How to Configure Global Protect Gateway on Loopback Interface with iPhone Access

How to Configure Global Protect Gateway on Loopback Interface with iPhone Access

119455
Created On 09/25/18 17:50 PM - Last Modified 05/05/20 23:33 PM


Symptom


In addition to using a non-https Global Protect Portal, you can access an associated Gateway on a configured loopback interface. If you only have one public-facing IP address, and you wish to host SSL-based applications, such as OWA on that IP, the following information provides the configuration steps for doing so.

 

Please follow Knowledge Base article How to Configure GlobalProtect Portal Page to be Accessed on any Port with one caveat. You'll need to create a second loopback interface in addition to the first loopback interface used for the Portal.



Environment


  • Pan-OS
  • GlobalProtect


Resolution


Create additional loopback interface

Make sure the untrust interface can ping the loopback.

> ping source 99.7.172.157 host 10.1.1.

    PING 10.1.1.2 (10.1.1.2) from 99.7.172.157 : 56(84) bytes of data.

    64 bytes from 10.1.1.2: icmp_seq=1 ttl=64 time=0.126 ms

    64 bytes from 10.1.1.2: icmp_seq=2 ttl=64 time=0.068 ms

 

    User-added image

Assign loopback interface as the Portal address

User-added image

Assign loopback.2 interface as the Gateway address

User-added image

 

Create the following services and add them to a service group.

These services will be natted to our Gateway loopback interface. In this example, services were created destined for ports 500 (ike/ciscovpn), 4501 (ipsec-esp-udp).

The two custom services are added in addition to the predefined service-https to the gateway service group profile.

 

Create the services

  services.png

Add the services to a service group object

gateway.png

Create the security policies as needed.

As noted in the prior KB article,  a rule is needed for the Portal page to redirect that traffic on a non-ssl standard port to our first loopback interface.

Here GP portal is accessed on port 7000 instead of port 443. Below this rule, another rule is created to the gateway allowing ike, ipsec, panos-global-protect, ssl and web-browsing respectively.

 

secpolicy.png

 

Create the NAT policy which will forward traffic to the second loopback (loopback.2) interface.

In this example, the gateway service group is utilized and used to forward traffic to 10.1.1.2, the loopback.2 interface previously configured.

 

natpolicy.png

 

Configure iPhone/iPad on the Gateway.

Enable 'X-Auth Support' on the gateway and create a Group Name and the Group Password respectively. This will be utilized when configuring the VPN profile on the mobile devices.

 

User-added image

 

Create the VPN Profile on the iPhone/iPad using the shared secret configured in the previous step. The password in the profile will need to match with the authentication method chosen (ie ldap, kerberos,localdb, etc).

iphone.PNG

 



Additional Information


Confirm access via your Global Protect client as well as your mobile device.

 

> show global-protect-gateway current-user

 

        GlobalProtect Name : gp-gateway (2 users)

        Domain User Name      Computer        Client          Private IP      Public IP      ESP    SSL    Login Time      Logout/Expiration TTL     Inactivity TTL

        ------ ---------      ---------      ----------      ---------      ---    ---    ----------      ----------------- ---      ----------- ---

              \renato          PAN01347        Windows 7 (Version 6.1 Build 7601 Service Pack 1)10.10.10.2      64.124.57.5    exist  none    Oct.02 06:04:01 Nov.01 06:04:01  2589926  9641

              \renato          64.124.57.5    iPhone OS:6.0  10.10.10.1      64.124.57.5    exist  none    Oct.02 06:38:33 Oct.02 07:39:33  3657     10798

 

 

owner: rkalugdan



Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClKPCA0&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language