10-01-2025 08:50 AM
I am currently running a PA-1410 and utilizing Globalprotect VPN and within that network I have a /24 internal subnet. I have attempted to set up a DNAT to assign a public IP to an internal server within the Globalprotect environment but I am not able to communicate to the public IP as it times out. I have allowed all traffic on the firewall to troubleshoot but was unsuccessful. I need to have the ability for other users to access only that server using the public IP. What would be the best method to accomplish this?
10-09-2025 09:29 PM
Hi @aarreola ,
Can you clarify what you mean by an "internal server within the Globalprotect environment"?
Are you trying to:
- Make a resource reachable by GlobalProtect clients?
- Publish an internal resource to the public internet via a public IP to be accessed by non-VPN users?
You’ll typically want a DNAT rule translating the public IP → internal server IP as well as create a corresponding security policy that allows inbound traffic from your untrust zone to the zone where the internal server actually is hosted in. **Also make sure that the internal server has a SNAT and security policy to reach the internet as well.
If the server is meant only for GP users, you don’t need a public IP at all. you’d simply publish it internally and ensure your GP client routes include that subnet.
Could you confirm which scenario applies?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
