Use AnyConnect to connect to Palo Alto gateway

L4 Transporter

Hi,

We would like to know if it's possible to configure a Palo Alto GP gateway to permit connections using the Cisco AnyConnect client?

What would the config be to do that?

Cyber Elite

Yes, it is possible to do this.

Do you have a GlobalProtect gateway license installed on the FW?

I have found this may help (though not completely fix any issues):

There is documentation on the PANW website on how to get to the gateway config.

https://docs.paloaltonetworks.com/globalprotect/8-1/globalprotect-admin/globalprotect-gateways/confi...

Take note of task 4 (If you Enable X-Auth Support). You will see that it asks for a Group Name and a password, just like Cisco AnyConnect needs a Group Name and password.

Now, my personal experience is this... I can get AnyConnect to create the tunnel to the FW, so I know it works.

BUT!!!! The AnyConnect software (and NOT the PANW) sets the default gateway of the AnyConnect adapter to the next virtual IP (from your web pool). Example: you configure a virtual/web pool address of 10.99.99.0/24, so that any user (GP or AnyConnect) will get an address from the pool.

A GP user creates his tunnel and gets IP 10.99.99.4/24 (just some random IP). The GP software does NOT need/have a default gateway to route traffic across the PANW tunnel:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : PANGP Virtual Ethernet Adapter
Physical Address. . . . . . . . . : 02-50-41-00-00-01
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.99.99.4(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 0.0.0.0

But!!!!

The AnyConnect would get 10.99.99.5 (for example) and the default gateway would be the next IP.

IPv4 Address. . . . . . . . . . . : 10.99.99.5(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 10.99.99.6

But if 10.99.99.6 has not been assigned yet... then the tunnel (which is established correctly, according to the standards) will still not function because (for whatever reason) AnyConnect pulls 2 IPs.

So, until you contact Cisco and understand how/why their client does this... I fear that your traffic will not pass correctly.

Again, I have tested this in the past, but I am not a Cisco-focused person, so who knows why this happens, but it's not a PANW issue to resolve (IMHO).

Thanks
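The comparison in the reply above can be turned into a check you run over an `ipconfig /all` dump, so the "phantom next-hop" condition is spotted before anyone starts debugging the IPsec side. The following Python is an added example for this thread; it is not code from Palo Alto Networks, Cisco, or the reply's author. The sample dump is constructed from the two adapter listings in the reply, the `10.99.99.0/24` pool is the reply's example pool, and the description string on the AnyConnect adapter is an assumption.

```python
"""Flag VPN adapters whose default gateway is a second address from the VPN pool.

Added example for this thread, not code from Palo Alto Networks or Cisco.
It parses Windows `ipconfig /all` text and automates the check the reply does
by hand: a GlobalProtect adapter gets a /32 with gateway 0.0.0.0, while the
AnyConnect adapter the reply saw gets a /32 plus a gateway equal to the next
pool address, which blackholes traffic if that address is never handed out.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed `ipconfig /all` excerpt: the two adapters from the reply side by side.
# The AnyConnect adapter's Description string is an assumption, not a captured value.
SAMPLE_IPCONFIG = """\
Ethernet adapter Ethernet 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : PANGP Virtual Ethernet Adapter
   Physical Address. . . . . . . . . : 02-50-41-00-00-01
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.99.99.4(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 0.0.0.0

Ethernet adapter Ethernet 3:

   Description . . . . . . . . . . . : Cisco AnyConnect Virtual Miniport Adapter (assumed name)
   IPv4 Address. . . . . . . . . . . : 10.99.99.5(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 10.99.99.6
"""

# "   Key . . . . : value" rows; the lazy key stops before the dot leaders.
_FIELD = re.compile(r"^\s+(?P<key>[A-Za-z][\w \-]*?)[ .]*:\s?(?P<value>.*)$")
_IPV4 = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


@dataclass
class Adapter:
    name: str
    fields: Dict[str, List[str]]  # a key can repeat (e.g. several Default Gateway rows)

    def first_ipv4(self, key: str) -> Optional[ipaddress.IPv4Address]:
        for value in self.fields.get(key, []):
            m = _IPV4.search(value)  # drops "(Preferred)", skips IPv6-only rows
            if m:
                return ipaddress.IPv4Address(m.group(1))
        return None


def parse_ipconfig(text: str) -> List[Adapter]:
    """Split ipconfig output into adapters; an unindented line ending in ':' starts one."""
    adapters: List[Adapter] = []
    for line in text.splitlines():
        if line and not line[0].isspace() and line.endswith(":"):
            adapters.append(Adapter(line[:-1], {}))
            continue
        m = _FIELD.match(line)
        if m and adapters:
            adapters[-1].fields.setdefault(m["key"], []).append(m["value"])
    return adapters


@dataclass
class Finding:
    description: str
    status: str          # "not_on_pool" | "ok" | "phantom_next_hop"
    consumed: List[str]  # pool addresses this one client ties up
    note: str


def check_adapter(a: Adapter, pool: ipaddress.IPv4Network) -> Finding:
    desc = (a.fields.get("Description") or [a.name])[0]
    ip, gw = a.first_ipv4("IPv4 Address"), a.first_ipv4("Default Gateway")
    if ip is None or ip not in pool:
        return Finding(desc, "not_on_pool", [], "adapter is not on the VPN pool")
    if gw is None or gw == ipaddress.IPv4Address("0.0.0.0"):
        return Finding(desc, "ok", [str(ip)], "/32 host route, no next-hop needed")
    if gw in pool and gw != ip:
        hint = "next pool address" if gw == ip + 1 else "another pool address"
        return Finding(desc, "phantom_next_hop", [str(ip), str(gw)],
                       f"gateway {gw} is the {hint}; traffic is blackholed unless {gw} is reachable")
    return Finding(desc, "ok", [str(ip)], f"gateway {gw} is outside the pool")


def audit(text: str, pool_cidr: str) -> List[Finding]:
    pool = ipaddress.IPv4Network(pool_cidr)
    return [check_adapter(a, pool) for a in parse_ipconfig(text)]


if __name__ == "__main__":
    for f in audit(SAMPLE_IPCONFIG, "10.99.99.0/24"):
        print(f"{f.status:17} {f.description}: {f.note}")
```

Run it against a real dump with `python check_pool.py` after pasting `ipconfig /all` output into `SAMPLE_IPCONFIG`, or feed the text to `audit()` from another script. A `phantom_next_hop` finding also tells you the client is consuming two pool addresses, which is worth knowing when sizing the pool.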
