03-12-2024 09:34 AM
I have a target system that I need to access via WebUI. The system is reachable via its IP address 192.168.255.129 with a /24 (255.255.255.0) subnet. Furthermore, the system expects a client IP address of 192.168.255.130; any other IP address will be rejected. The target system is a "proprietary blackbox", which means these settings cannot be changed.
Any locally connected client can reach the target system via the above mentioned IP settings.
My objective is to reach this system now via a GlobalProtect VPN connection, so I set the DHCP IP pool of the gateway configuration to the target system's network (192.168.255.0/24).
I wasn't able to reach the target system yet.
I'm facing different issues here:
Thanks a lot in advance for your help
03-13-2024 04:24 AM
Hi @SaArlt ,
With the option "Retrieve Framed-IP-Address attribute from authentication server" you can assign a fixed IP address to GP users with AD (LDAP) Authentication.
Check if the following article can help you:
Hope this helps,
Kim.
03-14-2024 08:38 AM
Hi @kiwi ,
thanks a lot for your answer. I'm not using an AD but local users I configured in the local user database in this setup, so I'm afraid that "Retrieve Framed-IP-Address attribute from authentication server" might not help fixing my issue.
Meanwhile, I found this method to be able to receive a static IP address with my client PC, which seems to work:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIMCA0
My Ethernet configuration still shows me I have a subnet mask of 255.255.255.255 configured and I still cannot reach the target machine. From my understanding, a matching subnet mask of both communicating machines is obligatory so they're able to find each other via ARP broadcasting.
So how's it possible to configure a matching subnet mask of 255.255.255.0?
Thanks a lot.
Best,
Sascha
03-18-2024 07:06 AM - edited 03-18-2024 07:07 AM
This is a remote user VPN connection; you will not get a /24 subnet mask, as you're behind a VPN tunnel and this is your local IP (assigning a /24 would make that a locally connected network).
Furthermore, you shouldn't share the same subnet on a physical interface and the GP pool, as that will inevitably introduce routing issues (these are 2 different 'networks').
That said, if the proprietary blackbox needs to be reached from a system in its own subnet, I propose you set up NAT that masks GP users behind the dataplane interface IP of the interface connecting to the black box,
e.g.
GP IP pool 10.0.0.0/24
dataplane interface 192.168.255.130/24
NAT rule from 10.0.0.0/24 to 192.168.255.129 source NAT 192.168.255.130
That should fix your issue.
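
The NAT setup proposed in the reply above, written out as PAN-OS CLI commands. This is an added example, not part of the original thread: the rule names, the zone names GP-VPN and BLACKBOX, the interface ethernet1/2, the WebUI ports and the sample client address are assumptions, and lines starting with # are annotations rather than commands.

```text
# Assumed: the GlobalProtect tunnel interface is in zone GP-VPN, and
# ethernet1/2 (192.168.255.130/24) faces the blackbox in zone BLACKBOX.
configure

# Source NAT: GP pool -> blackbox only, translated to the interface address
# that the blackbox accepts as its one permitted client.
set rulebase nat rules GP-to-blackbox from GP-VPN
set rulebase nat rules GP-to-blackbox to BLACKBOX
set rulebase nat rules GP-to-blackbox source 10.0.0.0/24
set rulebase nat rules GP-to-blackbox destination 192.168.255.129
set rulebase nat rules GP-to-blackbox service any
set rulebase nat rules GP-to-blackbox source-translation dynamic-ip-and-port interface-address interface ethernet1/2 ip 192.168.255.130/24

# The security policy matches the pre-NAT source address (10.0.0.0/24).
# Assumed: the WebUI listens on TCP 80/443; narrow to what it actually uses.
set rulebase security rules Allow-GP-to-blackbox from GP-VPN
set rulebase security rules Allow-GP-to-blackbox to BLACKBOX
set rulebase security rules Allow-GP-to-blackbox source 10.0.0.0/24
set rulebase security rules Allow-GP-to-blackbox destination 192.168.255.129
set rulebase security rules Allow-GP-to-blackbox application any
set rulebase security rules Allow-GP-to-blackbox service [ service-http service-https ]
set rulebase security rules Allow-GP-to-blackbox action allow
commit
exit

# Operational mode: check which NAT rule a GP client would hit (10.0.0.5 is
# a constructed sample address), then inspect sessions toward the blackbox.
test nat-policy-match from GP-VPN to BLACKBOX source 10.0.0.5 destination 192.168.255.129 protocol 6 destination-port 443
show session all filter destination 192.168.255.129
```

With this in place every GP user reaches the blackbox as 192.168.255.130, so the blackbox's client-IP check no longer distinguishes users and the firewall's security rule becomes the effective access control. Per-user attribution then comes from the firewall's traffic log, which records the pre-NAT source address.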