https://live.paloaltonetworks.com/t5/general-topics/help-setting-up-a-return-route/m-p/30325#M22173 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I am in the process of migrating internet connections, at the moment we have a PA-500 with 3 active internet connections, traffic is routed between different connections using policy routing. This is fine for outbound traffic, however inbound does not work as the traffic attempts to return via the default gateway.</P><P></P><P>There seems to be no implementation of Reverse Path Forwarding (RPF) to return the traffic for the origin interface.</P><P></P><P>I need to know if there is a way to set this up. The problem at hand is our mail and webmail is coming in on the "eth0/1" interface which will soon be decommisioned, however during the interum (DNS propergation) we need to have both eth0/1 and eth0/3 accepting traffic for https, smtp, and smtps simaltaniously with the default route going via eth0/3.</P><P></P><P>I have attempted to try and return the traffic via PBF with no success.</P><P></P><P>My goal is:</P><P></P><P>Default Route - eth0/3</P><P>Incoming traffic on eth0/1 goes to internal network, then returns via eth0/1, NOT eth0/3</P><P></P><P>Please help before I loose all my hair <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></P><P></P><P>Dean.</P></BODY></HTML> Wed, 09 Mar 2011 06:55:39 GMT andyyps 2011-03-09T06:55:39Z https://live.paloaltonetworks.com/t5/general-topics/help-setting-up-a-return-route/m-p/30325#M22173 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I am in the process of migrating internet connections, at the moment we have a PA-500 with 3 active internet connections, traffic is routed between different connections using policy routing. This is fine for outbound traffic, however inbound does not work as the traffic attempts to return via the default gateway.</P><P></P><P>There seems to be no implementation of Reverse Path Forwarding (RPF) to return the traffic for the origin interface.</P><P></P><P>I need to know if there is a way to set this up. The problem at hand is our mail and webmail is coming in on the "eth0/1" interface which will soon be decommisioned, however during the interum (DNS propergation) we need to have both eth0/1 and eth0/3 accepting traffic for https, smtp, and smtps simaltaniously with the default route going via eth0/3.</P><P></P><P>I have attempted to try and return the traffic via PBF with no success.</P><P></P><P>My goal is:</P><P></P><P>Default Route - eth0/3</P><P>Incoming traffic on eth0/1 goes to internal network, then returns via eth0/1, NOT eth0/3</P><P></P><P>Please help before I loose all my hair <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></P><P></P><P>Dean.</P></BODY></HTML> Wed, 09 Mar 2011 06:55:39 GMT https://live.paloaltonetworks.com/t5/general-topics/help-setting-up-a-return-route/m-p/30325#M22173 andyyps 2011-03-09T06:55:39Z https://live.paloaltonetworks.com/t5/general-topics/help-setting-up-a-return-route/m-p/30326#M22174 <HTML><HEAD></HEAD><BODY><P>Source nat traffic coming in via eth0/1, that way it will be routed back to the correct interface. That is at least one way of solving it.</P></BODY></HTML> Wed, 09 Mar 2011 07:39:59 GMT https://live.paloaltonetworks.com/t5/general-topics/help-setting-up-a-return-route/m-p/30326#M22174 rapoint_person 2011-03-09T07:39:59Z https://live.paloaltonetworks.com/t5/general-topics/help-setting-up-a-return-route/m-p/30327#M22175 <HTML><HEAD></HEAD><BODY><P>Can you give me an example of how I would do this? I have configured "dynamic ip and port" to the next hop with no dice.</P></BODY></HTML> Thu, 10 Mar 2011 00:05:19 GMT https://live.paloaltonetworks.com/t5/general-topics/help-setting-up-a-return-route/m-p/30327#M22175 andyyps 2011-03-10T00:05:19Z https://live.paloaltonetworks.com/t5/general-topics/help-setting-up-a-return-route/m-p/30328#M22176 <HTML><HEAD></HEAD><BODY><P>My idea was this:</P><P></P><P>1. Source NAT (And destination nat) traffic coming in on ethernet0/1. Let's say:</P><P>Original SRC packet: 195.1.1.1</P><P>Original DST packet: 210.1.1.1</P><P>NAT SRC packet: 192.168.1.1</P><P>NAT DST packet:10.1.1.1</P><P></P><P>2. Keep your default route pointing to ethernet0/3</P><P></P><P>The idea beeing the 192.168.1.1 source address will be the new source of the packet and should be routed back to the correct interface (ethernet0/1) simply because it is a connected route. No need for PBF for this traffic.</P><P></P><P>I have never tried this in a Palo box (but a similar config in a Juniper/Netscreen worked).</P><P></P><P>Let me know how it works!</P></BODY></HTML> Thu, 10 Mar 2011 18:53:22 GMT https://live.paloaltonetworks.com/t5/general-topics/help-setting-up-a-return-route/m-p/30328#M22176 rapoint_person 2011-03-10T18:53:22Z https://live.paloaltonetworks.com/t5/general-topics/help-setting-up-a-return-route/m-p/30329#M22177 <HTML><HEAD></HEAD><BODY><P>Do you have solved this problem? I have a similar situation in PAN 4.0.1. Why PAN don't have RPF for NAT traffic?</P></BODY></HTML> Sun, 03 Apr 2011 09:00:39 GMT https://live.paloaltonetworks.com/t5/general-topics/help-setting-up-a-return-route/m-p/30329#M22177 commcord 2011-04-03T09:00:39Z https://live.paloaltonetworks.com/t5/general-topics/help-setting-up-a-return-route/m-p/30330#M22178 <HTML><HEAD></HEAD><BODY><P>Exactly the same problem here.</P><P>Does anyone know if there is way around it using Source NAT rules? I've tried, but no luck so far...</P></BODY></HTML> Fri, 15 Jul 2011 15:01:45 GMT https://live.paloaltonetworks.com/t5/general-topics/help-setting-up-a-return-route/m-p/30330#M22178 slawek.kunach 2011-07-15T15:01:45Z