https://live.paloaltonetworks.com/t5/globalprotect-discussions/a-global-protect-connected-client-machine-access-a-resource/m-p/549577#M4213 <P>Hello Everyone,<BR /><BR />I have a Palo Alto 820 Firewall locally and it has been licensed and configured with global protect for the remote mobility of our users. And It also has a Site-to-Site IPsec connectivity to a remote location of a different organization and the remote end of that organization has a Cisco router to configure the IPsec. There are existing successful connections of resources/end-point through the IPsec between the two sites and it is currently operational.&nbsp;<BR />So now this new requirement come up where the global protect client users in remote locations be able to access resources behind the remote site with the Cisco router through the IPsec tunnel. We have completed the required configuration and it was supposed to be working as we did a similar set up as the existing operational connection via the IPsec. Is there any extra configuration I need to add? Does it even work that way? #IPsec #Site-to-site #Cisco-to-PaloAlto <LI-PRODUCT title="GlobalProtect" id="GlobalProtect"></LI-PRODUCT>&nbsp;</P> Mon, 17 Jul 2023 12:37:57 GMT SisayFekadu 2023-07-17T12:37:57Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/a-global-protect-connected-client-machine-access-a-resource/m-p/549577#M4213 <P>Hello Everyone,<BR /><BR />I have a Palo Alto 820 Firewall locally and it has been licensed and configured with global protect for the remote mobility of our users. And It also has a Site-to-Site IPsec connectivity to a remote location of a different organization and the remote end of that organization has a Cisco router to configure the IPsec. There are existing successful connections of resources/end-point through the IPsec between the two sites and it is currently operational.&nbsp;<BR />So now this new requirement come up where the global protect client users in remote locations be able to access resources behind the remote site with the Cisco router through the IPsec tunnel. We have completed the required configuration and it was supposed to be working as we did a similar set up as the existing operational connection via the IPsec. Is there any extra configuration I need to add? Does it even work that way? #IPsec #Site-to-site #Cisco-to-PaloAlto <LI-PRODUCT title="GlobalProtect" id="GlobalProtect"></LI-PRODUCT>&nbsp;</P> Mon, 17 Jul 2023 12:37:57 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/a-global-protect-connected-client-machine-access-a-resource/m-p/549577#M4213 SisayFekadu 2023-07-17T12:37:57Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/a-global-protect-connected-client-machine-access-a-resource/m-p/550289#M4228 <P>Hi SisayFekadu,</P> <P>&nbsp;</P> <P>As i understand correctly you want. your mobile users connected via global protect to access resources over the IPSec tunnel you have with remote site. &nbsp;First thing to check of course is the routing. &nbsp;</P> <P>1. Is your global protect client configured for split tunneling or is everything send over the tunnel (default route over tunnel). &nbsp;If split tunneling is used you will need to add routes to reach the remote destination.</P> <P>2. If you have the above sorted out , your site to site VPN tunnel is this a route base or policy based VPN if it is policy base you might need to also adjust proxy ID's on both sides. &nbsp; Also check your routing on the remote site that it knows the mobile users subnet is to be routed over the tunnel.</P> <P>3. Of course you will also need firewall policies to allow the traffic to flow.</P> <P>So in short I see no reason why this requirement would not work it just needs the correct configuration steps.</P> <P>Tackle it one by one.</P> <P>&nbsp;</P> Thu, 20 Jul 2023 22:58:21 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/a-global-protect-connected-client-machine-access-a-resource/m-p/550289#M4228 GOMEZZZ 2023-07-20T22:58:21Z