Wednesday 19 August 2020

cisco firepower flex config gotcha

I was trying to apply some flex config but it wasn't appearing in the CLI.

After opening a case with TAC, he showed that we need to edit the objects in

Device -> Flexconfig

Now we can deploy the policy to make the changes.


He also mentioned we should use the AD authentication method.


Also, we found from the debug that the mapping of our group should be as follows:

CN=AD_GROUP_NAME,OU=VPN,OU=Groups,DC=CUSTOMER,DC=COM



cisco anyconnect debug commands

Which debug to run depends on which auth method you are using.


Set PuTTY to log the session.

Get the user's public IP address.

debug ldap 255

debug radius all

debug webvpn 255


Watch the log and connect with your AnyConnect user.
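Once the PuTTY log is captured, the line that matters for the group mapping above is the memberOf value the firewall receives for the user: it has to match the DN configured on the firewall, and a mismatch in the OU path is the usual reason a user lands in the wrong group policy. The following is an added example (not from the original post or from Cisco) that pulls the memberOf DNs out of a `debug ldap 255` capture and compares them against the configured DN; the sample log text is constructed and only approximates the real debug format.

```python
import re

# Constructed sample of what `debug ldap 255` prints while a user authenticates.
# The format approximates ASA/FTD debug output; it is not a real capture.
SAMPLE_DEBUG_LOG = """\
[47] Session Start
[47] New request Session, context 0x00007f3c, reqType = Authentication
[47] LDAP Search:
[47]         Base DN = [DC=CUSTOMER,DC=COM]
[47]         Filter  = [sAMAccountName=jdoe]
[47] User DN = [CN=John Doe,OU=Staff,DC=CUSTOMER,DC=COM]
[47] memberOf: value = CN=AD_GROUP_NAME,OU=VPN,OU=Groups,DC=CUSTOMER,DC=COM
[47] memberOf: value = CN=Domain Users,CN=Users,DC=CUSTOMER,DC=COM
[47] Session End
"""

MEMBER_OF_RE = re.compile(r"memberOf:\s*value\s*=\s*(.+?)\s*$", re.MULTILINE)
DN_SEP_RE = re.compile(r"(?<!\\),")  # split on commas that are not escaped


def normalize_dn(dn):
    """Canonicalize a DN for comparison: AD matches DNs case-insensitively and
    ignores whitespace around the commas that separate RDNs."""
    parts = [p.strip() for p in DN_SEP_RE.split(dn)]
    return ",".join(p.lower() for p in parts if p)


def extract_member_of(debug_log):
    """Return every memberOf DN the firewall received for the user."""
    return MEMBER_OF_RE.findall(debug_log)


def check_group_mapping(debug_log, configured_dn):
    """Compare the DN configured in the LDAP attribute map / group policy
    against the groups the debug actually shows for the user."""
    seen = extract_member_of(debug_log)
    wanted = normalize_dn(configured_dn)
    matched = [dn for dn in seen if normalize_dn(dn) == wanted]
    # Near miss: same CN but a different container path, the usual cause of a
    # user falling through to the default group policy.
    want_cn = wanted.split(",", 1)[0]
    near = [dn for dn in seen
            if normalize_dn(dn).split(",", 1)[0] == want_cn and dn not in matched]
    return {"matched": matched, "near_miss": near, "seen": seen}


if __name__ == "__main__":
    configured = "CN=AD_GROUP_NAME,OU=VPN,OU=Groups,DC=CUSTOMER,DC=COM"
    print(check_group_mapping(SAMPLE_DEBUG_LOG, configured))
```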

Monday 10 August 2020

source NAT on palo alto firewall

For the source translation use dynamic-ip-and-port even if you are NAT'ing to a single static IP. In the Palo Alto world, static is only used for 1-to-1 translation.

Switched it to dynamic and the issue was resolved.


src zone: inside

dst zone: MYMAP-30

src: N-10.40.0.0-16

dst: H-10.90.32.44-32

Src translation:

dynamic-ip-and-port

H-172.20.200.1-32


Friday 7 August 2020

troubleshoot S2S VPN on palo alto firewall

Do the usual checks: make sure the settings match on both ends.

Make sure you have an ACL to allow the traffic.

Is there any NAT that needs to happen?


Palo VPN commands

Check P1

show vpn ike-sa
show vpn ike-sa gateway EXIGENT-210

Check P2

show vpn ipsec-sa
show vpn ipsec-sa tunnel EXIGENT:ProxyID1


Check encaps/decaps
show vpn flow name EXIGENT:ProxyID1


If you need to take it further, you can run debugs:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClivCAC