- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
01-28-2013 10:56 AM
Hello- Just recently migrated from an old Checkpoint to a PA-500. PA is setup in a Layer 3 configuration. So far so good with the exception of one thing. My remote location isn't able to get internet access. This remote location gets internet from my head end location as they do not have their own internet circuit. Everything for internal access works perfectly. This was working with the previous Checkpoint so it isn't a routing issue at the remote location. If I do a tracert from that remote location the trace stops at the trusted interface of the PA.
I have an outbound rule in place from Trust to Untrust and any application, but this is obviously not covering it for this remote location.
Any advice? I feel like I'm missing something really, really simple here.
Thanks in advance!
01-29-2013 07:13 AM
Issue resolved. I ended up opening a ticket with PA.
-Added a static route to the default virtual route for the specific location's network.
Thanks mikand for the initial help.
01-28-2013 11:03 AM
Is it possible for you to setup a simple drawing for how everything is connected?
As debug (if possible) you could in the PA setup a rule at top which says:
From zone: Any
From address: Any
From user: Any
To zone: Any
To address: Any
Application: Any
Service: Any
Action: Allow
Options: Log on session start + Log on session end
The above would allow anything back and forth through your PA. The idea is if the above doesnt work then you have a malfunction regarding routing OR nating in your PA-box - or something bad going on at your remotesite.
So I would verifiy that the routing is correct at the PA-box (so the PA-box knows which interface to use to reach your remote site) but also verify so NAT-rules (if any) are correctly setup.
01-28-2013 11:57 AM
Drawing attached... Wondering if this a NAT issue since you mentioned it. Outside of the Top Level NAT rule I created when doing the layer 3 configuration I have no NAT rules in place specifically for the remote site.
01-29-2013 07:13 AM
Issue resolved. I ended up opening a ticket with PA.
-Added a static route to the default virtual route for the specific location's network.
Thanks mikand for the initial help.
01-29-2013 08:46 AM
You mean something like this:
You already had:
route 0.0.0.0/0 nexthop internetrouter
you added:
route <remotesite>/<range> nexthop <headendrouter>
?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!