I'm a freshman to Palo Alto devices and I'm facing a problem.
Site A has a subnet 192.168.100.0/24. Site B has 192.168.40.0/21. Both sites use PA820.
Site A has an IPsec tunnel to Site B. This tunnel is running well.
Now we have a new Site C, 192.168.52.0/24, using a non-Palo Alto firewall. I can set up a tunnel between B and C; C can access B now.
The topology looks like below.
Site A =========site B ========= site C
For some reasons, I cannot set up a tunnel between A and C. But our business requires C to access A.
My question is, is there any solution that can use the PA820 at site B to allow access from C to A?
To access SiteA from SiteC:
In tunnel config between A->B: add subnet of SiteC in remote Proxy ID at Site A and Local Proxy ID at site B
In tunnel config between B->C: add subnet of SiteA in remote encryption domain at Site C and Local Proxy ID at site B
Make sure that subnets 192.168.52.0/24 and 192.168.100.0/24 are not used locally at sites A and C respectively (this causes routing issues).
Add required routing and security rules.
As you configured a tunnel between the Palo Alto at Site B and Site C, you should be able to configure one between Site A and Site C. Please verify the configuration.
Hi @mercurr ,
If I may summarize, as a high-level overview, the steps provided by @Lohith_Reddy:
- First, add the network in Site C to the VPN encryption domain/interesting traffic.
- Second, create routes for the network in Site C to point to the right tunnel.
- Create appropriate rules for allowing traffic from A to C. Depending on your setup (in which zone you have configured the VPN tunnels), the rule at Site B most probably will be an intrazone rule (e.g. if you put all VPN tunnels in the "vpn" zone, at Site B your rule will be from zone "vpn" to zone "vpn").
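As an added illustration of the proxy-ID bookkeeping described in the two replies above (this is constructed example code, not the thread's own configuration and not PAN-OS commands): the script derives which subnets each site must list as local and remote on each tunnel so that C-to-A traffic can transit the hub at B, and flags the overlapping-subnet condition @Lohith_Reddy warns about. Site names, subnets and the hub role are taken from the thread; the tunnel table and function names are assumptions.

```python
from ipaddress import ip_network
from itertools import combinations

# Constructed from the thread: hub B has one tunnel to A and one to C.
SITES = {
    "A": ["192.168.100.0/24"],
    "B": ["192.168.40.0/21"],
    "C": ["192.168.52.0/24"],
}
TUNNELS = [("A", "B"), ("B", "C")]  # each tuple is one existing IPsec tunnel
HUB = "B"


def transit_proxy_ids(src, dst, sites=SITES, tunnels=TUNNELS, hub=HUB):
    """Proxy IDs (traffic selectors) each site needs on each tunnel so that
    src <-> dst traffic can transit the hub.  Returns
    {(site, peer): {"local": [...], "remote": [...]}}.
    A spoke adds the far spoke's subnets to its *remote* selector; the hub
    adds them to its *local* selector, because the hub speaks for them."""
    if hub in (src, dst):
        raise ValueError("src and dst must both be spokes of the hub")
    result = {}
    for a, b in tunnels:
        for site, peer in ((a, b), (b, a)):
            local, remote = set(sites[site]), set(sites[peer])
            if site == hub:
                far = dst if peer == src else src   # the spoke not on this tunnel
                local |= set(sites[far])
            else:
                far = dst if site == src else src   # the spoke across the hub
                remote |= set(sites[far])
            result[(site, peer)] = {"local": sorted(local), "remote": sorted(remote)}
    return result


def overlapping_subnets(sites=SITES):
    """Pairs of subnets at different sites that overlap.  Once transit
    proxy IDs are in place, such overlaps make routing ambiguous."""
    nets = [(s, ip_network(n)) for s, subs in sites.items() for n in subs]
    return [(s1, str(n1), s2, str(n2))
            for (s1, n1), (s2, n2) in combinations(nets, 2)
            if s1 != s2 and n1.overlaps(n2)]


if __name__ == "__main__":
    for (site, peer), sel in transit_proxy_ids("C", "A").items():
        print(f"tunnel {site}->{peer}: local={sel['local']} remote={sel['remote']}")
    print("overlaps:", overlapping_subnets() or "none")
```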
Thank you for your reply @Lohith_Reddy ,
From my view, I need to add the proxy ID of site C to site A and add the proxy ID of site A to site C, is that right?
And here comes a problem, I don't have access to any settings at site A. I'm trying not to do changes at site A.
Is there any way to avoid changes at site A?