https://live.paloaltonetworks.com/t5/general-topics/remote-site-internet/m-p/35825#M26335 <HTML><HEAD></HEAD><BODY><P>Is it possible for you to setup a simple drawing for how everything is connected?</P><P></P><P>As debug (if possible) you could in the PA setup a rule at top which says:</P><P></P><P>From zone: Any</P><P>From address: Any</P><P>From user: Any</P><P>To zone: Any</P><P>To address: Any</P><P>Application: Any</P><P>Service: Any</P><P>Action: Allow</P><P>Options: Log on session start + Log on session end</P><P></P><P>The above would allow anything back and forth through your PA. The idea is if the above doesnt work then you have a malfunction regarding routing OR nating in your PA-box - or something bad going on at your remotesite.</P><P></P><P>So I would verifiy that the routing is correct at the PA-box (so the PA-box knows which interface to use to reach your remote site) but also verify so NAT-rules (if any) are correctly setup.</P></BODY></HTML> Mon, 28 Jan 2013 19:03:56 GMT mikand 2013-01-28T19:03:56Z https://live.paloaltonetworks.com/t5/general-topics/remote-site-internet/m-p/35824#M26334 <HTML><HEAD></HEAD><BODY><P>Hello- Just recently migrated from an old Checkpoint to a PA-500. PA is setup in a Layer 3 configuration. So far so good with the exception of one thing. My remote location isn't able to get internet access. This remote location gets internet from my head end location as they do not have their own internet circuit. Everything for internal access works perfectly. This was working with the previous Checkpoint so it isn't a routing issue at the remote location. If I do a tracert from that remote location the trace stops at the trusted interface of the PA.</P><P></P><P>I have an outbound rule in place from Trust to Untrust and any application, but this is obviously not covering it for this remote location. </P><P></P><P>Any advice? I feel like I'm missing something really, really simple here.</P><P></P><P>Thanks in advance!</P></BODY></HTML> Mon, 28 Jan 2013 18:56:51 GMT https://live.paloaltonetworks.com/t5/general-topics/remote-site-internet/m-p/35824#M26334 CCANCIENNE 2013-01-28T18:56:51Z https://live.paloaltonetworks.com/t5/general-topics/remote-site-internet/m-p/35825#M26335 <HTML><HEAD></HEAD><BODY><P>Is it possible for you to setup a simple drawing for how everything is connected?</P><P></P><P>As debug (if possible) you could in the PA setup a rule at top which says:</P><P></P><P>From zone: Any</P><P>From address: Any</P><P>From user: Any</P><P>To zone: Any</P><P>To address: Any</P><P>Application: Any</P><P>Service: Any</P><P>Action: Allow</P><P>Options: Log on session start + Log on session end</P><P></P><P>The above would allow anything back and forth through your PA. The idea is if the above doesnt work then you have a malfunction regarding routing OR nating in your PA-box - or something bad going on at your remotesite.</P><P></P><P>So I would verifiy that the routing is correct at the PA-box (so the PA-box knows which interface to use to reach your remote site) but also verify so NAT-rules (if any) are correctly setup.</P></BODY></HTML> Mon, 28 Jan 2013 19:03:56 GMT https://live.paloaltonetworks.com/t5/general-topics/remote-site-internet/m-p/35825#M26335 mikand 2013-01-28T19:03:56Z https://live.paloaltonetworks.com/t5/general-topics/remote-site-internet/m-p/35826#M26336 <HTML><HEAD></HEAD><BODY><P>Drawing attached... Wondering if this a NAT issue since you mentioned it. Outside of the Top Level NAT rule I created when doing the layer 3 configuration I have no NAT rules in place specifically for the remote site.</P><P></P><P><IMG alt="WAN.JPG" class="jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/5372_WAN.JPG" /></P></BODY></HTML> Mon, 28 Jan 2013 19:57:56 GMT https://live.paloaltonetworks.com/t5/general-topics/remote-site-internet/m-p/35826#M26336 CCANCIENNE 2013-01-28T19:57:56Z https://live.paloaltonetworks.com/t5/general-topics/remote-site-internet/m-p/35827#M26337 <HTML><HEAD></HEAD><BODY><P>Issue resolved. I ended up opening a ticket with PA.</P><P>-Added a static route to the default virtual route for the specific location's network.</P><P>Thanks mikand for the initial help.</P></BODY></HTML> Tue, 29 Jan 2013 15:13:09 GMT https://live.paloaltonetworks.com/t5/general-topics/remote-site-internet/m-p/35827#M26337 CCANCIENNE 2013-01-29T15:13:09Z https://live.paloaltonetworks.com/t5/general-topics/remote-site-internet/m-p/35828#M26338 <HTML><HEAD></HEAD><BODY><P>You mean something like this:</P><P></P><P>You already had:</P><P></P><P>route 0.0.0.0/0 nexthop internetrouter</P><P></P><P>you added:</P><P></P><P>route &lt;remotesite&gt;/&lt;range&gt; nexthop &lt;headendrouter&gt;</P><P></P><P>?</P></BODY></HTML> Tue, 29 Jan 2013 16:46:01 GMT https://live.paloaltonetworks.com/t5/general-topics/remote-site-internet/m-p/35828#M26338 mikand 2013-01-29T16:46:01Z https://live.paloaltonetworks.com/t5/general-topics/remote-site-internet/m-p/35829#M26339 <HTML><HEAD></HEAD><BODY><P>Exactly that.</P></BODY></HTML> Tue, 29 Jan 2013 16:49:48 GMT https://live.paloaltonetworks.com/t5/general-topics/remote-site-internet/m-p/35829#M26339 CCANCIENNE 2013-01-29T16:49:48Z