Configure Secure Inbound Access for Remote Network Sites
Focus
Focus

Configure Secure Inbound Access for Remote Network Sites

Table of Contents

Configure Secure Inbound Access for Remote Network Sites

Describes the procedure you use to configure secure inbound access for a Prisma Access remote network connection.
If you have a Prisma Access deployment that allocates remote network bandwidth by compute location, configure inbound access by completing the following steps.
  1. Select
    Panorama
    Cloud Services
    Configuration
    Remote Networks
    , and select
    Inbound Access Remote Networks
    .
  2. Add
    a remote network to for inbound access.
  3. Specify settings for the inbound access remote network connection.
    1. Enter a
      Name
      for the inbound access connection.
    2. Enter a
      Location
      .
      Inbound access supports a subset of locations.
    3. Specify a
      Bandwidth
      to use for the inbound access connection.
      You allocate bandwidth for inbound access connections on a per-location basis.
    4. Specify the
      Number of Public IPs
      to use for the inbound access connection.
      Specify either 5 or 10 public IP addresses. Each public IP allocation takes bandwidth (units) from your Remote Networks license, in addition to the bandwidth that you have allocated for the compute location associated to the remote network.
    5. Select the IPSec tunnel to use with the inbound access connection.
    6. Select whether or not you want to
      Allow inbound flows to other Remote Networks over the Prisma Access Backbone
      .
      If you have a resource that is in a remote network site that has inbound access enabled and you want users at non-inbound access sites to have access to that resource, you can
      Allow Inbound Flows To Other Remote Networks over the Prisma Access Backbone
      when you configure the non-inbound access remote network. If you allow inbound flows from other remote networks, you must enable source NAT.
    7. (
      Optional
      ) If you have a secondary WAN link at this location, select
      Enable Secondary WAN
      and provide an
      IPSec Tunnel
      that is different than the primary IPSec tunnel.
  4. Configure
    Static Routes
    ,
    BGP
    , and
    QoS
    for your deployment.
    This configuration is the same as a non-inbound access remote network connection.
  5. Click the
    Inbound Access
    tab to configure inbound access options.
    1. (
      Optional
      ) To disable source NAT, deselect
      Enable Source NAT
      .
      By default, source NAT is enabled. If the IPSec-capable device at your remote network site is capable of performing symmetric return (such as a Palo Alto Networks next-generation firewall), or if you have not selected
      Allow inbound flows to other Remote Networks over the Prisma Access backbone
      , deselect
      Enable source NAT
      .
      You must
      Enable source NAT
      in the
      Inbound Access
      tab if you select this check box. Source NAT is a requirement to allow inbound flows to other remote networks.
    2. Add
      the applications to provide secure inbound access.
      You can configure up to 100 inbound applications for each group of provisioned public IP addresses (either 5 or 10). Enter a unique
      Private IP
      address,
      Protocol
      , and
      Port
      combination for each application. It is acceptable to use duplicate private IP addresses and ports for two applications, as long as you select
      TCP
      for one application and
      UDP
      for another application.
      Provide the following values:
      • Specify the name of the
        Application
        .
      • Specify the
        Private IP
        address to use with this application.
      • Specify the
        Protocol
        to use with the application (
        TCP
        or
        UDP
        ).
      • Specify the
        Port
        to use with the application.
      • Choose whether you want to dedicate a single public IP address to a single application; to do so, select
        Dedicated IP
        .
  6. Click
    OK
    to save your changes.
  7. Save
    and
    Commit
    your changes.
  8. Wait approximately 30 minutes for Prisma Access to generate the public IP addresses; then select
    Panorama
    Cloud Services
    Status
    Network Details
    Remote Networks
    and make a note of the
    Public Address
    that is associated with the
    App Name
    for application you created.
    If you selected
    Dedicated IP
    , find the single application that is associated with the
    Public Address
    .
  9. Create security policies to allow traffic from the inbound internet users.
    Because Prisma Access’ default security policy only allows untrust-to-untrust traffic, you need to configure security polices to allow untrust-to-trust traffic for your inbound access applications. Palo Alto Networks recommends that you limit the type of access you permit to inbound applications. The following examples provide access to SSH servers, web portals, and RDP servers.
    1. Select
      Policies
      Security
      and
      Add
      a policy.
      Be sure to create this policy under the
      Remote_Network_Device_Group
      device group.
    2. Select the
      Source
      traffic as
      Untrust
      .
    3. Create a policy to allow SSH server traffic by selecting the
      Destination Zone
      for destination traffic as
      Trust
      and specifying a
      Destination Address
      of
      SSH-server-public
      . This is an Address or Address Group object you created that has a list of all the public IP addresses that are used for SSH login.
    4. Select an
      Application
      of
      ssh
      .
    5. Select a
      Service/URL Category
      of
      application-default
      to allow or deny applications based only their default ports as defined by Palo Alto Networks.
    6. In
      Actions
      , select
      Allow
      .
    7. Click
      OK
      to save the policy.
    8. Create a policy to allow web portal access by creating a policy in the previous steps but substituting the following settings in the
      Destination
      and
      Application
      tabs:
      • Select a
        Destination Address
        of an Address or Address Group of
        Web-Portal-Public
        , which contains all the public IP addresses of the web portal.
      • Select an
        Application
        of
        web-browsing
        .
    9. Create a security policy for RDP server access, using the same settings as you did for the other policies but creating an Address or Address Group object called
      RDP-Server-Public
      , which contains the public IP addresses for the RDP server, as the
      Destination Address
      and
      webrdp
      as the
      Application
      .
      When complete, you have three different policies to allow SSH server access, web portal access, and RDP server access.
  10. Save
    and
    Commit
    your changes.
  11. Check that the remote network connection is operational and correctly processing inbound traffic.
    1. Select
      Panorama
      Cloud Services
      Status
      Status
      Remote Networks
      and hover over the
      Status
      and
      Config Status
      areas to see the tunnel’s status.
    2. If you find issues, select
      Panorama
      Cloud Services
      Status
      Monitor
      Remote Networks
      , select the location of the remote network tunnel in the map, and hover over the
      Tunnel Status
      area to determine the cause of the error.

Recommended For You