Get a defined target IP Address and Subnet via GlobalProtect (PA-460)


L1 Bithead
I have a target system that I need to access via WebUI. The system is reachable via its IP address 192.168.255.129 with a /24 (255.255.255.0) subnet. Furthermore the system expects a client IP address of 192.168.255.130, any other IP address will be rejected. The target system is a "proprietary blackbox", which means these settings cannot be changed.
Any locally connected client can reach the target system via the above mentioned IP settings.
My objective is to reach this system now via a GlobalProtect VPN connection, so I set the DHCP IP pool of the gateway configuration to the target system's network (192.168.255.0/24).

[screenshot: Bild (3).png]

I wasn't able to reach the target system yet.

I'm facing different issues, here:
  • I set the IP pool to 192.168.255.0/24 for the needed 255.255.255.0 subnet mask. However, if I look into the network settings, I have a subnet of 255.255.255.255 configured for the virtual adapter. Shouldn't this be the expected 255.255.255.0 subnet?

[screenshot: Bild (2).png]

  • How can I force my client to use the 192.168.255.130 address? I couldn't come up with an idea yet. If I set the DHCP range to 192.168.255.130-192.168.255.131, for instance, I cannot configure the /24 subnet I need, as that is not possible when defining a range like this.
Thanks a lot in advance for your help

4 replies

Community Team Member

Hi @SaArlt ,
With the option "Retrieve Framed-IP-Address attribute from authentication server" you can assign a fixed IP address to GP users with AD (LDAP) authentication.
Check if the following article can help you:

How to Assign a Fixed IP address to GlobalProtect Users with Active Directory (LDAP) Authentication ... 
Hope this helps,

Kim.

LIVEcommunity team member, CISSP
Cheers,
Kiwi

L1 Bithead

Hi @kiwi ,

thanks a lot for your answer. I'm not using an AD but local users I configured in the local user database in this setup, so I'm afraid that "Retrieve Framed-IP-Address attribute from authentication server" might not help fix my issue.

Meanwhile I found this method to be able to receive a static IP address with my client PC, which seems to work:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIMCA0

My Ethernet configuration still shows a subnet mask of 255.255.255.255 and I still cannot reach the target machine. From my understanding, a matching subnet mask on both communicating machines is obligatory so they are able to find each other via ARP broadcast.

[screenshot: Screenshot 2024-03-14 163711.png]

So how is it possible to configure a matching subnet mask of 255.255.255.0?

Thanks a lot.

Best,

Sascha

L1 Bithead

Any ideas here?

Any help would be highly appreciated.

Thanks a lot.

Kind Regards,

Sascha 

Cyber Elite

This is a remote-user VPN connection, so you will not get a /24 subnet mask: you're behind a VPN tunnel and this is your local IP (assigning a /24 would make that a locally connected network).

Furthermore, you shouldn't share the same subnet between a physical interface and the GP pool, as that will inevitably introduce routing issues (these are two different 'networks').

That said, if the proprietary blackbox needs to be reached from a system in its own subnet, I propose you set up NAT that masks GP users behind the dataplane interface IP of the interface connecting to the black box.

e.g.

  • GP IP pool 10.0.0.0/24
  • dataplane interface 192.168.255.130/24
  • NAT rule from 10.0.0.0/24 to 192.168.255.129, source NAT 192.168.255.130

That should fix your issue.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
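Below is an added example (not part of Tom's reply or of any Palo Alto Networks documentation) showing the source-NAT design above as PAN-OS CLI set commands. The addresses are the ones from the thread; the zone names (gp-users, blackbox), the interface ethernet1/3, the rule names and the sample client address 10.0.0.5 are assumptions and must be adapted to the actual configuration. The security rule is included because a NAT rule on its own never permits traffic.

```text
# Added example (hypothetical names): PAN-OS configure-mode commands for the
# source-NAT design proposed above.
#
# Assumed layout:
#   ethernet1/3  192.168.255.130/24, zone "blackbox"   (the black box is .129)
#   tunnel.1     GlobalProtect gateway tunnel, zone "gp-users", pool 10.0.0.0/24
#
# Because the GP pool (10.0.0.0/24) is a separate network, the /32 on the client's
# virtual adapter no longer matters: the client just routes 192.168.255.129 into the
# tunnel (keep 192.168.255.0/24, or at least 192.168.255.129/32, in the gateway's
# access routes / split-tunnel include list).
configure

# Hide every GP user behind the dataplane interface facing the black box.
# dynamic-ip-and-port with interface-address translates the source to
# 192.168.255.130 (plus port translation), so any number of GP clients present
# the single source address the black box accepts.
set rulebase nat rules GP-to-Blackbox from gp-users
set rulebase nat rules GP-to-Blackbox to blackbox
set rulebase nat rules GP-to-Blackbox to-interface ethernet1/3
set rulebase nat rules GP-to-Blackbox source 10.0.0.0/24
set rulebase nat rules GP-to-Blackbox destination 192.168.255.129
set rulebase nat rules GP-to-Blackbox service any
set rulebase nat rules GP-to-Blackbox source-translation dynamic-ip-and-port interface-address interface ethernet1/3

# Security policy is matched on the pre-NAT addresses and the post-NAT zone.
# Scope it to the one destination host; do not open the whole /24.
set rulebase security rules Allow-GP-to-Blackbox from gp-users
set rulebase security rules Allow-GP-to-Blackbox to blackbox
set rulebase security rules Allow-GP-to-Blackbox source 10.0.0.0/24
set rulebase security rules Allow-GP-to-Blackbox destination 192.168.255.129
set rulebase security rules Allow-GP-to-Blackbox application any
set rulebase security rules Allow-GP-to-Blackbox service application-default
set rulebase security rules Allow-GP-to-Blackbox action allow

commit
exit

# Operational check (operational mode): confirm a GP client's HTTPS flow to the
# black box matches the NAT rule before testing from a laptop. 10.0.0.5 is a
# hypothetical pool address.
test nat-policy-match from gp-users to blackbox source 10.0.0.5 destination 192.168.255.129 protocol 6 destination-port 443

# After a client connects, verify the translated source on the live session:
show session all filter destination 192.168.255.129
```

Two practical caveats: the session must be seen by the firewall, so the black box's subnet must live on the firewall interface (not on a switch the client could also reach directly), and since all GP users collapse to 192.168.255.130 the black box's own logs can no longer distinguish them; if per-user attribution matters, rely on the firewall's traffic log, which records the pre-NAT 10.0.0.x address and the GP username.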