smaller than minimum allowed value 30." Is it not possible to configure only one IP in a pool? What is the reason for it?
Thank you very much.
08-21-2012 01:55 AM
I get the same problem for a customer of mine...
I get the same error when i try to allow a specific address in the IP Pool : "SSLVPN: Invalid IP pool value: X.X.X.X. Subnet is smaller than minimum allowed value 30."
Is there an issue or a patch for this problem ?
Thanks
10-04-2012 11:02 AM
Anyone ever get this working? Based on the responses I've got this still isn't possible and even having multiple gateways won't fix it.
10-04-2012 09:20 PM
Hi,
This is an expected error, the minimum subnet to create a gateway pool is /30. What you can try is to configure a pool in a different gateway just for that specific user. He will get the same IP address i.e. the 1st IP address from that pool every time he disconnects and connect back as there would be no other users who would be using that defined pool. This is just a workaround, what I would also suggest if you can do a feature request so that a user can be assigned a specific IP address based on HIP match, etc.
Thanks,
Khubaib Alavi
10-05-2012 12:27 AM
You can also operate NAT Source Translation on the pool. It was advised by a Palo Alto engineer to do it like that because it's not possible to allocate only one IP Address (what a simple PIX do 😞 )
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
