
Remote site internet

L1 Bithead

Hello- Just recently migrated from an old Checkpoint to a PA-500. PA is setup in a Layer 3 configuration. So far so good with the exception of one thing. My remote location isn't able to get internet access. This remote location gets internet from my head end location as they do not have their own internet circuit. Everything for internal access works perfectly. This was working with the previous Checkpoint so it isn't a routing issue at the remote location. If I do a tracert from that remote location the trace stops at the trusted interface of the PA.

I have an outbound rule in place from Trust to Untrust and any application, but this is obviously not covering it for this remote location.

Any advice? I feel like I'm missing something really, really simple here.

Thanks in advance!


5 REPLIES

L6 Presenter

Is it possible for you to setup a simple drawing for how everything is connected?

As debug (if possible) you could in the PA setup a rule at top which says:

From zone: Any

From address: Any

From user: Any

To zone: Any

To address: Any

Application: Any

Service: Any

Action: Allow

Options: Log on session start + Log on session end

The above would allow anything back and forth through your PA. The idea is if the above doesn't work then you have a malfunction regarding routing OR NATing in your PA-box - or something bad going on at your remote site.

So I would verify that the routing is correct at the PA-box (so the PA-box knows which interface to use to reach your remote site) but also verify that the NAT rules (if any) are correctly set up.

Drawing attached... Wondering if this is a NAT issue since you mentioned it. Outside of the Top Level NAT rule I created when doing the layer 3 configuration I have no NAT rules in place specifically for the remote site.

[Attachment: WAN.JPG]

L1 Bithead

Issue resolved. I ended up opening a ticket with PA.

-Added a static route to the default virtual route for the specific location's network.

Thanks mikand for the initial help.

You mean something like this:

You already had:

route 0.0.0.0/0 nexthop internetrouter

you added:

route <remotesite>/<range> nexthop <headendrouter>

?

Exactly that.
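To show why the tracert died at the PA's trust interface and why the extra static route fixed it, here is an added example (not from this thread and not Palo Alto Networks code) that models the virtual router's longest-prefix-match lookup for the return traffic before and after the fix. The subnets, next-hop addresses and interface names are assumptions chosen for the illustration.

```python
import ipaddress

# Constructed sample addressing (assumptions, not values from the thread):
#   head-end LAN on the PA trust interface ............ 192.168.1.0/24
#   remote site LAN, reached via the head-end router ... 10.20.0.0/16
#   head-end router on the trust segment ............... 192.168.1.2
#   ISP router on the untrust segment .................. 203.0.113.1
# Each entry: (prefix, next hop or None for connected, egress interface)
ROUTE_BEFORE = [
    ("0.0.0.0/0", "203.0.113.1", "ethernet1/1 (untrust)"),   # default route
    ("192.168.1.0/24", None, "ethernet1/2 (trust)"),          # connected
]
# The static route the OP added to the default virtual router; the equivalent
# PAN-OS CLI form (assumed names) would be:
#   set network virtual-router default routing-table ip static-route remote-site
#       destination 10.20.0.0/16 interface ethernet1/2 nexthop ip-address 192.168.1.2
ROUTE_AFTER = ROUTE_BEFORE + [
    ("10.20.0.0/16", "192.168.1.2", "ethernet1/2 (trust)"),
]


def fib_lookup(table, dst):
    """Longest-prefix match: return (network, nexthop, interface) or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop, iface in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop, iface)
    return best


def return_path_ok(table, remote_host):
    """True if replies to a remote-site host are routed back through trust.

    With only the default route, the PA forwards those replies to the ISP
    router, so outbound sessions from the remote site never complete and a
    trace from there stops at the PA's trust interface.
    """
    hop = fib_lookup(table, remote_host)
    return hop is not None and hop[2].endswith("(trust)")


if __name__ == "__main__":
    for label, table in (("before", ROUTE_BEFORE), ("after", ROUTE_AFTER)):
        net, nexthop, iface = fib_lookup(table, "10.20.5.7")
        print(f"{label}: 10.20.5.7 matches {net} -> {nexthop} via {iface}")
```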
