How to Configure Global Protect Gateway on Loopback Interface with iPhone Access
In addition to using a non-https Global Protect Portal, you can access an associated Gateway on a configured loopback interface. If you only have one public-facing IP address, and you wish to host SSL-based applications, such as OWA on that IP, the following information provides the configuration steps for doing so.
Please follow Knowledge Base article How to Configure GlobalProtect Portal Page to be Accessed on any Port with one caveat. You'll need to create a second loopback interface in addition to the first loopback interface used for the Portal.
Create additional loopback interface
Make sure the untrust interface can ping the loopback.
> ping source 22.214.171.124 host 10.1.1.
PING 10.1.1.2 (10.1.1.2) from 126.96.36.199 : 56(84) bytes of data.
64 bytes from 10.1.1.2: icmp_seq=1 ttl=64 time=0.126 ms
64 bytes from 10.1.1.2: icmp_seq=2 ttl=64 time=0.068 ms
Assign loopback interface as the Portal address
Assign loopback.1 interface as the Gateway address
Create the following services and add them to a service group.
These services will be natted to our Gateway loopback interface. In this example, services were created destined for ports 500 (ike/ciscovpn), 4501 (ipsec-esp-udp).
The two custom services are added in addtion to the predefined service-https to the gateway service group profile.
Create the services
Add the services to a service group object
Create the security policies as needed.
As noted in the prior KB article, a rule is needed for the Portal page to redirect that traffic on a non-ssl standard port to our first loopback interface.
Here GP portal is accessed on port 7000 instead of port 443. Below this rule, another rule is created to the gateway allowing ike, ipsec, panos-global-protect, ssl and web-browsing respectively.
Create the NAT policy which will forward traffic to the second loopback (loopback.1) interface.
In this example, the gateway service group is utilized and used to forward traffic to 10.1.1.2, the loopback.1 interface previously configured.
Configure iPhone/iPad on the Gateway.
Enable 'X-Auth Support' on the gateway and create a Group Name and the Group Password respectively. This will be utilized when configuring the VPN profile on the mobile devices.
Create the VPN Profile on the iPhone/iPad using the shared secret configured in the previous step. The password in the profile will need to match with the authentication method chosen (ie ldap, kerberos,localdb, etc).
Confirm access via your Global Protect client as well as your mobile device.
> show global-protect-gateway current-user
GlobalProtect Name : gp-gateway (2 users)
Domain User Name Computer Client Private IP Public IP ESP SSL Login Time Logout/Expiration TTL Inactivity TTL
------ --------- --------- ---------- --------- --- --- ---------- ----------------- --- ----------- ---
\renato PAN01347 Windows 7 (Version 6.1 Build 7601 Service Pack 1)10.10.10.2 188.8.131.52 exist none Oct.02 06:04:01 Nov.01 06:04:01 2589926 9641
\renato 184.108.40.206 iPhone OS:6.0 10.10.10.1 220.127.116.11 exist none Oct.02 06:38:33 Oct.02 07:39:33 3657 10798