How to Create Inbound NAT to a Single Server with 2 ISPs Without Using Symmetric Return
Resolution
Details
When a Palo Alto Networks firewall has access to two or more service providers, creating an inbound NAT rule has to be done differently because of the fact that inbound traffic might come from either ISP.
For this example;
- Public IP address to be used from ISP "A" will be 1.1.1.1 and connected to Ethernet 1/1
- Public IP address to be used from ISP "B" will be 2.2.2.2 and connected to Ethernet 1/2
- Firewall's default gateway points to ISP "A"
A crucial requirement for this scenario is for the server to have two internal IP addresses. 172.16.1.10 and 172.16.1.11 will be used for this example.
Another alternative would be to use the symmetric return feature which alleviates the need for multiple IP addresses on the server, reference the following article for more information on configuring symmetric return for the same scenario:
How to Configure Symmetric Return
NAT Rules
| Rule Number | Source | Destination | Action |
|---|---|---|---|
| 1 | Untrusted Zone | 1.1.1.1 | Translate Destination IP to 172.16.1.10 |
| 2 | 172.16.1.10 | Untrusted Zone | Translate Source IP to 1.1.1.1 |
| 3 | Untrusted Zone | 2.2.2.2 | Translate Destination IP to 172.16.1.11 |
| 4 | 172.16.1.11 | Untrusted Zone | Translate Source IP to 2.2.2.2 |
Policy Based Forwarding (PBR) Rule
| Source | Destination | Forwarding |
|---|---|---|
| 172.16.1.11 | Untrusted Zone | Action : Forwarding
Egress Interface : Ethernet 1/2 Next Hop : <ISP "B"s gateway IP> |
Security Rules
Create the necessary rules to allow traffic to/from the server and commit the changes.
owner: jteetsel