How To Access External GP Portal/Gateway From a Guest Network Behind The Same Firewall
Objective
By default the connection to the external GlobalProtect Portal or Gateway for internal clients behind the same firewall can fail.
This example uses a Guest Network zone for wireless users who are permitted outbound Internet access only. The administrator wants authorized Guest users to reach internal resources, but does not want to permit any traffic directly from the Guest zone to the Internal zone.
One solution is to let authorized users in the Guest zone connect with their GlobalProtect clients to the external (public) GlobalProtect Portal and Gateway, so that access to internal resources is granted only through the authenticated tunnel and the security policy applied to it.
By default this connection fails. The client's request to the Portal/Gateway leaves through the Untrust interface and matches the dynamic source NAT rule used for outbound Internet access, which translates the source to the IP of the L3 Untrust interface. Because the Portal/Gateway is terminated on that same IP, the NATed packet ends up with a source address identical to its destination address, and the firewall drops it as a LAND attack/spoofed packet. The global counters (for example flow_policy_nat_land) or a flow-basic debug log will show the drop.
Environment
GlobalProtect Portal and Gateway
Supported PAN-OS versions
Procedure
Option 1
Create a separate NAT rule and move it to the top of the NAT policy list. It should match the source host/subnet of the guest users and the destination IP of the Portal/Gateway, and apply a dynamic-ip-and-port source translation to a unique IP that is different from the Portal/Gateway IP. The rule is otherwise the same as the dynamic NAT rule used for outbound web access; the only differences are the explicit destination (the Portal/GW address), the narrower source, and the translated address. Because the translated source no longer equals the destination, the LAND check no longer triggers.
The following excerpt shows a successful connection from the Trust network to the Untrust interface (public IP of the Portal/GW) being NATed to the unique IP (last octet .222 in this example):
> show session all filter destination 10.30.6.82
--------------------------------------------------------------------------------
ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port]) Vsys Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
55372 web-browsing ACTIVE FLOW *NB 192.168.82.142[1395]/Trust/6 (10.30.6.222[21737]) vsys1 10.30.6.82[443]/Untrust (10.30.6.82[20077])
55466 ping ACTIVE FLOW NS 192.168.82.142[512]/Trust/1 (10.30.6.222[512]) vsys1 10.30.6.82[39424]/Untrust (10.30.6.82[39424])
55423 web-browsing ACTIVE FLOW *NB 192.168.82.142[1435]/Trust/6 (10.30.6.222[10228]) vsys1 10.30.6.82[443]/Untrust (10.30.6.82[20077])
55489 ping ACTIVE FLOW NS 192.168.82.142[512]/Trust/1 (10.30.6.222[512]) vsys1 10.30.6.82[39168]/Untrust (10.30.6.82[39168])
> show session id 55372
Session 55372
c2s flow:
source: 192.168.82.142 [Trust]
dst: 10.30.6.82
proto: 6
sport: 1395 dport: 443
state: INIT type: FLOW
src user: unknown
dst user: unknown
s2c flow:
source: 10.30.6.82 [Untrust]
dst: 10.30.6.222
proto: 6
sport: 20077 dport: 21737
state: INIT type: FLOW
src user: unknown
dst user: unknown
start time : Thu Jul 5 10:16:53 2012
timeout : 60 sec
total byte count(c2s) : 3308
total byte count(s2c) : 10292
layer7 packet count(c2s) : 17
layer7 packet count(s2c) : 21
vsys : vsys1
application : web-browsing
rule : GlobalProtect-Guest
session to be logged at end : True
session in session ager : False
session synced from HA peer : False
address/port translation : source + destination
nat-rule : GW-TEST(vsys1)
layer7 processing : completed
URL filtering enabled : True
URL category : private-ip-addresses
session via syn-cookies : False
session terminated on host : True
session traverses tunnel : False
captive portal session : False
ingress interface : ethernet1/6
egress interface : ethernet1/3
session QoS rule : N/A (class 4)
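Option 1 expressed as PAN-OS CLI configuration. This is an added example, not configuration from the original article. It assumes a zone named Guest, a guest subnet of 192.168.82.0/24, the Portal/Gateway on ethernet1/3 at 10.30.6.82, and 10.30.6.222 as an unused address in that subnet; the rule names GW-TEST and GlobalProtect-Guest are taken from the session output above, and the application list in the security rule is an assumption to be trimmed to what the deployment actually uses.

```text
# Added example (not from the original article). Assumed names: zone "Guest",
# subnet 192.168.82.0/24, Portal/GW 10.30.6.82 on ethernet1/3, spare address
# 10.30.6.222 in the Untrust subnet.
configure

# Dedicated source NAT for guest -> Portal/Gateway only. The explicit
# destination keeps the rule from catching ordinary outbound traffic.
set rulebase nat rules GW-TEST from Guest to Untrust source 192.168.82.0/24 destination 10.30.6.82 service any to-interface ethernet1/3
set rulebase nat rules GW-TEST source-translation dynamic-ip-and-port translated-address 10.30.6.222

# NAT policy is first-match, top-down: this rule must sit above the generic
# outbound dynamic NAT rule or it is never evaluated.
move rulebase nat rules GW-TEST top

# Security policy scoped to the Portal/GW address and the GlobalProtect
# applications only; nothing from Guest to the internal zone is opened.
set rulebase security rules GlobalProtect-Guest from Guest to Untrust source 192.168.82.0/24 destination 10.30.6.82 application [ panos-global-protect ssl web-browsing ipsec-esp-udp ] service application-default action allow

commit
exit

# Verification: translated source (10.30.6.222) must differ from the
# destination (10.30.6.82), and the LAND counter must not increment while a
# guest client connects.
show running nat-policy
show session all filter destination 10.30.6.82
show counter global filter delta yes | match flow_policy_nat_land
```

The translated address must lie inside the Untrust interface's subnet (the firewall then answers ARP for it) or be routed to the firewall by the upstream router; otherwise the Portal/Gateway's replies to 10.30.6.222 never reach the session.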
Option 2
This option passes traffic destined for the Untrust interface IP as plain L3 traffic, with no translation. Create a new NAT rule (and move it to the top of the NAT policy list) that matches the source IP/subnet of the zone requiring external GP access and the destination IP of the Portal/Gateway, and leave both Source Translation and Destination Translation set to 'none'. NAT policy is evaluated top-down with first match, so this rule shadows the outbound dynamic NAT rule for this traffic only. After the commit, users reach the Portal/Gateway directly with their original source address, bypassing the LAND problem caused by NATing the egress traffic.
The sample session output below still shows the ND flag: the destination port is translated from 443 to 20077, the port on which the firewall's GlobalProtect service listens internally, and that redirect happens regardless of the NAT rule. The NAT rule matched is the 'NO-NAT' rule, the source address is untranslated, and access to the public address of the portal succeeds:
> show session all filter source 192.168.82.142 destination 10.30.6.82
--------------------------------------------------------------------------------
ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port]) Vsys Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
10196 ipsec-esp-udp ACTIVE FLOW 192.168.82.142[4821]/Trust/17 (192.168.82.142[4821]) vsys1 10.30.6.82[4501]/Untrust (10.30.6.82[4501])
10813 web-browsing ACTIVE FLOW *ND 192.168.82.142[1706]/Trust/6 (192.168.82.142[1706]) vsys1 10.30.6.82[443]/Untrust (10.30.6.82[20077])
> show session id 10813
Session 10813
c2s flow:
source: 192.168.82.142 [Trust]
dst: 10.30.6.82
proto: 6
sport: 1706 dport: 443
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown
s2c flow:
source: 10.30.6.82 [Untrust]
dst: 192.168.82.142
proto: 6
sport: 20077 dport: 1706
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown
start time : Thu Jul 5 15:24:51 2012
timeout : 60 sec
time to live : 52 sec
total byte count(c2s) : 1131
total byte count(s2c) : 816
layer7 packet count(c2s) : 7
layer7 packet count(s2c) : 4
vsys : vsys1
application : web-browsing
rule : rule1
session to be logged at end : True
session in session ager : True
session synced from HA peer : False
address/port translation : source + destination
nat-rule : NO-NAT(vsys1)
layer7 processing : completed
URL filtering enabled : True
URL category : private-ip-addresses
session via syn-cookies : False
session terminated on host : True
session traverses tunnel : False
captive portal session : False
ingress interface : ethernet1/6
egress interface : ethernet1/3
session QoS rule : N/A (class 4)
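Option 2 expressed as PAN-OS CLI configuration. This is an added example, not configuration from the original article, and uses the same assumed names as above (zone Guest, subnet 192.168.82.0/24, Portal/GW 10.30.6.82 on ethernet1/3); the rule name NO-NAT comes from the session output above, and the security rule's application list is an assumption.

```text
# Added example (not from the original article). Assumed names: zone "Guest",
# subnet 192.168.82.0/24, Portal/GW 10.30.6.82 on ethernet1/3.
configure

# A NAT rule with neither source-translation nor destination-translation is a
# deliberate "no NAT" match. Placed first, it ends NAT evaluation for this
# traffic before the outbound dynamic NAT rule, so the guest's real address is
# kept toward the Portal/GW and source never equals destination.
set rulebase nat rules NO-NAT from Guest to Untrust source 192.168.82.0/24 destination 10.30.6.82 service any to-interface ethernet1/3
move rulebase nat rules NO-NAT top

# Same scoped security policy as in Option 1.
set rulebase security rules GlobalProtect-Guest from Guest to Untrust source 192.168.82.0/24 destination 10.30.6.82 application [ panos-global-protect ssl web-browsing ipsec-esp-udp ] service application-default action allow

commit
exit

# Verification: NO-NAT must appear above the outbound NAT rule, and in the
# session table the translated source must equal the original source while the
# nat-rule field of the session shows NO-NAT.
show running nat-policy
show session all filter destination 10.30.6.82
show counter global filter delta yes | match flow_policy_nat_land
```

Keep the destination of the NO-NAT rule limited to the Portal/Gateway address: a broader no-NAT rule would send RFC 1918 guest sources toward the Internet untranslated. Keep the GlobalProtect tunnel zone separate from the Guest zone as well, so that traffic arriving through the tunnel is governed by its own security rules rather than the Guest rules.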