DHCP address assignment for Global Protect VPN

L1 Bithead

All,

 

I am working on a PA-220 lab, in preparation for a PA-820 rollout. I have set up and configured my GlobalProtect VPN. When it comes to DHCP, I know I can't use my DHCP servers but have to rely on DHCP from the firewall. That is OK. My question is this:

For my VPN users, if I create a DHCP scope in Network > Gateways > MyGateway > Agent > Client Settings > Configs > IP Pools > IP Pool, and the DHCP addresses are not a subset of an existing Ethernet interface/sub-interface, will I have to create a layer 3 sub-interface so the VPN traffic is routed correctly? I.e., all interfaces/sub-interfaces are 10.0.x.x and I want VPN addresses to be 192.168.x.x. Will I need to create a layer 3 interface for the 192.168.x.x so traffic flows correctly?

I am sure this is simple, but I want to make sure I do it correctly in the building/testing stage.

12 REPLIES

L4 Transporter

Hi @RussMc 

Yes, you will need an L3 interface and a zone if you want to land the tunnel in an isolated zone.

PCCSA PCNSA PCNSE PCSAE
Mode44 LTD Palo Alto Consultants

Thank you. I will add it and test this weekend.

OK, I added the L3 interface, added the VLAN to my switches, and committed all changes. I can connect to the VPN by computer but not by the app on my iPhone (I do have the correct licensing for the GP app). The error I get is "The network connection is unreachable or the gateway is unresponsive."

Also, when I have a laptop successfully connected to the VPN, I can't seem to get to any VLANs on my network. I do have the VLANs identified in the split tunnel. I tried adding the VLANs individually as well as specifying 0.0.0.0/0, to no avail.

Any thoughts or suggestions?

You will need to add a security policy allowing traffic from the GP tunnel zone to your lan interface zone.

 

L4 Transporter

Absolutely, as @Mick_Ball says, you need to treat the GlobalProtect environment as you would any other, so:

 

  1. Tunnel interface that lands either in your inside network or a DMZ or wherever you want
  2. Zone for the Tunnel interface 
  3. Rules allowing your users to access the resources they need using Zones and policies 
  4. NAT rules if you want to go out to the internet through the Firewall (as opposed to breakout locally)

Using the 0.0.0.0/0 route will tunnel everything back to the Gateway so you may want to just use the subnets that you require.

PCCSA PCNSA PCNSE PCSAE
Mode44 LTD Palo Alto Consultants
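The four steps above, written out as PAN-OS configuration-mode `set` commands. This is an added example and not configuration from this thread, from Mode44 or from Palo Alto Networks; every name and address in it is constructed (`tunnel.10`, zone `GP-VPN`, virtual router `default`, LAN zone `trust`, internet zone `untrust`, egress interface `ethernet1/1`, VPN pool `192.168.250.0/24`, LAN `10.0.0.0/8`), and the command paths are assumed from the PAN-OS 9/10 CLI tree, so confirm them against `show config candidate` on your own release before committing.

```text
# Added example, not from the thread. All names/addresses are constructed placeholders.

# Step 1: tunnel interface for the GlobalProtect gateway, attached to the virtual router.
# The tunnel itself needs no IP; the client pool below does NOT have to overlap any
# Ethernet interface subnet (the 192.168.x.x pool vs 10.0.x.x LAN case from the question).
set network interface tunnel units tunnel.10 comment "GlobalProtect user tunnel"
set network virtual-router default interface tunnel.10

# Step 2: a dedicated zone for the tunnel, so VPN users are not implicitly trusted.
set zone GP-VPN network layer3 tunnel.10

# Bind the tunnel to the gateway and assign the client pool plus split-tunnel routes.
# (GUI path: Network > GlobalProtect > Gateways > <gateway> > Agent > Client Settings.)
# Command paths assumed from the 9.x/10.x config tree; verify on your release.
set global-protect global-protect-gateway GP-GW tunnel-mode enable yes
set global-protect global-protect-gateway GP-GW tunnel-mode tunnel-interface tunnel.10
set global-protect global-protect-gateway GP-GW remote-user-tunnel-configs default ip-pool 192.168.250.0/24
# Specific subnets rather than 0.0.0.0/0, so only internal traffic is tunneled back.
set global-protect global-protect-gateway GP-GW remote-user-tunnel-configs default split-tunneling access-route 10.0.0.0/8

# Step 3: security policy from the tunnel zone to the LAN zone; scoped to the pool
# and the internal range, with logging so VPN access is visible in the traffic log.
set rulebase security rules GP-to-LAN from GP-VPN to trust source 192.168.250.0/24 destination 10.0.0.0/8 application any service application-default action allow log-end yes

# Step 4 (only if clients should reach the internet through the firewall instead of
# breaking out locally): source NAT for the pool behind the untrust interface.
set rulebase nat rules GP-Internet from GP-VPN to untrust source 192.168.250.0/24 destination any service any source-translation dynamic-ip-and-port interface-address interface ethernet1/1
set rulebase security rules GP-to-Internet from GP-VPN to untrust source 192.168.250.0/24 destination any application any service application-default action allow log-end yes
```

The reason the original symptom (connected, but no VLAN reachable) appears even with correct split-tunnel routes is that a tunnel landed in a zone with no allow rule to the LAN zone is dropped by the implicit interzone deny; after committing, `show running security-policy` on the firewall, or a filtered view of the traffic log for `from GP-VPN`, confirms whether the GP-to-LAN rule is matching.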

For testing purposes, I have the tunnel added to my untrusted (Internet) zone and set on my gateway configuration. In the past, this has worked just fine with all applicable VLANs added to the split tunnel.

Are the VLANs you mentioned external or internal?

All internal.

OK, I have the VPN client working now on the client PCs & Macs. I forwent adding the tunnel to my untrusted (Internet) zone and went with Mick's suggestion. I created a new zone, configured the tunnel, and added a security policy, and access to the VLANs works just fine. The only issue I have is our iPhones will not connect to the VPN. I still get the following error:

 

Gateway <My Gateway>: The network connection is unreachable or the gateway is unresponsive. Check the network connection and reconnect.

Could this be caused by the self-signed certificate I am using for testing (I will have a real, valid cert in production)? If this is the case, I guess I am looking for validation, since I ran out of time until this weekend to do more testing. I found this article:

 

https://medium.com/collaborne-engineering/self-signed-certificates-in-ios-apps-ff489bf8b96e

 

Thoughts on whether this will resolve the issue?

 

Do you have the required gateway subscription for mobile devices?

 

iOS works differently from windoze with cert stuff... I only have trusted certs so cannot test, but when I use an IP address for the portal I get...

the network is unreachable or the portal is unresponsive....

not sure why you get the gateway error....

anyhows... try the fix you have, as you will need to trust your self-signed cert...

 

laters...

 

I have the required licensing for mobile devices.

From Safari, Chrome, and Firefox on an iPhone, I can hit the VPN gateway (by IP) and log in just fine. Once I do, I see the links to download the appropriate client, though you can't on an iDevice... This means all but the app is working fine.

I have the cert loaded and trusted in my device and will test this weekend and report back on Monday. Thank you for all the help and advice.

L1 Bithead

The testing over the weekend was successful. Creating an L3 interface for the VPN traffic, then creating a zone/rules for the traffic to flow, and then installing the cert and trusting it on the iDevice worked perfectly. I was then able to navigate where my rules permitted. I will be obtaining a true, trusted cert for the production rollout. Thanks and kudos to @Mick_Ball & @laurence64 for all the help.
