A global protect connected client machine access a resource(behind Cisco router) that is connected to the host PA 800 Firewall via IPsec

Showing results for 
Show  only  | Search instead for 
Did you mean: 

A global protect connected client machine access a resource(behind Cisco router) that is connected to the host PA 800 Firewall via IPsec

L0 Member

Hello Everyone,

I have a Palo Alto 820 Firewall locally and it has been licensed and configured with global protect for the remote mobility of our users. And It also has a Site-to-Site IPsec connectivity to a remote location of a different organization and the remote end of that organization has a Cisco router to configure the IPsec. There are existing successful connections of resources/end-point through the IPsec between the two sites and it is currently operational. 
So now this new requirement come up where the global protect client users in remote locations be able to access resources behind the remote site with the Cisco router through the IPsec tunnel. We have completed the required configuration and it was supposed to be working as we did a similar set up as the existing operational connection via the IPsec. Is there any extra configuration I need to add? Does it even work that way? #IPsec #Site-to-site #Cisco-to-PaloAlto GlobalProtect 

Sisay Fekadu Wolde

L2 Linker

Hi SisayFekadu,


As i understand correctly you want. your mobile users connected via global protect to access resources over the IPSec tunnel you have with remote site.  First thing to check of course is the routing.  

1. Is your global protect client configured for split tunneling or is everything send over the tunnel (default route over tunnel).  If split tunneling is used you will need to add routes to reach the remote destination.

2. If you have the above sorted out , your site to site VPN tunnel is this a route base or policy based VPN if it is policy base you might need to also adjust proxy ID's on both sides.   Also check your routing on the remote site that it knows the mobile users subnet is to be routed over the tunnel.

3. Of course you will also need firewall policies to allow the traffic to flow.

So in short I see no reason why this requirement would not work it just needs the correct configuration steps.

Tackle it one by one.


  • 1 replies
  • 47 Subscriptions
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!