Global protect client to access IPSEC peer networks.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Global protect client to access IPSEC peer networks.

L1 Bithead

Hello - my query is that "Is it possible for Global protect client users of HO to access the resources located at branch office over IPSEC tunnel?

 

We have 3 branch locations configured Site to site IPSEC tunnels.

 

Since I created a access rule in HO for the same but no success.

 

Please suggest 

4 REPLIES 4

Cyber Elite
Cyber Elite

@amar,

This is easily accomplished when everything is actually in place and setup properly. A common thing I see people forget is the routing on the branch office side of things. You'll need a route on the BO so it actually knows it needs to send the GlobalProtect IPs back to the HO. What you're likely running into is the BO doesn't know where to send the GlobalProtect traffic once it's been received. 

Thank you so much

I am sorry I forgot to mention the BO sites are CheckPoint devices and it supports policy-based VPN only. The GlobalProtect IP is configured in the VPN Policies as HO networks and is also allowed in Access rules bidirectionally.

Cyber Elite
Cyber Elite

@amar,

It's been a long time since I've worked with Checkpoint in any real capacity (currently I'm more migrating people's configurations from CheckPoint to PAN), but I'd be verifying that the return traffic is actually hitting your HO firewall from the BO. If you aren't seeing the return traffic it's dying on the vine and you'll need to address the BO routing, but if it's making it back to the HO you have some other issue happening with routing or policy that you'll need to address on the HO side of things.

So to start with I guess, are you seeing the return traffic make it back from the BO to the HO? 

@BPry 

Yes, GlobalProtect IP object was missing at BO access policy. Just added and it worked.

Thank you so much.

  • 1640 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!