Routing traffic from branch through HQ to vendor

L1 Bithead


Currently I'm labbing a situation where I'll need to have branch users route to a vendor through HQ via IPsec tunnels. Users at my branch can access Web/HQ services through the HQ firewall, but when accessing the vendor, logs show from HQ the attempts to the vendor from the branch office, but nothing but incompletes/aged-out.

 

From HQ, I do see active connections for phaseII for the branch/vendor connection but of course no encap/decaps.

 

Also I do have redistribution profiles for Branch and Vendor connections on the HQ firewall.

 

Thoughts? 

L1 Bithead

Re: Routing traffic from branch through HQ to vendor

Just found this, which I'm spot on. I do worry that my vendor side might be incorrect.

 

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-To-Connect-2-Branch-Locations-to-Con...

L1 Bithead

Re: Routing traffic from branch through HQ to vendor

So I found the problem, or "more of a design issue".

 

The dynamic VPN setup on my branch side is the issue to the vendor. I realized that when setting up a direct connection from branch to vendor. The vendor does not support NAT-T!!!! Doh!!!! Which is why I would see the outbound encaps but no decaps back on the HQ side.

 

Back to the drawing board... Hopefully this stops someone from spinning their wheels.
