01-26-2018 07:13 AM
We have a 3050 with one VSYS, and it is connected to an ISP with one IP address, as we also use this VSYS for user VPN (Global Protect). All is working fine, but we will be adding another VSYS to segregate another department’s Internet traffic. I would like both VSYS to share the same Internet and IP, but I’m concerned, if I read correctly, about our existing Global Protect VPN configuration and the Shared Gateway being a problem.
I appreciate any help or insight.
Jeff
01-30-2018 10:05 AM
Jeff,
You are correct that there can only be one VPN Profile/Gateway per IP (I believe it is just the gateway side).
I am not an expert at making VSYS interact with each other properly, but from what you are describing (and having a 3050) it may make more sense to put the GP on its own VSYS and set up multiple profiles within both the GP Profile & Gateway to force different departments to different traffic (we use Group Policy for allowing VPN access). The bottom line with GP is that you allow access to connect, but it is the security rules that allow access to different components, so using the same VPN but different AD groups with security rules and GP Profile/Gateway rules will allow you to limit both what IPs are displayed and what they are allowed to access.
Brian
01-30-2018 09:47 AM
Bumping for any help.
Thank you.
Jeff