This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Use Anyconnect to connect to Palo Alto gateway

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Use Anyconnect to connect to Palo Alto gateway

BigPalo
L4 Transporter

‎11-06-2020 02:40 AM

Hi,

 

We would like to know if its possible to configure Palo Alto GP gateway in order to permit connect using Cisco anyconnect client?

what it would be the config to do that?

0 Likes Likes
1 REPLY 1

S.Cantwell
Cyber Elite
Cyber Elite

‎11-06-2020 05:49 AM

Yes it is possible to do this.

Do you have a Global Protect gateway license installed on FW?

 

I have found this may help (not completely fix any issues)

There is documentation on PANW website on how to get to the gateway config.

https://docs.paloaltonetworks.com/globalprotect/8-1/globalprotect-admin/globalprotect-gateways/confi...

 

Take note at task 4 ( If you Enable X-Auth Support).  You will see that it asks for a Group Name and a password, just like the Cisco AnyConnect needs a Group name and password.

 

Now, my personal experience is this... I can get the AnyConnect to  create the tunnel to the FW, so it know it works.

BUT!!!! The AnyConnect software (and NOT the PANW) puts the default gateway of the AnyConnect to the next virtual IP (from your webpool).  Example.  You config a virtual/web pool address of.. 10.99.99.0/24), so that any user (GP or AnyConnect) will get from the pool.

 

A GP user creates his tunnel, and gets IP 10.99.99.4/24 (just some random IP)  The GP software does NOT need/have a default gateway to route traffic across the PANW tunnel.,

 

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : PANGP Virtual Ethernet Adapter
Physical Address. . . . . . . . . : 02-50-41-00-00-01
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.99.99.4(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 0.0.0.0

 

But!!!! 

 

The AnyConnect would get 10.99.99.5 (for example) and the default gateway would be the next IP.

IPv4 Address. . . . . . . . . . . : 10.99.99.5(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 10.99.99.6

 

But if 10.99.99.6 has not been assigned yet... then the tunnel (which is established correctly, according to the standards) will still not function because (for whatever reason... AnyConnect pulls 2 IPs)

 

So, until you contact Cisco and understand how/why their client does this... I fear that your traffic will not pass correctly. 

 

Again, I have tested this in the past, but I am not a Cisco focused person, so who knows why this happens, but it's not a PANW issue to resolve (IMHO)

 

Thanks

Please help out other users and “Accept as Solution” if a post helps solve your problem !
  • 8748 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks