Hi PHowse
In the scenario you explained, where the remote sites can already communicate with the main site, I think you need the following:
A route for the internal subnets of Site RB with a next-hop of the Main Site. (I can't tell which address, because I don't know the complete topology or the configuration on the devices.)
A route for the internal subnets of Site RA with a next-hop of the Main Site.
A security policy allowing traffic to/from the internal subnets of the remote sites. I can't tell the from-zone and to-zone to be configured on the security policy because, again, I don't know the topology or your configuration.
If you would like to share some more information, I would suggest providing:
- Main site:
  - > show route [RA_site_internal_subnet]
  - > show route [RB_site_internal_subnet]
  - > show security zones
- RA site:
  - > show route [MAIN_site_internal_subnet]
  - > show route [RA_site_internal_subnet]
  - > show security zones
- RB site:
  - > show route [MAIN_site_internal_subnet]
  - > show route [RB_site_internal_subnet]
  - > show security zones
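To make the three steps above concrete, here is an added Junos SRX configuration for a hub-and-spoke layout; it is an illustrative example, not configuration from the original post or from PHowse's devices. Everything in it is assumed: the subnets (Main 10.0.0.0/24, RA 10.1.0.0/24, RB 10.2.0.0/24), route-based IPsec tunnels on st0 interfaces (hub 10.255.1.1 to RA 10.255.1.2, hub 10.255.2.1 to RB 10.255.2.2), a zone named vpn that holds the st0 interfaces and a zone named trust that holds each LAN. Lines beginning with # are explanatory notes, not commands to load.

```junos
# ---- Main site (hub) ----
# Step 1 and 2 as seen from the hub: each spoke LAN is reached via that spoke's tunnel peer.
set routing-options static route 10.1.0.0/24 next-hop 10.255.1.2
set routing-options static route 10.2.0.0/24 next-hop 10.255.2.2
set security address-book global address RA-LAN 10.1.0.0/24
set security address-book global address RB-LAN 10.2.0.0/24
# Step 3: spoke-to-spoke traffic enters and leaves the hub in the same zone (vpn).
# SRX denies intra-zone traffic by default, so an explicit vpn-to-vpn policy is needed.
set security policies from-zone vpn to-zone vpn policy RA-to-RB match source-address RA-LAN
set security policies from-zone vpn to-zone vpn policy RA-to-RB match destination-address RB-LAN
set security policies from-zone vpn to-zone vpn policy RA-to-RB match application any
set security policies from-zone vpn to-zone vpn policy RA-to-RB then permit
set security policies from-zone vpn to-zone vpn policy RB-to-RA match source-address RB-LAN
set security policies from-zone vpn to-zone vpn policy RB-to-RA match destination-address RA-LAN
set security policies from-zone vpn to-zone vpn policy RB-to-RA match application any
set security policies from-zone vpn to-zone vpn policy RB-to-RA then permit

# ---- Site RA (spoke) ----
# Route for RB's internal subnet with a next-hop of the Main Site (its tunnel address).
set routing-options static route 10.2.0.0/24 next-hop 10.255.1.1
set security address-book global address LOCAL-LAN 10.1.0.0/24
set security address-book global address RB-LAN 10.2.0.0/24
set security policies from-zone trust to-zone vpn policy to-RB match source-address LOCAL-LAN
set security policies from-zone trust to-zone vpn policy to-RB match destination-address RB-LAN
set security policies from-zone trust to-zone vpn policy to-RB match application any
set security policies from-zone trust to-zone vpn policy to-RB then permit
set security policies from-zone vpn to-zone trust policy from-RB match source-address RB-LAN
set security policies from-zone vpn to-zone trust policy from-RB match destination-address LOCAL-LAN
set security policies from-zone vpn to-zone trust policy from-RB match application any
set security policies from-zone vpn to-zone trust policy from-RB then permit

# ---- Site RB (spoke) ----
# Route for RA's internal subnet with a next-hop of the Main Site (its tunnel address).
set routing-options static route 10.1.0.0/24 next-hop 10.255.2.1
set security address-book global address LOCAL-LAN 10.2.0.0/24
set security address-book global address RA-LAN 10.1.0.0/24
set security policies from-zone trust to-zone vpn policy to-RA match source-address LOCAL-LAN
set security policies from-zone trust to-zone vpn policy to-RA match destination-address RA-LAN
set security policies from-zone trust to-zone vpn policy to-RA match application any
set security policies from-zone trust to-zone vpn policy to-RA then permit
set security policies from-zone vpn to-zone trust policy from-RA match source-address RA-LAN
set security policies from-zone vpn to-zone trust policy from-RA match destination-address LOCAL-LAN
set security policies from-zone vpn to-zone trust policy from-RA match application any
set security policies from-zone vpn to-zone trust policy from-RA then permit

# ---- Checks (operational mode, run on each device after commit) ----
# show route 10.2.0.0/24                       (on RA: must resolve via the hub tunnel address)
# show security match-policies from-zone trust to-zone vpn source-ip 10.1.0.10 destination-ip 10.2.0.10 source-port 40000 destination-port 443 protocol tcp
# show security flow session destination-prefix 10.2.0.0/24
```

Two practical caveats. First, "application any" is used only to keep the example short; in production, restrict the match to the applications the sites actually exchange, and put the rule above any broad deny. Second, if the tunnels are policy-based rather than route-based, or if the IPsec traffic selectors (proxy IDs) are narrower than the subnets above, the spoke-to-spoke prefixes must also be covered by the tunnel definitions or the packets will be dropped before a security policy is ever consulted.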