topic Re: NAT and Security Policies, PBF Failover and Symmetric Return - Dual ISP in General Topics

NAT and Security Policies, PBF Failover and Symmetric Return - Dual ISP

uscit — Tue, 16 Apr 2013 03:32:50 GMT

This is two parts:

1) I configured Destination NAT rules and corresponding Security Policies to allow inbound access to servers on private LAN. These all utilize the Primary ISP public IP address. If I want these internal servers accessible over the Secondary ISP (as we already have configured PBF failover to the secondary ISP should the primary go down), do I then have to create duplicate NAT rules and Security Policies for each, replacing the Primary ISP IP with the Secondary ISP IP? Or, is there a way to just do NATs and Security Policies to handle both ISPs in a single rule and corresponding policy?

2) With the PBF Failover, I've read about symmetric return being needed for Dual ISPs. The document "Symmetic Return.docx" gives an example, but it's Dual ISPs being NATed and Security Policy'ed to one internal server. If I have rules for several internal servers, does that mean I have to create several PBF rules enforcing symmetric return for each private server, or can I just create one PBF rule enabling symmetric return for the ISP the traffic came through on, period?

Re: NAT and Security Policies, PBF Failover and Symmetric Return - Dual ISP

Retired Member — Fri, 31 May 2013 08:46:15 GMT

1) You have to create a second NAT rule which's interface will be different

2)You can use 1 rule regarding to ALL server IP addresses inside

Re: NAT and Security Policies, PBF Failover and Symmetric Return - Dual ISP

Gregoux — Fri, 31 May 2013 14:15:13 GMT

Did you implement something like gslb?

if it done, the client will be redirected to the internal server via the public ip either from your first provider or the second (it depend the load balancing mecanisme, it could be a just a failover)

and you need 1 destinations NAT rule as destination orginal packet base on the 2 public ip and transfert to the same server private ip

regards

Re: NAT and Security Policies, PBF Failover and Symmetric Return - Dual ISP

janu.rafi — Fri, 26 Feb 2016 06:44:30 GMT

Hi,

i have slightly different scenario here-

1) we have 2 ISP (ISP1 - eth1/1 & ISP2- eth1/8)

2) 3 zones - Trust, Wi-FI, Untrust (ISP1) & ISPB (ISP2)

3) Trust & Wi-Fi zones access internet via Untrust.

4) Destination NAT configured (published web apps ) on Untrust (ISP1 IP)

4) Trust & Wi-Fi machines are allowed to access published web apps using internet IP addresses.(U-turn NAT)

Desired setup (working)

1) internet access from Zone - Trust via ISP1 (untrust)

2) internet access from Zone - Wi-Fi via ISPB (ISP2)

Trouble facing:

1) Wi-Fi Zone users can't access published service (Destination NAT) from ISP-B (ex: webmail/vpn..etc)

[in a TCP 3-way handshake, syn is reaching to interal server but, syn-ack is not reaching the client]

Please help me to resolve the issue