topic Re: forward from multiple WAN to one host LAN in General Topics

forward from multiple WAN to one host LAN

marcinpudysz — Wed, 11 Jan 2012 22:13:21 GMT

Hi,
I need a little help with PA configuration. I have two WAN links.
WAN1 - 1.1.1.1
WAN2 - 2.2.2.2
and a host on the network 3.3.3.3
3.3.3.3 ip is a terminal server. All computers go through WAN1 link. I need to configure the PA so I can login to the server via IP WAN1 and IP WAN2. I ask for directions if possible. Advance thank you very much.

Re: forward from multiple WAN to one host LAN

rmonvon — Wed, 11 Jan 2012 22:50:02 GMT

You need to define 2 inbound NAT rules on the PA firewall.

rule1 dest=1.1.1.1 translate to destIP=3.3.3.3

rule2 dest=2.2.2.2 translate to destIP=3.3.3.3

The inbound NAT setting can be found here: https://live.paloaltonetworks.com/docs/DOC-1517

You must also define security rule(s) to allow the traffic (i.e. the ms-rdp app) from the WAN to 3.3.3.3.

Thanks.

Re: forward from multiple WAN to one host LAN

marcinpudysz — Thu, 12 Jan 2012 22:28:31 GMT

thank you for your reply.
That's what I did and it did not work.
It works only on a WAN link (1.1.1.1) which is set in the virtual router as the default route. I can not connect to a terminal server via WAN2 link (2.2.2.2). I think theproblem is in the configuration of virtual router. If I change the default route is WAN2can connect only through WAN2.

Re: forward from multiple WAN to one host LAN

kbrazil — Thu, 12 Jan 2012 23:41:05 GMT

Make sure to put both WAN links in the same zone. Looks like you are seeing asymmetric routing with the return flows and the sessions are probably not matching up. I'm not sure, but there may be other fancy ways of fixing this with Policy Based Forwarding.

Cheers,

Kelly

Re: forward from multiple WAN to one host LAN

marcinpudysz — Fri, 13 Jan 2012 00:14:45 GMT

Thank you very much for your help. Everything works very well.
Both WAN interfaces must be in the same zone.
For virtual router I had to add two routes 0.0.0.0 / 0 with different metrics. Once again,thank you very much.

Re: forward from multiple WAN to one host LAN

s_dutto — Tue, 05 Jun 2012 07:39:34 GMT

I continue this discussion because we experimented exactly the same problem, and we applied the proposal configuration that we found in the previous post.

We have the two WAN interfaces in the same zone. We configured the two routes 0.0.0.0/0 with different metrics, but we don't solve the problem.

At the moment it's possible to access to the internal host only from one of the two WAN interfaces, not from the the other one.

Can anyone help me?

Re: forward from multiple WAN to one host LAN

rmonvon — Tue, 05 Jun 2012 12:35:16 GMT

Do you have 2 public IP ranges, 1 IP range per ISP? It may that ISP1 will not permit IP of ISP2, or vice versa. Traffic coming into ISP2 is be replied out ISP1 due the default route and ISP1 is dropping the traffic.

Re: forward from multiple WAN to one host LAN

s_dutto — Tue, 05 Jun 2012 12:58:57 GMT

THE SITUATION YESTERDAY

two different provider

ISP1 - 1.1.1.0/24

ISP2 - 2.2.2.0/24

INTERNAL HOST - 3.3.3.3/32

NAT RULES

1.1.1.10 -> 3.3.3.3

2.2.2.10 -> 3.3.3.3

ROUTES

0.0.0.0/0 -> 1.1.1.1

if I use 1.1.1.10 I can access the host, if I use 2.2.2.10 no. We look at the traffic in this second case. The packets enter the ISP2, reach the internal host 3.3.3.3 and go outside (using routing table) ISP1 so it doesn't work.

THE SITUATION TODAY (after reading this discussion)

two different provider

ISP1 - 1.1.1.0/24

ISP2 - 2.2.2.0/24

INTERNAL HOST - 3.3.3.3/32

NAT RULES

1.1.1.10 -> 3.3.3.3

2.2.2.10 -> 3.3.3.3

ROUTES (as suggested in this post)

0.0.0.0/0 -> 1.1.1.1 (metric x)

0.0.0.0/0 -> 2.2.2.1 (metric y)

I don't understand how this solution can work. If I use 1.1.1.10 all is ok. If I use 2.2.2.10 the packet enter ISP2, reach the INTERNAL HOST 3.3.3.3 and go outside ISP1 (using the routing table).

Is there any solution I can configure to use both ISP1 and ISP2?

thank you

Re: forward from multiple WAN to one host LAN

marcinpudysz — Tue, 05 Jun 2012 13:21:52 GMT

It's work fine. If you use pbf rules you must add new rule with destination address 3.3.3.3 and action no-pbf.

in some situations may arise asymetric routing. (i have that problem and this is solusion)

Re: forward from multiple WAN to one host LAN

rmonvon — Tue, 05 Jun 2012 19:20:48 GMT

It appears your 2 ISPs will only permit their own IP range and not the other ISP's. We need to ensure the return traffic goes out the same ISP. Try this:

PA1 default route 0.0.0.0/0 --> 1.1.1.1

PA2 default route 0.0.0.0/0 --> 2.2.2.2

Do not sync the virtual-router (VR) so each PA will keep its own def route. This setting in under the HA configuration.

On the inbound NAT, you need to do BOTH src & dst NAT so the return packets will come back to the same PA. Let's say the inside IP of PA1 is 3.3.3.1 and PA2 is 3.3.3.2.

NAT RULES on PA1:

srcIP: any --> 3.3.3.1 and dstIP: 1.1.1.10 -> 3.3.3.3

This ensures the replies from 3.3.3.3 will go back to 3.3.3.1, PA1.

NAT RULES on PA2:

srcIP: any --> 3.3.3.2 and dstIP: 2.2.2.10 -> 3.3.3.3

This ensures the replies from 3.3.3.3 will go to 3.3.3.2, PA2.