This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

A global protect connected client machine access a resource(behind Cisco router) that is connected to the host PA 800 Firewall via IPsec

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

A global protect connected client machine access a resource(behind Cisco router) that is connected to the host PA 800 Firewall via IPsec

SisayFekadu
L0 Member

‎07-17-2023 05:37 AM

Hello Everyone,

I have a Palo Alto 820 Firewall locally and it has been licensed and configured with global protect for the remote mobility of our users. And It also has a Site-to-Site IPsec connectivity to a remote location of a different organization and the remote end of that organization has a Cisco router to configure the IPsec. There are existing successful connections of resources/end-point through the IPsec between the two sites and it is currently operational. 
So now this new requirement come up where the global protect client users in remote locations be able to access resources behind the remote site with the Cisco router through the IPsec tunnel. We have completed the required configuration and it was supposed to be working as we did a similar set up as the existing operational connection via the IPsec. Is there any extra configuration I need to add? Does it even work that way? #IPsec #Site-to-site #Cisco-to-PaloAlto GlobalProtect 

Sisay Fekadu Wolde
GlobalProtect
Thumbnail of GlobalProtect
Palo Alto Networks
GlobalProtect
Network Security
View on Product Page
0 Likes Likes
1 REPLY 1

GOMEZZZ
L2 Linker

‎07-20-2023 03:58 PM

Hi SisayFekadu,

 

As i understand correctly you want. your mobile users connected via global protect to access resources over the IPSec tunnel you have with remote site.  First thing to check of course is the routing.  

1. Is your global protect client configured for split tunneling or is everything send over the tunnel (default route over tunnel).  If split tunneling is used you will need to add routes to reach the remote destination.

2. If you have the above sorted out , your site to site VPN tunnel is this a route base or policy based VPN if it is policy base you might need to also adjust proxy ID's on both sides.   Also check your routing on the remote site that it knows the mobile users subnet is to be routed over the tunnel.

3. Of course you will also need firewall policies to allow the traffic to flow.

So in short I see no reason why this requirement would not work it just needs the correct configuration steps.

Tackle it one by one.

 

0 Likes Likes
  • 639 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks