Configuration Changes Required on GlobalProtect with an Upstream NAT Device
22540
Created On 09/25/18 17:50 PM - Last Modified 05/09/23 21:20 PM
Symptom
This document describes how to make the required configuration changes for GlobalProtect when a Palo Alto Networks device with a private IP address on the untrust interface is being NATed by an upstream device with a public IP address.
Environment
- Palo Alto Firewalls.
- PAN-OS 7.1 and above.
- GlobalProtect.
- NAT configured on Upstream device.
Resolution
Example scenario:
PAN Eth1/3 192.168.1.1 (Private IP) with a Static NAT on the upstream device to 1.1.1.1 (Public IP)
Steps
The following steps apply the IP addresses from the example scenario described above.
- Generate the Portal and Gateway server certificates with the Common Name set to the public address: either an FQDN that resolves to 1.1.1.1, or the IP address 1.1.1.1 itself. The client validates the certificate against the address it connects to, which is the public one, so a certificate issued for the private interface address 192.168.1.1 fails validation. Put the same FQDN or IP address in the Subject Alternative Name as well; current clients match against the SAN rather than the CN.
- To set up the GlobalProtect Portal, go to GUI: Network > GlobalProtect > Portal > Portal Configuration, select the untrust interface Eth1/3, and use the private IP address assigned to that interface (192.168.1.1).
- Select the Server Certificate whose Common Name is the public IP address (or the FQDN that resolves to it).
- Configure the Client Configuration Gateway IP address as the public IP address:
- GUI: Network > GlobalProtect > Portal > Client Configuration > Add > Gateway > External Gateways > Add
The portal sends the client the gateway address it will connect to, so this must be the NAT public IP address, in this example 1.1.1.1. The upstream device must also deliver the client's inbound connections to 1.1.1.1 on to 192.168.1.1; a static NAT, as in the scenario, does this for all ports, whereas a port-forwarding setup has to forward at least TCP 443 (SSL) and UDP 4501 (IPsec).
- To configure the GlobalProtect Gateway, go to GUI: Network > GlobalProtect > Gateway > Add, select the untrust interface Eth1/3, and use the private IP address assigned to that interface.
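The certificate step is where NAT deployments usually break: the client compares the identity in the portal or gateway certificate with the address it was told to connect to, which is the public one. The following shell script is an added illustration, not part of the KB article or of any Palo Alto Networks tooling. It uses openssl to issue a self-signed test certificate for the public address (1.1.1.1 from the scenario plus an assumed FQDN vpn.example.com, which is not from the article) and a second one for the private interface address 192.168.1.1, then shows that only the first passes the identity check a client performs when it connects to 1.1.1.1. It assumes OpenSSL 1.1.1 or later is installed.

```shell
#!/bin/sh
# Added example, not part of the KB article. Shows why the portal/gateway
# certificate must carry the PUBLIC address (or an FQDN resolving to it):
# the client verifies the certificate against the address it connects to.
# Requires OpenSSL 1.1.1+ (for `req -addext`).
set -eu

PUBLIC_IP="1.1.1.1"        # static NAT address on the upstream device (from the scenario)
PRIVATE_IP="192.168.1.1"   # address on the firewall's Eth1/3 (from the scenario)
FQDN="vpn.example.com"     # assumed name that resolves to 1.1.1.1 (not from the article)

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME CN SAN_LIST: write a self-signed test cert to $WORK/NAME.crt
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
        -subj "/CN=$2" -addext "subjectAltName=$3" >/dev/null 2>&1
}

# cert_matches_address CERT ADDRESS: exit 0 when a TLS client that connected
# to ADDRESS would accept CERT's identity, non-zero otherwise. A literal IP is
# matched against IP SANs, anything else against DNS SANs (falling back to
# the CN only when no DNS SAN is present), which mirrors client behaviour.
cert_matches_address() {
    cert="$1"; addr="$2"
    case "$addr" in
        *[!0-9.]*) flag="-verify_hostname" ;;
        *)         flag="-verify_ip" ;;
    esac
    # The cert is self-signed, so it serves as its own trust anchor here;
    # only the identity check is of interest in this example.
    openssl verify -CAfile "$cert" "$flag" "$addr" "$cert" >/dev/null 2>&1
}

# Correct: identity is the public address / FQDN that clients are given.
make_cert public "$FQDN" "DNS:$FQDN,IP:$PUBLIC_IP"
# Wrong: identity is the private interface address behind the NAT.
make_cert private "$PRIVATE_IP" "IP:$PRIVATE_IP"

# run_checks: 0 if the public cert passes for both the IP and the FQDN, the
# private cert is rejected for the address clients actually use, and the
# private cert is (uselessly) valid only for the address nobody reaches.
run_checks() {
    cert_matches_address "$WORK/public.crt" "$PUBLIC_IP"   || return 1
    cert_matches_address "$WORK/public.crt" "$FQDN"        || return 1
    cert_matches_address "$WORK/private.crt" "$PUBLIC_IP"  && return 1
    cert_matches_address "$WORK/private.crt" "$PRIVATE_IP" || return 1
    return 0
}

if run_checks; then
    echo "cert issued for $PUBLIC_IP/$FQDN is accepted; cert issued for $PRIVATE_IP is rejected at $PUBLIC_IP"
else
    echo "unexpected verification result" >&2
    exit 1
fi
```

In production use a certificate from a CA the clients trust instead of a self-signed one; the identity matching is the same. The equivalent check against a live portal is `openssl s_client -connect 1.1.1.1:443 -servername vpn.example.com` followed by inspecting the subject and SAN of the certificate it returns.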